When attempting to enroll a Symantec Encryption Desktop (previously PGP Desktop) client with a Symantec Encryption Management Server (previously PGP Universal Server) the Enrollment Assistant fails or does not continue. This article provides some areas to troubleshoot client enrollment with a Symantec Encryption Management Server.
Symantec Encryption Management Server Logs
Client logs display messages about connections made from Symantec Encryption Desktop clients. For example, Symantec Drive Encryption (previously PGP Whole Disk Encryption) event notices include device detection, disk encryption or decryption, device status changes, errors during events, and WDRT use or creation.
To troubleshoot client enrollment, search the Symantec Encryption Management Server logs for the email address, username, or IP address of the user unable to enroll with the server.
To view the client logs:
- Access the Symantec Encryption Management Server administrative interface.
- Click the Reporting card and select the Logs tab.
- In the System Logs, click the drop-down arrow and select Client. The client logs are displayed.
When you receive an error regarding Invalid credentials, it is generally due to an incorrect password on the user account. Check the user account password in Active Directory and the password of the Bind DN user specified on the Symantec Encryption Management Server.
You can verify your Directory Synchronization by testing the connection to your LDAP server. For an article on testing LDAP connections, click here.
User not found in directory
If the user is rejected due to not being found in the directory, check the following areas:
- Confirm the Base DN in the Directory Synchronization settings is correct.
- Confirm the username and passphrase for the Bind DN and re-enter if necessary. Click Test Connection to confirm your configuration is correct.
Note: Directory Synchronization is configured by selecting the Internal User Policy tab on the Policy card in the Symantec Encryption Management Server administrative interface.
- Confirm your LDAP server is configured correctly for LDAP referrals. If LDAP Referrals are enabled for Directory Synchronization but your LDAP server does not support or use referrals, enrollment may fail. See the following article for more information.
- Check Global Directory settings. Currently Symantec Encryption Management Server supports the use of Global Directory on a single domain only.
When LDAP Directory Synchronization fails, client enrollment may fail with an error message regarding failure to import a license number. Click here for additional information when you receive the error Failed to import License Number, error -11933.
If you are not using Global Directory, check the following settings on the Symantec Encryption Management Server:
- Managed Domain - confirm the email domain matches the Managed Domain on the Symantec Encryption Management Server.
- Mail Queue - check whether messages are stuck in the Mail Queue. See the following article for more information.
- Mail Route configuration. Click here for an article on Managing Mail Routes.
If enrollment of the Symantec Encryption Desktop client fails immediately, examine the following areas:
- Check for any proxy server or firewall settings which may cause connection issues. Click here for additional information.
- Confirm the PGPSTAMP for Symantec Encryption Desktop in the Windows Registry is correct. See the Symantec Encryption Desktop Registry Entries section in the following article.
- Check network connectivity to the Symantec Encryption Management Server.
- Check network DNS (forward and reverse lookups) settings.
- Try to connect to the server via Telnet over port 443.
- Use the PING utility to confirm you can contact the Symantec Encryption Management Server.
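As an added example (not part of this article or of the Symantec product), the following PowerShell script runs the client-side checks above from the Windows workstation being enrolled: forward and reverse DNS, ping, TCP port 443, and the presence of PGPSTAMP. The server name and the registry key path are placeholders (substitute the key named in the Registry Entries article), and it assumes the PGPSTAMP value contains the server hostname.

```powershell
# Added example: client-side enrollment prerequisite checks.
# $Server and $PgpStampKey are placeholders; replace them with your values.
param(
    [string]$Server = 'sems.example.com',                       # constructed hostname
    [string]$PgpStampKey = 'HKLM:\SOFTWARE\PLACEHOLDER_PGP_KEY'  # placeholder registry key
)

function Test-EnrollmentPrereqs {
    param([string]$Server, [string]$PgpStampKey)
    $results = [ordered]@{}

    # 1. Forward DNS: the client must resolve the server name to at least one address.
    $a = Resolve-DnsName -Name $Server -Type A -ErrorAction SilentlyContinue
    $ips = @($a | Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    $results['ForwardDNS'] = $ips.Count -gt 0

    # 2. Reverse DNS: at least one address should map back to the server name.
    $results['ReverseDNS'] = $false
    foreach ($ip in $ips) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        if ($ptr.NameHost -like "$Server*") { $results['ReverseDNS'] = $true }
    }

    # 3. ICMP reachability (the article's PING check).
    $results['Ping'] = Test-Connection -ComputerName $Server -Count 2 -Quiet

    # 4. TCP 443 reachability (the article's Telnet check). Ping succeeding while
    #    this fails points at a proxy or firewall rather than routing or DNS.
    $tcp = Test-NetConnection -ComputerName $Server -Port 443 -WarningAction SilentlyContinue
    $results['Tcp443'] = [bool]$tcp.TcpTestSucceeded

    # 5. PGPSTAMP present in the registry and (assumed) naming this server.
    $stamp = (Get-ItemProperty -Path $PgpStampKey -Name PGPSTAMP -ErrorAction SilentlyContinue).PGPSTAMP
    $results['PGPSTAMP'] = [bool]$stamp -and ($stamp -match [regex]::Escape($Server))

    return [pscustomobject]$results
}

Test-EnrollmentPrereqs -Server $Server -PgpStampKey $PgpStampKey | Format-List
```

Any check reporting False is the area to investigate first; the five rows map one-to-one onto the list items above.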
If connectivity issues persist, try restarting the Symantec Encryption Management Server.
Missing registry entries, third-party software, and other conflicts may cause the Next button to remain grayed out, preventing you from continuing enrollment. See the following articles for additional troubleshooting:
Lotus Notes: Enrollment Fails if the Enrollment Message is Relayed Through an Exchange Connector.
PGP Email Proxy Fails or Next Button Grayed out during Enrollment.
PGP Enrollment Assistant Next button remains grayed out after receiving enrollment messenger.
Some environments require the use of User and Machine certificates for authentication, and some IT help desk personnel will have multiple certificates generated for them automatically for each system they log in to.
This can cause timeouts when the Symantec Encryption Management Server queries the Domain Controller to pull the user's profile.
To resolve this issue, do one of the following:
- Delete any unnecessary certificates from the user's directory profile.
- If certificate enrollment and S/MIME encryption are not being used, contact Technical Support to have the Symantec Encryption Management Server ignore the certificates through LDAP customizations.