An Encryption Desktop user cannot enroll against Encryption Management Server. They are constantly prompted for their username and password.
There is a difference between the first part of the userPrincipalName (the part that precedes the @ character) and the sAMAccountName in the user's Active Directory account. For example:
The user attempts to enroll as [email protected]. This fails to match either userPrincipalName or sAMAccountName.
There are several possible solutions to this issue:
Encryption Management Server will try to match the username from the Encryption Desktop enrollment with the following fields from Active Directory:
The email domain will need to be in the list of Managed Domains in Encryption Management Server.
The attached script will allow an administrator with SSH access to the Encryption Management Server to validate any username against Active Directory and therefore determine if it is able to enroll. To install it:
# cd /var/lib/ovid/customization
# gunzip validate_enroll.sh.gz
# openssl sha1 validate_enroll.sh
# /var/lib/ovid/customization/validate_enroll.sh [email protected] |more
# /var/lib/ovid/customization/validate_enroll.sh [email protected] 636 |more
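The following is an added example, not the validate_enroll.sh script attached to this article, that models the two checks described above: the e-mail domain must be a Managed Domain, and the enrollment username must line up with the userPrincipalName or sAMAccountName attribute in Active Directory. It assumes those two attributes are the ones consulted, uses port 636 for LDAPS as the second command above does, needs the ldap3 package only for the live query, and the server name, search base, bind account and CA file are placeholders. The directory record it checks offline is constructed to reproduce the mismatch between the UPN prefix and sAMAccountName.

```python
"""Check an enrollment username against Active Directory: the e-mail domain
must be a Managed Domain, and the name must line up with userPrincipalName
or sAMAccountName.

Constructed example; not the validate_enroll.sh script from the article.
Assumptions (not taken from the article): the two attributes consulted are
userPrincipalName and sAMAccountName, the LDAPS port is 636, and the server
name, search base, bind account and CA file below are placeholders.
"""
import ssl
import sys

# RFC 4515 escaping, so that a username pasted from an enrollment prompt can
# never change the structure of the filter (e.g. "*" or ")(" in the local part).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_username(username):
    """Return (local_part, domain); domain is None when there is no '@'."""
    local, sep, domain = username.partition("@")
    return local, (domain.lower() if sep else None)


def domain_is_managed(username, managed_domains):
    """First requirement from the article: the domain must be a Managed Domain."""
    _, domain = split_username(username)
    return domain is not None and domain in {d.lower() for d in managed_domains}


def build_filter(username):
    """Search under either spelling so the administrator can see which
    attribute actually holds the name the user typed."""
    local, _ = split_username(username)
    return "(|(userPrincipalName={})(sAMAccountName={}))".format(
        escape_filter_value(username), escape_filter_value(local))


def summarize(username, entries):
    """Classify each returned account against the typed username.

    kind == "upn_exact": the whole username equals userPrincipalName.
    kind == "local_part_only": only the part before '@' equals sAMAccountName,
    i.e. the UPN prefix and sAMAccountName differ and the typed name equals
    neither attribute as a whole (the article's failing case).
    """
    local, _ = split_username(username)
    findings = []
    for entry in entries:
        upn = entry.get("userPrincipalName") or ""
        sam = entry.get("sAMAccountName") or ""
        if upn.lower() == username.lower():
            kind = "upn_exact"
        elif sam.lower() == local.lower():
            kind = "local_part_only"
        else:
            continue
        findings.append({"sAMAccountName": sam, "userPrincipalName": upn,
                         "upnPrefix": upn.partition("@")[0], "kind": kind})
    return findings


# Constructed directory record reproducing the article's scenario: the UPN
# prefix (john.smith) and sAMAccountName (jsmith) differ.
SAMPLE_ENTRIES = [{"userPrincipalName": "john.smith@example.com", "sAMAccountName": "jsmith"}]


def query_ad(username, host, base_dn, bind_dn, bind_password, ca_file, port=636):
    """Run the search over LDAPS with certificate validation (needs the ldap3 package)."""
    from ldap3 import Connection, Server, Tls  # imported lazily; the offline helpers do not need it
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=port, use_ssl=True, tls=tls)
    with Connection(server, user=bind_dn, password=bind_password, auto_bind=True) as conn:
        conn.search(base_dn, build_filter(username),
                    attributes=["userPrincipalName", "sAMAccountName"])
        results = []
        for e in conn.entries:
            attrs = e.entry_attributes_as_dict  # attribute name -> list of values
            results.append({"userPrincipalName": (attrs.get("userPrincipalName") or [""])[0],
                            "sAMAccountName": (attrs.get("sAMAccountName") or [""])[0]})
        return results


if __name__ == "__main__":
    # Same calling convention as the article's script: username, optional port.
    name = sys.argv[1] if len(sys.argv) > 1 else "jsmith@example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    print("managed domain:", domain_is_managed(name, ["example.com"]))
    print("filter:", build_filter(name))
    for f in summarize(name, SAMPLE_ENTRIES):  # offline run against the constructed record
        print(f)
    # Live run (placeholders): fill in the connection details and remove the comment markers.
    # for f in summarize(name, query_ad(name, "dc01.example.com", "DC=example,DC=com",
    #                                   "CN=reader,OU=svc,DC=example,DC=com", "<bind password>",
    #                                   "/path/to/ca.pem", port)):
    #     print(f)
```

A result of kind "local_part_only" is the situation the article describes: the account exists, but the name typed at the enrollment prompt equals neither userPrincipalName nor sAMAccountName as a whole, so the user should enroll with the full userPrincipalName (or the account attributes should be aligned). The filter escaping matters because the username comes straight from an end user; without it a value containing "*" or ")(" would change what the search matches.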