A customized PGP Desktop client is unable to bind (enroll) with a PGP Universal Server. Binding, or enrollment, is the process of connecting a PGP Desktop client to a PGP Universal Server so that the policies and settings created on the server are synchronized to the client. A successfully bound client communicates continually with the PGP Universal Server for policy updates and key lookups. Various problems can arise if either the client or the PGP Universal Server is not configured properly.
The following errors are common indications that the client is not binding correctly:
Requires a valid Enterprise License
Unable to enroll: Bad parameters error -12000
The configuration server rejected your credentials
The next button is grayed out when enrolling with email
Unable to enroll error 10931 (Invalid Credentials)
Corrupt data (Possible proxy issues)
Item not found (Invalid ldap credentials or missing attributes in ldap directory)
Unknown error 11980
Unable to contact configuration server
Cause(s) and Resolution(s)
The following are some of the most common causes for a binding or enrollment failure and some suggestions for resolving such issues:
1. Old PGP Preferences - Once PGP Desktop has been removed from the system, delete the PGP Corporation folder located in the Application Data directory of the user's profile. Typing "Echo %appdata%" at a Command Prompt will show you this location, and typing %appdata% in the address bar of Windows Explorer will navigate directly to it. The files pgpprefs.xml and pgppolicy.xml stored in this location can conflict with enrollment.
pgpprefs.xml contains all the settings of the PGP Desktop software; a copy lingering from an older install can interfere with a clean installation and enrollment. pgppolicy.xml contains the specific policy information for PGP Desktop. Once enrollment completes successfully, new copies of both files are created with the correct information.
If you have stored your keyring files in the Application Data directory (pubring.pkr and secring.skr), you may want to move them to a different location if you intend to use them in the future.
Also, if you would like a fresh install to create new PGP Keys, you will want to delete the PGP folder in My Documents, which is the default location for PGP keyring files.
2. Incorrect DNS - Forward and reverse DNS records (A and PTR records) must be configured properly for PGP Universal to make a proper query. This means keys.domain.com resolves to an IP address and that IP address resolves back to keys.domain.com. Using nslookup from a command prompt can help verify that these records have been set correctly.
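The forward/reverse check described above, scripted so it can be run against a live server name or fed fake resolver results for testing. This is an added example, not part of the original article; keys.example.com is a placeholder for the Universal Server hostname.

```python
"""Forward/reverse DNS consistency check for a PGP Universal Server name.
Added example, not part of the article; keys.example.com is a placeholder."""
import socket
import sys


def check_dns_consistency(hostname, forward=None, reverse=None):
    """Return a list of problems (empty when A and PTR records agree).

    forward(host) returns the IPv4 addresses for host; reverse(ip) returns
    the PTR name for ip or raises OSError when there is none.  Both default
    to the system resolver, so the check can be run against a live server;
    tests inject fake resolvers instead.
    """
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    wanted = hostname.rstrip(".").lower()
    try:
        addresses = forward(hostname)
    except OSError as exc:  # gaierror/herror are OSError subclasses
        return [f"no A record for {hostname}: {exc}"]
    if not addresses:
        return [f"no A record for {hostname}"]
    problems = []
    for ip in addresses:
        try:
            ptr_name = reverse(ip)
        except OSError as exc:
            problems.append(f"no PTR record for {ip}: {exc}")
            continue
        # The PTR must name the host the client enrols against, not an alias.
        if ptr_name.rstrip(".").lower() != wanted:
            problems.append(f"PTR for {ip} is {ptr_name}, expected {hostname}")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "keys.example.com"
    issues = check_dns_consistency(host)
    print("DNS OK" if not issues else "\n".join(issues))
```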
3. No email address for user - The user entered in the Bind DN field on the PGP Universal Server for Directory Synchronization does not have an email address listed in their directory profile (for example, in Active Directory). Make sure the user you have entered in the Bind DN of the Universal Server has an email address entered in the LDAP directory. Also make sure the user you are trying to enroll has an email address entered in the LDAP directory. The PGP Universal Server queries this attribute when attempting to locate a user during enrollment, whether or not you are performing email encryption.
4. Ports are blocked - Make sure connections from the client to the server, and from the server to the LDAP directory (if enrolling with LDAP) or the email server (if enrolling with email), are not being blocked. The following ports need to be open:
Proxy server settings can interrupt enrollment communications - If a proxy server is listed in the LAN settings of Internet Explorer, PGP Desktop will attempt to use the proxy server to communicate with the PGP Universal Server, and the enrollment process can be halted.
Listing an exception in IE to bypass the proxy server for connections made to the PGP Universal Server will let PGP Desktop connect normally to the PGP Universal Server.
Note: This exception should list a FQDN instead of a WINS name. A rule on the proxy server may also need to be added to bypass the proxy server for any connections made to the PGP Universal Server.
It is also worth noting that proxy exceptions should be separated with semi-colons, not commas. PGP Desktop will not parse commas in the proxy exception list.
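An audit of an IE proxy exception string for the three problems described above (commas used as separators, a WINS name instead of the FQDN, and no entry covering the Universal Server). This is an added example, not part of the original article; keys.example.com is a placeholder for the Universal Server FQDN and the wildcard and <local> semantics are those of Internet Explorer's exception list.

```python
"""Audit an Internet Explorer proxy exception list for the problems the
article describes: comma separators, WINS-style short names, and no entry
for the PGP Universal Server.  Added example, not part of the article;
keys.example.com is a placeholder for the Universal Server FQDN."""
import fnmatch


def parse_exceptions(raw):
    """Split on semicolons only, as PGP Desktop does; commas are reported."""
    entries = [e.strip() for e in raw.split(";") if e.strip()]
    findings = [f"entry {e!r} contains commas; separate hosts with ';'"
                for e in entries if "," in e]
    return entries, findings


def bypasses_proxy(entries, fqdn):
    """True if fqdn matches an exception entry using IE's '*' wildcards."""
    fqdn = fqdn.rstrip(".").lower()
    for e in entries:
        if e == "<local>":
            continue  # <local> only covers names without a dot, never an FQDN
        if fnmatch.fnmatchcase(fqdn, e.lower()):
            return True
    return False


def audit_proxy_exceptions(raw, server_fqdn):
    """Return findings; an empty list means the server bypasses the proxy."""
    entries, findings = parse_exceptions(raw)
    for e in entries:
        # A bare WINS name never matches the FQDN PGP Desktop connects to.
        if "," not in e and "." not in e and e != "<local>":
            findings.append(f"entry {e!r} is a WINS name; use the FQDN {server_fqdn}")
    if not bypasses_proxy(entries, server_fqdn):
        findings.append(f"{server_fqdn} is not in the exception list")
    return findings


if __name__ == "__main__":
    # Constructed sample value, as typed in IE's LAN settings exception box.
    sample = "keys,mail.example.com;<local>"
    for finding in audit_proxy_exceptions(sample, "keys.example.com"):
        print(finding)
```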
5. Incorrect LDAP credentials - If using LDAP enrollment, make sure the LDAP credentials have been entered properly. Using an LDAP browser such as Softerra can confirm that you are entering the correct Bind DN under the Directory Synchronization button on the PGP Universal Server.
Bind DN is where you enter the Distinguished Name of the user account used to query the LDAP directory. It tells the PGP Universal Server which credentials to use when attempting to query the LDAP directory.
The following attributes are queried by the Universal server if Directory Synchronization is enabled:
All these attributes (except Usercertificate and binary) need to be present in the directory in order to enroll successfully.
Note: The correct Bind DN for the Universal Server can be found by querying Active Directory at the command prompt on a Windows 2003 Server. In this example, example.com is the domain and example1 is the user whose Distinguished Name (the value for the Bind DN field on the PGP Universal Server) is being looked up. After obtaining the correct Distinguished Name, an LDAP browser such as Softerra can be used to find users, attributes, and values. Use the commands below to query for the Bind DN. These commands are only applicable with Active Directory under Windows Server 2003.
dsquery user dc=example,dc=com -name example1* (If your user has a long name, the * will do a wildcard match for that user.)
dsquery user dc=example,dc=com -name "example1"
This command will return the correct Bind DN for Directory Synchronization on the PGP Universal Server.
A Base DN may also need to be entered, depending on which LDAP directory is being used. For Active Directory 2003, it is required.
6. Incorrect or Missing Managed Domain - The email address of the user should match the Managed Domain on the PGP Universal server. The domain listed on the mail attribute in the ldap directory should also be entered as a Managed Domain on the PGP Universal server if alias email addresses are being used.
Example: JoeUser@myowndomain.com should have 'myowndomain.com' listed as one of the Managed Domains under Organization/Managed Domains on the Universal Server web console.
7. Misconfigured Custom Installer.
A. When downloading the custom install for the PGP Desktop client, Auto-detect should be used if you are enrolling with ldap. Auto-detect allows the PGP Universal server to assign PGP Users into groups based on LDAP attributes according to the different PGP Desktop policies you have created on the PGP Universal Server. If attributes change for individual users, the user will automatically be placed in the correct group based on the LDAP attributes as soon as the user next contacts the PGP Universal Server.
B. If not using ldap enrollment, Preset policy should be used. This requires a specific installation file for each PGP Desktop policy specified on the PGP Universal server.
Note: Preset policies will be overridden when used with Directory Synchronization. Preset policies assign users to groups based on the policy specified in the custom installer. PGP Desktop users will stay in this policy until a new custom installer with a different group is deployed. If Directory Synchronization is used and attributes have been specified, users will be moved into their appropriate groups.
C. Email binding: If the custom install is enrolling with email, or if email encryption will be used, the correct mail server to which your client connects for email must be specified. A good rule of thumb is to copy and paste what is entered in the email client. This could be the entire FQDN of the email server or possibly just the WINS name in the case of Microsoft Exchange. Even if the PGP Desktop clients are not enrolling via email and email encryption will not be used, a mail binding still needs to be entered for enrollment to complete successfully.
8. LDAP Referrals are not supported - Make sure "Enable LDAP Referrals" is disabled on the Universal Server if your current LDAP server, such as Active Directory, does not have this functionality enabled.
Imported Document ID: TECH148941