Changing Active Directory Display Name removes the association between internal users and certificates
Article ID: 231969

Products

Gateway Email Encryption Encryption Management Server

Issue/Introduction

Under certain circumstances, the association between an Encryption Management Server internal user and their S/MIME certificate can be removed. This happens under the following conditions:

  1. Encryption Management Server uses Directory Synchronization with Active Directory.
  2. Internal users have S/MIME certificates that were issued by a third-party Certificate Authority and imported into Encryption Management Server.
  3. The Display Name of the internal user in Active Directory changes.

If the user's Display Name in Active Directory changes, an entry like the following appears in the administration console under Reporting / Logs / Group log, where First Last is the user's new Display Name and [email protected] was the original Display Name in Active Directory:

added user ID "First Last <[email protected]>" to key "[email protected] <[email protected]>" (KeyID: 0x519FDB45)

Once this entry has been logged, the association between the internal user and the third-party certificate is removed. To confirm this, do the following from the administration console:

  1. Navigate to Consumers / Users / Internal Users.
  2. Click on the user name to open the user's record.
  3. Expand the Managed Keys section.
  4. Click on the key ID to open the Managed Key Information page.
  5. Observe that in the Certificates section, the third-party certificate is missing.

Environment

Symantec Encryption Management Server release 10.5 MP3.

Resolution

This issue was first resolved in release 10.5 MP3 HF1 so please upgrade.

If you cannot upgrade, work around the issue as follows:

  1. Change the user's Display Name in Active Directory so that it matches the value of the CN attribute in the Subject of the certificate. Often this will be the email address.
  2. In the administration console, navigate to Consumers / Users / Internal Users, find the user and click on the Delete button to delete the user account.
  3. Create the user again by navigating to Consumers / Users / Internal Users, clicking on the Add Internal Users button and importing the user's certificate file (*.pfx or *.p12).
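To detect the Group log entry described under Issue/Introduction across an exported log, and to check a user's Display Name against the certificate Subject CN before re-importing the certificate in step 1 of the workaround, here is an added Python example; it is not part of this article or of the product. The log lines, addresses and Subject strings below are constructed samples (only the KeyID 0x519FDB45 comes from the article).

```python
import re
from typing import Dict, List, Optional

# Shape of the Group log entry quoted in the article:
#   added user ID "Name <addr>" to key "Name <addr>" (KeyID: 0x...)
GROUP_LOG_RE = re.compile(
    r'added user ID "(?P<new_name>[^"<]*?)\s*<(?P<new_email>[^>]+)>" '
    r'to key "(?P<key_name>[^"<]*?)\s*<(?P<key_email>[^>]+)>" '
    r'\(KeyID: (?P<key_id>0x[0-9A-Fa-f]+)\)'
)


def parse_group_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of an 'added user ID ... to key' entry, or None."""
    m = GROUP_LOG_RE.search(line)
    return m.groupdict() if m else None


def find_display_name_changes(lines: List[str]) -> List[Dict[str, str]]:
    """Flag entries where a new user ID was added to an existing key for the
    same address but with a different name: the symptom of an AD Display
    Name change that detaches the imported third-party certificate."""
    hits = []
    for line in lines:
        entry = parse_group_log_line(line)
        if (entry
                and entry["new_email"].lower() == entry["key_email"].lower()
                and entry["new_name"] != entry["key_name"]):
            hits.append(entry)
    return hits


def subject_cn(subject_dn: str) -> Optional[str]:
    """Extract CN from a comma-separated Subject string such as
    'CN=first.last@example.com,O=Example Corp' (escaped commas are kept)."""
    for rdn in re.split(r'(?<!\\),', subject_dn):
        key, _, value = rdn.strip().partition('=')
        if key.strip().upper() == 'CN':
            return value.strip()
    return None


def display_name_matches_cn(display_name: str, subject_dn: str) -> bool:
    """True when the AD Display Name equals the certificate Subject CN,
    which is what workaround step 1 requires before the user is re-created."""
    cn = subject_cn(subject_dn)
    return cn is not None and display_name.strip() == cn


# Constructed sample log: first line mirrors the article's entry, second is benign.
SAMPLE_LOG = [
    'added user ID "First Last <first.last@example.com>" to key '
    '"first.last@example.com <first.last@example.com>" (KeyID: 0x519FDB45)',
    'added user ID "Jane Doe <jane.doe@example.com>" to key '
    '"Jane Doe <jane.doe@example.com>" (KeyID: 0x0A1B2C3D)',
]
```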

Additional Information

EPG-25914