If Encryption Management Server is configured to use Directory Synchronization with Microsoft Active Directory, clients can use directory authentication to enroll. To enable this, from the Encryption Management Server administration console, navigate to Consumers / Directory Synchronization and click on the Settings button, then enable the option Enroll clients using directory authentication:

When a client enrolls, Encryption Management Server validates their credentials with Active Directory and issues the client with a token.

Encryption Management Server does not store the client's Active Directory credentials.

Whenever a client communicates with Encryption Management Server after the initial enrollment, it uses the token to authenticate and does not prompt the user for credentials. Active Directory is not part of this authentication process.

Note that if Directory Synchronization with Active Directory is enabled on Encryption Management Server, Encryption Management Server will periodically check whether users enrolled to Encryption Management Server still exist in Active Directory and also check for updates to their email addresses and security group memberships. Encryption Management Server uses a dedicated Active Directory service account to do this. This account is configured within LDAP Directory settings: