PGP Encryption Server Directory Synchronization cannot use IP address for LDAPS (Symantec Encryption Management Server)



Article ID: 197991


Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

PGP Encryption Server Directory Synchronization can connect to Windows Active Directory domain controllers for enrollment, user validation and authentication.

The security of Active Directory domain controllers is paramount; whenever LDAP functionality is used, the DC should be configured to reject LDAP (non-TLS) simple binds performed over a clear-text connection. Therefore the PGP Encryption Server should be configured to use LDAPS, not LDAP.

LDAP uses port 389 for clear-text queries, and if the domain controller is a global catalog server, port 3268.


LDAPS uses port 636 for secure/encrypted connections to the DC and, if the DC is a global catalog server, port 3269.


The PGP Encryption Server does not need to trust the certificates in the issuing chain of the domain controller's certificate and will work out of the box without special configuration.

However, if you specify the domain controller Hostname as an IP address, the LDAPS connection will fail when you click the Test Connection button.

The following Information message will be logged to the Administration log where 192.168.1.100 is the IP address of the domain controller and 3269 is the port:

Test LDAP connection fail: 192.168.1.100:3269

Cause

TLS connections rely on the Hostname matching the Common Name (CN) of the domain controller's certificate.

Resolution

As LDAPS should always be used, always specify the FQDN (fully qualified domain name) of the domain controller in the Hostname field when configuring Directory Synchronization.
Using the FQDN allows proper TLS certificate validation to be completed.

This name should match the Common Name (CN) of the domain controller's certificate.
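To see why an IP address in the Hostname field fails where the FQDN succeeds, here is an added Python example (not part of this article or of the PGP Encryption Server) that applies the TLS name-matching rule to a constructed domain controller certificate in the dictionary shape returned by `ssl.SSLSocket.getpeercert()`; `dc01.example.com` and `192.168.1.100` are placeholders.

```python
"""Check whether a Directory Synchronization Hostname value would pass
TLS certificate name validation against a domain controller certificate."""
import ipaddress
import socket
import ssl

# Constructed sample certificate (placeholder names, not a real DC).
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.example.com"),),),
    "subjectAltName": (("DNS", "dc01.example.com"), ("DNS", "example.com")),
}


def _wildcard_match(pattern: str, name: str) -> bool:
    # Only a leading "*." wildcard is honoured, and it covers exactly one label.
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return pattern == name


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Return True if hostname would validate against the certificate's names."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN; the CN is never consulted,
        # which is why 192.168.1.100 fails against a CN of dc01.example.com.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    host = hostname.lower().rstrip(".")
    dns_names = [val.lower() for kind, val in sans if kind == "DNS"]
    if not dns_names:
        # Fall back to the CN only when the certificate carries no DNS SAN entries.
        dns_names = [val.lower() for rdn in cert.get("subject", ())
                     for key, val in rdn if key == "commonName"]
    return any(_wildcard_match(p, host) for p in dns_names)


def fetch_dc_cert(hostname: str, port: int = 636) -> dict:
    """Fetch the live certificate from an LDAPS port (network access required).
    Hostname checking is disabled so the DC can be reached by IP for inspection;
    the issuing chain must be trusted by the local CA store or the dict is empty."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run `hostname_matches_cert` on the value you intend to put in the Hostname field before clicking Test Connection; `fetch_dc_cert("dc01.example.com", 3269)` returns the same dictionary shape for a global catalog port.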

For more general information on how to configure Directory Synchronization, see the following article:

180239 - HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)

Additional Information

171746 - PGP Administrator Password Complexity Enforcement via AD Admins (Directory Authentication) for PGP Encryption Server

153670 - PGP Encryption Server Administrator Roles (Symantec Encryption Management Server)

180239 - HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)

180156 - Obtain the Base DN or Bind DN Attributes for LDAP Directory Synchronization for PGP Encryption Server

153668 - Enroll PGP Encryption Desktop clients using Directory Authentication with PGP Encryption Server (Symantec Encryption Management Server)

153425 - Troubleshooting: PGP Encryption Desktop Client Enrollment (Symantec Encryption Desktop)

171744 - PGP Administrator Password Complexity Enforcement via Passphrase Authentication (Manual Password Assignment)

216163 - Reset Password for Administrators on Symantec Encryption Management Server (PGP Server)


197991 - PGP Encryption Server Directory Synchronization cannot use IP address for LDAPS (Symantec Encryption Management Server)

EPG-25051