Encryption Desktop user cannot enroll against Encryption Management Server

Article ID: 161719

Products

Encryption Management Server

Issue/Introduction

An Encryption Desktop user cannot enroll against Encryption Management Server. They are constantly prompted for their username and password.

Cause

There is a difference between the first part of the userPrincipalName (the part that precedes the @ character) and the sAMAccountName in the user's Active Directory account. For example:

The user attempts to enroll as [email protected]. This fails to match either the userPrincipalName or the sAMAccountName.

Environment

  • Encryption Desktop 10.3.2 MP13 and above.
  • Encryption Management Server 3.3.2 MP13 and above using Active Directory Synchronization.

Resolution

There are several possible solutions to this issue:

  • Update the user's userPrincipalName in Active Directory so that it exactly matches the username with which the user is trying to enroll. In the above example this would be [email protected].
  • Enroll with the user's userPrincipalName as it appears in Active Directory. In the above example this would be [email protected].
  • Enroll with the user's sAMAccountName as it appears in Active Directory. In the above example this would be U123456.

Encryption Management Server will try to match the username from the Encryption Desktop enrollment with the following fields from Active Directory:

  • sAMAccountName.
  • userPrincipalName.
  • proxyAddresses (the user record may have several, the primary is in the format SMTP:[email protected]).
  • mail (if the Active Directory account is mail-enabled this will be identical to the primary proxyAddress).

The email domain will need to be in the list of Managed Domains in Encryption Management Server.
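The matching described above, worked through against a constructed Active Directory record (this is an added example, not the product's code or the attached script; the attribute order, case-insensitive comparison and the point at which the Managed Domain check is applied are assumptions, and all names and domains are made up):

```python
# Constructed AD user record, expressed as a dict of LDAP attributes.
AD_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["U123456"],
    "userPrincipalName": ["jsmith@example.com"],     # prefix differs from sAMAccountName
    "proxyAddresses": ["SMTP:jsmith@example.com",    # primary address: upper-case SMTP:
                       "smtp:john.smith@example.com"],
    "mail": ["jsmith@example.com"],
}
MANAGED_DOMAINS = {"example.com"}   # constructed Managed Domains list

# Attributes the article says the server compares the enrollment name against.
MATCH_ORDER = ("sAMAccountName", "userPrincipalName", "proxyAddresses", "mail")


def _candidates(record, attr):
    """Comparable values of one attribute; proxyAddresses lose their smtp: prefix."""
    values = record.get(attr, [])
    if attr == "proxyAddresses":
        values = [v.split(":", 1)[1] for v in values if v.lower().startswith("smtp:")]
    return values


def match_enrollment(username, record, managed_domains):
    """Return (matched_attribute, reason); matched_attribute is None on failure.

    Only User objects are considered (Contacts are ignored), the domain of an
    e-mail style name must be a Managed Domain, and the name must equal one of
    the four attributes. Comparisons are case-insensitive (an assumption).
    """
    if "user" not in [c.lower() for c in record.get("objectClass", [])]:
        return None, "not a User object (e.g. a Contact)"
    if "@" in username:
        domain = username.rsplit("@", 1)[1].lower()
        if domain not in {d.lower() for d in managed_domains}:
            return None, f"domain {domain} is not a Managed Domain"
    for attr in MATCH_ORDER:
        if username.lower() in (v.lower() for v in _candidates(record, attr)):
            return attr, f"matched {attr}"
    return None, "matches neither sAMAccountName, userPrincipalName, proxyAddresses nor mail"


if __name__ == "__main__":
    # The first name reproduces the article's failure: sAMAccountName@domain is not the UPN.
    for name in ("U123456@example.com", "jsmith@example.com", "U123456",
                 "john.smith@example.com", "jsmith@other.example"):
        print(f"{name:26} -> {match_enrollment(name, AD_USER, MANAGED_DOMAINS)}")
```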

The attached script allows an administrator with SSH access to the Encryption Management Server to validate any username against Active Directory and therefore determine whether that user is able to enroll. To install it:

  • Download the attached validate_enroll.sh.gz file.
  • Use SCP to upload it to the /var/lib/ovid/customization directory of Encryption Management Server.
  • SSH to Encryption Management Server and change to the customization directory:
    # cd /var/lib/ovid/customization
  • Decompress the file:
    # gunzip validate_enroll.sh.gz
  • Check the hash of the file:
    # openssl sha1 validate_enroll.sh
    SHA1(validate_enroll.sh)= 4538907f53994a9189ec955ede4cc879491fd5cb
  • Test the username that is having problems:
    # /var/lib/ovid/customization/validate_enroll.sh [email protected] |more
  • The script will state whether the user will be able to enroll.
  • The script will search all the LDAP Directories and all the Base Distinguished Name entries that are listed under Consumers / Directory Synchronization in the administration console.
  • The script will search both LDAP Directories and Base Distinguished Names according to the value of the Priority field in the Directory Synchronization settings.
  • If you wish to override the LDAP port that is stored in the LDAP Servers section of the Directory Synchronization settings, you can pass a different one on the command line:
    # /var/lib/ovid/customization/validate_enroll.sh [email protected] 636 |more
  • If you have not specified an LDAP Base DN in the Base Distinguished Names section of the Directory Synchronization settings, the script will derive one from the Bind DN of the stored LDAP Credentials. This will consist of the DC= entries.
  • The script searches all the LDAP Servers that are configured for each LDAP Directory. However, note that unlike the script, Encryption Management Server will only ever contact additional LDAP Servers if the first LDAP Server is unreachable.
  • The script will find and display matching User records in Active Directory. Other Active Directory object classes such as Contacts are ignored.

Attachments

validate_enroll.sh.gz