An Encryption Desktop user cannot enroll against Encryption Management Server. They are constantly prompted for their username and password.
There is a difference between the first part of the userPrincipalName (the part that precedes the @ character) and the sAMAccountName in the user's Active Directory account. For example:
The user attempts to enroll as U123456@example.com. This fails to match either userPrincipalName or sAMAccountName.
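An added example (not from the original article or from Symantec) that lists accounts whose userPrincipalName prefix differs from sAMAccountName and checks a login name against both attributes. The sample accounts are constructed, the function names are hypothetical, and the whole-string, case-insensitive comparison is an assumption, not the server's documented matching behaviour.

```powershell
# Added example, not vendor code. The sample accounts below are constructed.
# Against a live domain (requires the ActiveDirectory module) use instead:
#   $accounts = Get-ADUser -Filter *
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'U123456'; UserPrincipalName = 'jane.doe@example.com' }
    [pscustomobject]@{ SamAccountName = 'bsmith';  UserPrincipalName = 'bsmith@example.com' }
)

# Hypothetical helper: emit accounts whose UPN prefix is not the sAMAccountName.
function Get-UpnSamMismatch {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        # Accounts without a UPN cannot be compared.
        if (-not $Account.UserPrincipalName) { return }
        $prefix = ($Account.UserPrincipalName -split '@', 2)[0]
        # -ne on strings is case-insensitive in PowerShell.
        if ($prefix -ne $Account.SamAccountName) {
            [pscustomobject]@{
                SamAccountName    = $Account.SamAccountName
                UserPrincipalName = $Account.UserPrincipalName
                UpnPrefix         = $prefix
            }
        }
    }
}

# Hypothetical helper: report which attribute, if any, equals the login name.
# Assumption: whole-string, case-insensitive comparison.
function Test-EnrollmentName {
    param([string] $Login, $Accounts)
    foreach ($a in $Accounts) {
        if ($Login -eq $a.UserPrincipalName) {
            return "userPrincipalName of $($a.SamAccountName)"
        }
        if ($Login -eq $a.SamAccountName) {
            return "sAMAccountName of $($a.SamAccountName)"
        }
    }
    return 'no match'
}

# Accounts likely to hit the enrollment prompt loop described above.
$accounts | Get-UpnSamMismatch | Format-Table -AutoSize

# The login name from the article's example, checked against the sample data.
Test-EnrollmentName -Login 'U123456@example.com' -Accounts $accounts
```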
There are several possible solutions to this issue:
Encryption Management Server will try to match the username from the Encryption Desktop enrollment with the following fields from Active Directory:
The email domain will need to be in the list of Managed Domains in Encryption Management Server.
For further assistance in validating LDAP Attributes, please reach out to Symantec Encryption Support.