An Encryption Desktop user cannot enroll against Encryption Management Server. They are constantly prompted for their username and password.

• Encryption Desktop 10.3.2 MP13 and above.
• Encryption Management Server 3.3.2 MP13 and above using Active Directory Synchronization.

There is a difference between the first part of the userPrincipalName (the part that precedes the @ character) and the sAMAccountName in the user's Active Directory account. For example:

• userPrincipalName: jsmith@example.com
• sAMAccountName: U123456

The user attempts to enroll as U123456@example.com. This fails to match either userPrincipalName or sAMAccountName.

There are several possible solutions to this issue:

• Update the user's userPrincipalName in Active Directory so it matches exactly the username with which the user is trying to enroll. In the above example this would be U123456@example.com.
• Enroll with the user's userPrincipalName as it appears in Active Directory. In the above example this would be jsmith@example.com.
• Enroll with the user's sAMAccountName as it appears in Active Directory. In the above example this would be U123456.

Encryption Management Server will try to match the username from the Encryption Desktop enrollment with the following fields from Active Directory:

• sAMAccountName.
• userPrincipalName.
• proxyAddresses (the user record may have several, the primary is in the format SMTP:user@example.com).
• mail (if the Active Directory account is mail-enabled this will be identical to the primary proxyAddresses).

The email domain will need to be in the list of Managed Domains in Encryption Management Server. 

For further assistance in validating LDAP Attributes, please reach out to Symantec Encryption Support.