Key User IDs are not updated when Display Names change in Active Directory

Article ID: 173390

Products

  • Encryption Management Server
  • Gateway Email Encryption

Issue/Introduction

When a user account with an SKM mode key is first added to Encryption Management Server, the User ID of the key matches the Display Name of the user as it appears in Active Directory. For example, if the user's Display Name in Active Directory is "Last, First", the User ID of their key would be "Last, First <[email protected]>". By default, when an email message for that user is decrypted, this User ID is included in the "Smart Annotations" within the body of the message.

However, if the user's Display Name is changed in Active Directory, the User ID of the user's key is not updated when periodic regrouping runs. Note that the user's Display Name in their Encryption Management Server account is updated by periodic regrouping.

Entries similar to the following appear in the Groups log if the Active Directory Display Name changes from "Last, First" to "Last, Second", but only in debug mode:

2019/01/09 17:29:34 +00:00  DEBUG  pgp/groupd[2941]:       LDAP-00000: found stale primary user id "Last, First <[email protected]>" on key 0xFFE04D60E74EA3F6
2019/01/09 17:29:34 +00:00  DEBUG  pgp/groupd[2941]:       LDAP-00000: can't locate user id "Last, Second <[email protected]" on key 0xFFE04D60E74EA3F6

Environment

  • Symantec Encryption Management Server release 10.5 MP3 and below.
  • User accounts using SKM key mode.

Resolution

This issue was first resolved in Encryption Management Server 10.5 MP3 HF1, so please upgrade to that release or later.

In Encryption Management Server 10.5 MP3 HF1, the following entry will appear in the Groups log if the Active Directory Display Name changes from "Last, First" to "Last, Second":

2022/03/02 14:58:07 +00:00  INFO   pgp/groupd[2079]:       LDAP-00000: added user ID "Last, Second <[email protected]>" to key "Last, First <[email protected]>" (KeyID: 0xE74EA3F6)

If the user has an S/MIME certificate, this entry will also appear:

2022/03/02 14:58:07 +00:00  NOTICE pgp/groupd[2079]:       LDAP-00000: PGP User id 'Last, First <[email protected]>' is associated with an existing certificate and will not be removed

To work around this issue in releases below 10.5 MP3 HF1, revoke the user's key and re-enroll the user. This will generate a new key with the correct User ID.
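The Groups log entries quoted in the Issue and Resolution sections are the only place a stale User ID shows up before a recipient notices the wrong name in the Smart Annotations, so an administrator running a release below 10.5 MP3 HF1 may want to scan that log (with debug logging on) and list the keys that need the revoke-and-re-enroll workaround. The script below is an added example, not code from Symantec or from the product: it parses the four entry formats shown in this article, normalises the long (0xFFE04D60E74EA3F6) and short (0xE74EA3F6) KeyID forms the two releases print so both refer to the same key, and reports each key as "stale" (pre-HF1 behaviour) or "updated" (HF1 behaviour), together with any old User ID that HF1 retained because of an S/MIME certificate. The sample log lines, the example.com addresses and the second KeyID are constructed for the example; everything else about the line layout is taken from the entries above.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Groups log entries quoted in the
# article. Addresses and the second KeyID are placeholders, not real values.
SAMPLE_LOG = """\
2019/01/09 17:29:34 +00:00  DEBUG  pgp/groupd[2941]:       LDAP-00000: found stale primary user id "Last, First <user@example.com>" on key 0xFFE04D60E74EA3F6
2019/01/09 17:29:34 +00:00  DEBUG  pgp/groupd[2941]:       LDAP-00000: can't locate user id "Last, Second <user@example.com>" on key 0xFFE04D60E74EA3F6
2022/03/02 14:58:07 +00:00  INFO   pgp/groupd[2079]:       LDAP-00000: added user ID "Other, Second <other@example.com>" to key "Other, First <other@example.com>" (KeyID: 0x0123ABCD)
2022/03/02 14:58:07 +00:00  NOTICE pgp/groupd[2079]:       LDAP-00000: PGP User id 'Other, First <other@example.com>' is associated with an existing certificate and will not be removed
2022/03/02 14:58:08 +00:00  INFO   pgp/groupd[2079]:       LDAP-00000: some unrelated groupd message the audit should ignore
"""

# Common prefix: timestamp, level, process tag, then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z]+)\s+pgp/groupd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Pre-HF1 debug entries (stale primary UID, expected UID not found on the key).
STALE_RE = re.compile(r'found stale primary user id "(?P<uid>[^"]+)" on key (?P<key>0x[0-9A-Fa-f]+)')
MISSING_RE = re.compile(r'can\'t locate user id "(?P<uid>[^"]+)" on key (?P<key>0x[0-9A-Fa-f]+)')
# HF1 entries (new UID added; old UID kept because an S/MIME certificate uses it).
ADDED_RE = re.compile(r'added user ID "(?P<new>[^"]+)" to key "(?P<old>[^"]+)" \(KeyID: (?P<key>0x[0-9A-Fa-f]+)\)')
RETAINED_RE = re.compile(r"PGP User id '(?P<uid>[^']+)' is associated with an existing certificate and will not be removed")


def short_key_id(key):
    """Reduce a 0x-prefixed long or short KeyID to its last 8 hex digits, upper-cased."""
    return key[-8:].upper()


def parse_line(line):
    """Return a structured event for a recognised groupd entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    base = {"ts": m.group("ts"), "level": m.group("level")}
    s = STALE_RE.search(msg)
    if s:
        return {**base, "event": "stale", "key": short_key_id(s["key"]), "uid": s["uid"]}
    s = MISSING_RE.search(msg)
    if s:
        return {**base, "event": "missing", "key": short_key_id(s["key"]), "uid": s["uid"]}
    s = ADDED_RE.search(msg)
    if s:
        return {**base, "event": "added", "key": short_key_id(s["key"]), "old": s["old"], "new": s["new"]}
    s = RETAINED_RE.search(msg)
    if s:
        return {**base, "event": "retained", "uid": s["uid"]}
    return None


def audit(log_text):
    """Build a per-key report: old UID, UID expected from AD, status, and retained UIDs."""
    report = defaultdict(lambda: {"stale_uid": None, "expected_uid": None,
                                  "status": None, "retained_uids": []})
    uid_to_key = {}  # the NOTICE line carries no KeyID, so map old UIDs back to keys
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "stale":
            entry = report[ev["key"]]
            entry["stale_uid"] = ev["uid"]
            entry["status"] = "stale"
            uid_to_key[ev["uid"]] = ev["key"]
        elif ev["event"] == "missing":
            entry = report[ev["key"]]
            entry["expected_uid"] = ev["uid"]
            entry["status"] = entry["status"] or "stale"
        elif ev["event"] == "added":
            entry = report[ev["key"]]
            entry["stale_uid"] = ev["old"]
            entry["expected_uid"] = ev["new"]
            entry["status"] = "updated"
            uid_to_key[ev["old"]] = ev["key"]
        elif ev["event"] == "retained":
            key = uid_to_key.get(ev["uid"])
            if key is not None:
                report[key]["retained_uids"].append(ev["uid"])
    return dict(report)


def keys_needing_reenrollment(report):
    """KeyIDs still carrying a stale UID, i.e. candidates for the revoke-and-re-enroll workaround."""
    return sorted(k for k, v in report.items() if v["status"] == "stale")


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for key, info in result.items():
        print(key, info)
    print("re-enroll:", keys_needing_reenrollment(result))
```

Run it against a copy of the Groups log exported from the server; on a pre-HF1 system only the two DEBUG forms will match, and the "re-enroll" list is the set of keys whose User ID no longer matches the Active Directory Display Name. After the upgrade the same script reports "updated" for keys that periodic regrouping has fixed, and the retained_uids field shows which old User IDs remain on a key because an S/MIME certificate still references them.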

Additional Information

EPG-25607