Encryption Management Server matches an unexpected Active Directory user during regrouping of consumers in multiple domains

Article ID: 184268

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

Encryption Management Server may match an unexpected Active Directory user during periodic regrouping of consumers when Encryption Management Server Directory Synchronization is pointed at multiple Active Directory domains and multiple Active Directory objects have the same email address.

Cause

Encryption Management Server will attempt to find users based on email address once other search methods have failed.

When searching by email address, Encryption Management Server searches on email addresses sorted in ascending order rather than searching first on the primary email address.

Environment

  • Encryption Management Server 3.3.2 MP13 and above.
  • Directory Synchronization pointing to multiple Active Directory domains.
  • Multiple Active Directory objects with the same email address.

Resolution

Avoid giving users in different domains the same email address.

For example, Directory Synchronization is pointing to two Active Directory domains which it searches in order:

  1. Domain1
  2. Domain2

Domain1 contains a user with the following email address:

Domain2 contains a user with the following email addresses:

  1. [email protected]
  2. [email protected] - this is the primary email address
  3. [email protected]

When an email from [email protected] passes through Encryption Management Server for the first time, the user in Domain2 will be matched and an internal user record created. The internal user record will be associated with all three email addresses.

If the user in Domain2 is moved to an Active Directory container that is outside of the search scope used by Directory Synchronization then the next time Encryption Management Server regroups against Active Directory, the following will occur:

  1. Regrouping will be unable to find the user in the user's previous Active Directory container.
  2. Regrouping will search by ObjectGUID. Since the user is outside of the search scope it will not be found.
  3. Regrouping will search by email address. Because email addresses are sorted in ascending order before being searched, the first email address to be searched will be [email protected], not the primary email address of [email protected].
  4. The user in Domain1 will be matched.
  5. The user will be placed in an Encryption Management Server group and policy depending on the Active Directory security groups that the user in Domain1 is a member of.
  6. The user will be associated only with the email address [email protected].
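The following is an added example, not code from the article or from Encryption Management Server, that models the regrouping order described under Cause and Resolution (previous container, then ObjectGUID, then email addresses sorted ascending) and adds the check an administrator would run to find addresses shared across domains. All domain names, DNs, GUIDs and addresses are constructed; the domain search order and scope predicate are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ADUser:
    domain: str       # AD domain the object lives in (constructed names)
    dn: str           # distinguished name, i.e. container plus RDN
    object_guid: str
    primary_email: str
    emails: list      # every address on the object, primary included

# Assumed Directory Synchronization search order: Domain1 is searched before Domain2.
DOMAIN_ORDER = ["Domain1", "Domain2"]

def regroup_lookup(users, in_scope, record):
    """Mimic the regrouping order the article describes: previous container,
    then ObjectGUID, then email addresses in ascending order (not primary first).
    `record` is the internal user record saved when the user was first matched;
    `in_scope` is a predicate standing in for the Directory Synchronization scope."""
    candidates = sorted((u for u in users if in_scope(u)),
                        key=lambda u: DOMAIN_ORDER.index(u.domain))
    for u in candidates:                       # 1. previous container (stored DN)
        if u.dn == record["dn"]:
            return u
    for u in candidates:                       # 2. ObjectGUID
        if u.object_guid == record["guid"]:
            return u
    for addr in sorted(record["emails"]):      # 3. addresses sorted ascending
        for u in candidates:
            if addr in u.emails:
                return u
    return None

def duplicate_addresses(users):
    """Mitigation check: addresses present on more than one object across domains.
    Returns {address: [domain:dn, ...]} for every shared address."""
    owners = {}
    for u in users:
        for a in u.emails:
            owners.setdefault(a.lower(), set()).add(f"{u.domain}:{u.dn}")
    return {a: sorted(o) for a, o in owners.items() if len(o) > 1}
```

Running `duplicate_addresses` over exports of every synchronized domain before enabling Directory Synchronization flags exactly the objects that can trigger the mismatch described above.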