
Encryption Management Server cannot look up user certificates stored in Active Directory


Article ID: 171446




Encryption Management Server Gateway Email Encryption


Active Directory can store S/MIME certificates for users, and Active Directory servers can be added as X.509 Keyservers in Encryption Management Server under Keys / Keyservers.

However, Active Directory servers require authentication and it is not possible to add authentication credentials using the Encryption Management Server administration console. Without valid Active Directory credentials, Encryption Management Server will be unable to look up user certificates in Active Directory.


Encryption Management Server 3.3 and above.


The Active Directory server needs to be added as a Keyserver with the following attributes:

  • Description: any useful description (optional). For example, dc1.
  • Type: X.509 Directory LDAP or X.509 Directory LDAPS. Which one to choose depends on whether a secure connection is required. If you choose LDAPS, you will need to import the public certificates from the certificate chain of the Active Directory server certificate. Do this from Keys / Trusted Keys in the administration console.
  • Hostname: the fully qualified domain name of the Active Directory server. For example,
  • Base DN: the base Distinguished Name of the Active Directory. For example, DC=example, DC=com.

Once you have added the Keyserver entry for an Active Directory server, you need to update the keyserver database table with the Distinguished Name and password of an Active Directory user that has permissions to read the S/MIME certificates of other Active Directory users.

Please contact Symantec Technical Support for assistance in updating the keyserver table.

Once the Distinguished Name and password for the Active Directory user have been added to the keyserver table, you can add the Keyserver to a mail rule under Mail / Mail Policy in the administration console.
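As an added example (not part of this article or of the product), the certificate lookup the Keyserver entry above is configured for can be reproduced by hand in Python before the keyserver table is updated: build the LDAP search from the Type, Hostname and Base DN attributes, run it with `ldapsearch` under the intended bind DN, and check the returned LDIF for user certificates. The hostname, DNs and certificate bytes below are constructed placeholders.

```python
import base64
import re
from urllib.parse import quote

# Keyserver "Type" values from the article, mapped to LDAP URL scheme and default port.
KEYSERVER_TYPES = {"X.509 Directory LDAP": ("ldap", 389),
                   "X.509 Directory LDAPS": ("ldaps", 636)}

# Constructed LDIF, in the shape ldapsearch prints; the certificate value is a
# placeholder DER blob (0x30 0x03 0x02 0x01 0x01), not a real S/MIME certificate.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
mail: alice@example.com
userCertificate;binary:: MAMC
 AQE=

dn: CN=Bob Example,CN=Users,DC=example,DC=com
mail: bob@example.com
"""


def escape_filter_value(value):
    """RFC 4515 escaping, so a recipient address can never change the filter's structure."""
    return "".join(
        "\\%02x" % b if b < 0x20 or b > 0x7E or chr(b) in "*()\\" else chr(b)
        for b in value.encode("utf-8")
    )


def build_lookup(ks_type, hostname, base_dn, recipient):
    """RFC 4516 LDAP URL for the lookup the keyserver performs for one recipient address."""
    scheme, port = KEYSERVER_TYPES[ks_type]
    filt = "(&(objectClass=user)(mail=%s))" % escape_filter_value(recipient)
    return "%s://%s:%d/%s?userCertificate;binary?sub?%s" % (
        scheme, hostname, port, quote(base_dn, safe="=,"), quote(filt, safe="()&=*@"))


def parse_ldif_certs(ldif_text):
    """Map each returned DN to its DER certificates; unfolds continuation lines and decodes base64 ('::')."""
    certs, dn = {}, None
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            certs[dn] = []
        elif line.startswith("userCertificate;binary:: ") and dn is not None:
            certs[dn].append(base64.b64decode(line.split(":: ", 1)[1]))
    return certs


def users_without_certificate(certs):
    """DNs that came back with no certificate. AD rejects anonymous searches by default,
    so an empty or certificate-less result is the symptom of the missing bind credentials."""
    return sorted(dn for dn, ders in certs.items() if not ders)
```

Feed the LDIF from a real `ldapsearch -H <url> -D <bind DN> -W` run into `parse_ldif_certs` to confirm the chosen account can read `userCertificate` before the credentials are placed in the keyserver table.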