Encryption Desktop users are not prompted to authenticate with Encryption Management Server


Article ID: 217002


Updated On:


  • Desktop Email Encryption, Powered by PGP Technology
  • Drive Encryption Powered by PGP Technology
  • Encryption Management Server Powered by PGP Technology


After an Encryption Desktop user enrolls to Encryption Management Server, they are not prompted to authenticate each time Encryption Desktop communicates with Encryption Management Server.


  • Symantec Encryption Desktop 10.4.2 and above.
  • Symantec Encryption Management Server 3.4.2 and above.


This is by design.


If Encryption Management Server is configured to use Directory Synchronization with Microsoft Active Directory, clients can use directory authentication to enroll. To enable this, from the Encryption Management Server administration console, navigate to Consumers / Directory Synchronization, click the Settings button, then enable the option Enroll clients using directory authentication.

When a client enrolls, Encryption Management Server validates their credentials with Active Directory and issues the client with a token.

Encryption Management Server does not store the client's Active Directory credentials.

Whenever a client communicates with Encryption Management Server after the initial enrollment, it uses the token to authenticate and does not prompt the user for credentials. Active Directory is not part of this authentication process.

Note that if Directory Synchronization with Active Directory is enabled on Encryption Management Server, Encryption Management Server will periodically check whether users enrolled to Encryption Management Server still exist in Active Directory and also check for updates to their email addresses and security group memberships. Encryption Management Server uses a dedicated Active Directory service account to do this. This account is configured within LDAP Directory settings.
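The enrollment, token authentication and directory check described above can be modelled as follows. This is an added example, not Symantec's implementation or code from this article. The class names, the `svc-sync` account name, the sample users and the choice to keep only a SHA-256 hash of the token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Directory:
    """Stand-in for Active Directory, holding constructed sample users."""
    def __init__(self, users):
        self.users = dict(users)   # username -> password
        self.user_binds = 0        # credential checks performed for users

    def check_credentials(self, user, password):
        self.user_binds += 1
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

    def list_users(self, service_account):
        # The periodic check reads the directory with a dedicated account.
        if service_account != "svc-sync":   # hypothetical account name
            raise PermissionError(service_account)
        return set(self.users)

class ManagementServer:
    """Conceptual model of the server side of enrollment."""
    def __init__(self, directory):
        self.directory = directory
        self.token_hashes = {}     # username -> token hash; no passwords kept

    def enroll(self, user, password):
        """One-time enrollment: validate with the directory, issue a token."""
        if not self.directory.check_credentials(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.token_hashes[user] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def authenticate(self, user, token):
        """Every later contact: token only, the directory is not consulted."""
        expected = self.token_hashes.get(user)
        presented = hashlib.sha256(token.encode()).hexdigest()
        return expected is not None and hmac.compare_digest(expected, presented)

    def sync_missing_users(self):
        """Periodic check: enrolled users no longer present in the directory."""
        present = self.directory.list_users("svc-sync")
        return sorted(set(self.token_hashes) - present)
```

In this model a password change in the directory has no effect on token authentication. Only the periodic check, run under the service account, notices a user who has been removed.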