Symantec Encryption Management Server does not distinguish between Active Directory accounts that are mail-enabled and mail-disabled.
This can result in some unexpected effects. For example, in the following scenario SEMS will attempt to send an encrypted message to all users in a mail-disabled Security Group even though the message was intended for only one recipient:
If Encryption Desktop has debug logging enabled then entries similar to the following will be seen in the log. Observe that the mail-disabled Security Group is treated as a mail-enabled Distribution Group:
DE 10:48:17 MAPI Proxy: Expanding distribution list [email protected]
DE 10:48:17 Received getinfoforaddress request
DE 10:48:17 >> sSoapContextForThread
DE 10:48:17 << sSoapContextForThread, context already created
DE 10:48:17 Plugin: sending response body, 50 bytes
DE 10:48:17 Plugin: sent body, header err = 0
DE 10:48:17 MAPI Proxy: Distribution list [email protected] contains 2 addresses
DE 10:48:17 MAPI Proxy: [0] [email protected]
DE 10:48:17 MAPI Proxy: [1] [email protected]
One of the properties of an Active Directory account is the E-mail field. In Active Directory 2003 this appears in the General tab of the account properties. For accounts that are mail-disabled, you can enter nearly any value into this field, including the email address of a mail-enabled Active Directory user. Active Directory 2003 issues a warning if you enter the email address of an existing account but does not prevent you from entering the duplicate email address.
This means that you can have duplicate email addresses in Active Directory and because SEMS does not distinguish between mail-enabled and mail-disabled Active Directory accounts, unpredictable effects can occur.
SEMS is working as designed. Email addresses in Active Directory have to be unique and must not be duplicated.
Therefore, ensure that the E-mail field of mail-disabled Active Directory Security Groups and other mail-disabled Active Directory accounts does not contain an email address identical to that of a mail-enabled Active Directory account. This can be accomplished either by deleting such email addresses or by renaming them. For example, you could rename the email address of a mail-disabled Security Group from [email protected] to -[email protected]-.
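The following PowerShell check is an added example and is not part of this article or of the Symantec product; it reports E-mail values shared by a mail-enabled object and a mail-disabled one so they can be cleaned up before Directory Synchronization picks them up. It assumes the ActiveDirectory PowerShell module is available (Windows Server 2008 R2 or later, or an ADWS gateway in front of older domain controllers) and uses the presence of the Exchange attribute mailNickname as the marker of a mail-enabled object, which is a heuristic rather than a definition used by SEMS.

```powershell
# Added example, not from the Symantec article.
# Assumption: objects with mailNickname set are treated as mail-enabled;
# objects that only carry a manually typed E-mail (mail) value are treated as mail-disabled.
Import-Module ActiveDirectory

# Pull every user, group and contact whose E-mail field has a value.
$objects = Get-ADObject -LDAPFilter '(&(mail=*)(|(objectClass=user)(objectClass=group)(objectClass=contact)))' `
    -Properties mail, mailNickname

# Group-Object compares values case-insensitively unless -CaseSensitive is given,
# so A@example.com and a@example.com land in the same group.
$duplicates = $objects | Group-Object -Property mail | Where-Object { $_.Count -gt 1 }

foreach ($dup in $duplicates) {
    $mailEnabled  = @($dup.Group | Where-Object { $_.mailNickname })
    $mailDisabled = @($dup.Group | Where-Object { -not $_.mailNickname })

    # Only the mixed case matters here: a mail-disabled object (e.g. a Security Group)
    # shadowing the address of a mail-enabled user is what makes SEMS expand the wrong list.
    if ($mailEnabled.Count -gt 0 -and $mailDisabled.Count -gt 0) {
        Write-Output "Address $($dup.Name) is used by both mail-enabled and mail-disabled objects:"
        foreach ($o in $dup.Group) {
            $state = if ($o.mailNickname) { 'mail-enabled' } else { 'mail-disabled' }
            Write-Output ('  {0,-13} {1,-7} {2}' -f $state, $o.ObjectClass, $o.DistinguishedName)
        }
        # Remediation, once each hit has been reviewed: clear the duplicate on the
        # mail-disabled object (or rename it as the article suggests). -WhatIf previews only.
        foreach ($o in $mailDisabled) {
            Set-ADObject -Identity $o.DistinguishedName -Clear mail -WhatIf
        }
    }
}
```

Remove -WhatIf only after confirming each listed object really is the mail-disabled copy, since clearing the mail attribute of the wrong object would break delivery for that account.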
Applies To
Active Directory 2003 (other versions are probably affected).
Symantec Encryption Management Server 3.x with Directory Synchronization enabled.
PGP Universal Server 3.x with Directory Synchronization enabled.