When a user account with an SKM mode key is first added to Encryption Management Server, the User ID of the key matches the Display Name of the user as it appears in Active Directory. For example, if the user's Display Name in Active Directory is "Last, First", the User ID of their key would be "Last, First <firstname.lastname@example.org>". By default, when an email message for that user is decrypted, this User ID is included in the "Smart Annotations" within the body of the message.
However, if the user's Display Name is changed in Active Directory, the User ID of the user's key is not updated when periodic regrouping runs. Note that the user's Display Name in their Encryption Management Server account is updated by periodic regrouping.
Symantec Encryption Management Server release 3.4.2 MP2 and below.
User accounts using SKM key mode.
Entries similar to the following appear in the Groups log if the Active Directory Display Name changes from "Last, First" to "Last, Second", but only in debug mode:
2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: found stale primary user id "Last, First <email@example.com>" on key 0xFFE04D60E74EA3F6
2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: can't locate user id "Last, Second <firstname.lastname@example.org" on key 0xFFE04D60E74EA3F6
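Because the two entries above are written only while the Groups log is at debug level, an administrator on a release before 3.4.2 MP3 has to pull the affected key IDs out of that log to know which users to re-enroll. The parser below is an added example, not part of this article or of Encryption Management Server: it reads Groups log text, pairs each "found stale primary user id" entry with the "can't locate user id" entry for the same key, and returns the key IDs whose primary User ID no longer matches the Active Directory Display Name. The sample log is constructed from the two entries quoted above plus one unrelated line; the function names and the third log line are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the article's two debug-mode Groups log entries, plus one
# unrelated (made-up) INFO line so the parser is seen ignoring other entries.
SAMPLE_GROUPS_LOG = """\
2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: found stale primary user id "Last, First <email@example.com>" on key 0xFFE04D60E74EA3F6
2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: can't locate user id "Last, Second <firstname.lastname@example.org" on key 0xFFE04D60E74EA3F6
2019/01/09 17:29:35 +00:00 INFO pgp/groupd: LDAP-00000: regrouping pass finished (constructed line)
"""

# The quoted User ID is captured up to the closing double quote, so an entry whose
# User ID lacks the closing ">" (as in the second sample line) is still parsed.
STALE_RE = re.compile(
    r'found stale primary user id "(?P<uid>[^"]*)" on key (?P<key>0x[0-9A-Fa-f]+)'
)
MISSING_RE = re.compile(
    r'''can't locate user id "(?P<uid>[^"]*)" on key (?P<key>0x[0-9A-Fa-f]+)'''
)
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})"
)


def find_stale_user_ids(log_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each key ID to the User ID still on the key ("stale"), the
    Display Name-based User ID groupd looked for ("expected"), and the
    timestamp of the first entry that mentioned the key ("first_seen")."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        ts = ts_match.group("ts") if ts_match else None
        stale = STALE_RE.search(line)
        missing = MISSING_RE.search(line)
        match = stale or missing
        if match is None:
            continue  # not one of the two entries we care about
        entry = result.setdefault(
            match.group("key"), {"stale": None, "expected": None, "first_seen": None}
        )
        if entry["first_seen"] is None:
            entry["first_seen"] = ts
        if stale:
            entry["stale"] = stale.group("uid")
        else:
            entry["expected"] = missing.group("uid")
    return result


def keys_needing_reenrollment(log_text: str) -> List[str]:
    """Key IDs whose primary User ID groupd reported as stale: on releases
    before 3.4.2 MP3 these are the keys to revoke before re-enrolling the user."""
    stale_keys = find_stale_user_ids(log_text)
    return sorted(k for k, v in stale_keys.items() if v["stale"] is not None)


if __name__ == "__main__":
    for key_id, info in find_stale_user_ids(SAMPLE_GROUPS_LOG).items():
        print(f"{key_id}: key says {info['stale']!r}, AD says {info['expected']!r}"
              f" (first seen {info['first_seen']})")
    print("re-enroll:", keys_needing_reenrollment(SAMPLE_GROUPS_LOG))
```

Run it against an exported Groups log captured while debug logging was enabled; a key appears in the re-enroll list only when the "found stale primary user id" entry is present, while the "can't locate user id" entry just supplies the User ID the key should now carry. The expected User ID is returned exactly as logged, so a missing closing ">" in the log is preserved rather than repaired.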
Upgrade to Encryption Management Server 3.4.2 MP3 or above.
To work around this issue in releases prior to 3.4.2 MP3, revoke the user's key and re-enroll the user. This generates a new key with the correct User ID.