Users not grouped properly if certificates from Active Directory are rejected (PGP Server Unable to Group Users)


Article ID: 247593


Updated On:


Products: Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK


Symantec Encryption Management Server can group users based on their group membership in Active Directory. For example, if you have an AD Security Group called "PGP Power Users", you can place users in that Security Group and then create an associated group on the PGP server so that those users are matched and grouped automatically. Once this is set up, the PGP users appear in their corresponding groups and the PGP Admin does not need to add them to groups manually.

In addition to grouping users automatically, the PGP Server can also harvest users' certificates from Active Directory so that, where available, they can be used for email encryption. For this to work, the PGP server must trust the Certificate Authority that issued those certificates; otherwise the users cannot be grouped. If the Certificate Authority is not trusted, you may see the following error when the server attempts to group users:


2022/08/05 14:35:44 -07:00  INFO   pgp/groupd[2965]:       LDAP-00000: found certificate "CN=username, [email protected], OU=Users" (issuer: "CN=CONTAINER-HERE") [rejected - not signed by a trusted certificate]

The harvested certificates are used only for S/MIME email encryption.
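Before importing anything into Trusted Keys, it helps to know which issuing CA (or CAs) groupd is actually rejecting, and how many users are affected. The following is an added example (not part of the original article or of the Symantec product) that parses groupd log lines of the format shown above and collects the rejected certificates by issuer. The sample log lines, the subject and issuer DNs in them, and the non-certificate line are all constructed for the example; the only format assumption is the one line format the article shows.

```python
import re
from collections import defaultdict

# Pattern for the groupd "found certificate" line, as shown in the article:
#   <timestamp> <level> pgp/groupd[<pid>]: LDAP-<code>: found certificate "<subject>"
#   (issuer: "<issuer>") [<status>]
# The bracketed status is optional so that accepted certificates also parse.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+'
    r'(?P<level>\w+)\s+pgp/groupd\[\d+\]:\s+LDAP-\d+: found certificate '
    r'"(?P<subject>[^"]*)" \(issuer: "(?P<issuer>[^"]*)"\)'
    r'(?: \[(?P<status>[^\]]*)\])?'
)

# Status text from the article's log line.
REJECT_UNTRUSTED = "rejected - not signed by a trusted certificate"

# Constructed sample log: two certificates from one untrusted CA, one from a
# CA the server already trusts, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
2022/08/05 14:35:44 -07:00  INFO   pgp/groupd[2965]:       LDAP-00000: found certificate "CN=alice, E=alice@example.com, OU=Users" (issuer: "CN=Example Issuing CA") [rejected - not signed by a trusted certificate]
2022/08/05 14:35:45 -07:00  INFO   pgp/groupd[2965]:       LDAP-00000: found certificate "CN=bob, E=bob@example.com, OU=Users" (issuer: "CN=Example Issuing CA") [rejected - not signed by a trusted certificate]
2022/08/05 14:35:46 -07:00  INFO   pgp/groupd[2965]:       LDAP-00000: found certificate "CN=carol, E=carol@example.com, OU=Users" (issuer: "CN=Example Trusted CA")
2022/08/05 14:35:47 -07:00  INFO   pgp/groupd[2965]:       constructed non-certificate line, ignored by the parser
"""


def parse_line(line):
    """Return a dict of timestamp/level/subject/issuer/status, or None if the
    line is not a groupd 'found certificate' record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def untrusted_issuers(lines):
    """Map each untrusted issuer DN to the list of subject DNs it issued that
    groupd rejected. Accepted certificates and unrelated lines are skipped."""
    rejected = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == REJECT_UNTRUSTED:
            rejected[rec["issuer"]].append(rec["subject"])
    return dict(rejected)


def summarize(lines):
    """(issuer, number of rejected certificates) pairs, most affected first.
    This is the list of CAs to import into Trusted Keys."""
    by_issuer = untrusted_issuers(lines)
    return sorted(((iss, len(subs)) for iss, subs in by_issuer.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for issuer, count in summarize(SAMPLE_LOG.splitlines()):
        print(f"{count} certificate(s) rejected, issuer not trusted: {issuer}")
```

Run it against the real log instead of the sample (for example by reading the lines from a file you have exported from the server) to get one line per issuing CA; each issuer printed is a CA whose certificate needs to be imported and trusted before grouping will succeed. Certificates whose status is absent parse as accepted and are deliberately left out of the summary.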


When this happens, you must both import the Certificate Authority's certificate into the Trusted Keys of the PGP server and mark it as trusted. Once this is done, the PGP server will trust the certificates that the Directory Sync service harvests from Active Directory.

To do this, go to Keys, Trusted Keys, and click "Add Trusted Key" at the bottom of the page.

In the screenshot above you can see that all three options are checked. This prevents further issues with this CA, because certificates it issues will then be trusted automatically.

Once this is done, try to group the users again by clicking the "Save" button on any group (without making any changes). This starts the grouping process.

Depending on how large the directory is and how many PGP users are on the server, this could take some time:

222563 - Grouping Changes in Active Directory group membership take hours to update Symantec Encryption Management Server (PGP Server)


If the above does not work, contact Symantec Encryption Support for further guidance: if S/MIME is not being used with PGP, there is a way to disable the import of X.509 certificates altogether.

Additional Information