Key User IDs are not updated when Display Names change in Active Directory
Last Updated January 14, 2019
When a user account with an SKM mode key is first added to Encryption Management Server, the User ID of the key matches the Display Name of the user as it appears in Active Directory. For example, if the user's Display Name in Active Directory is "Last, First", the User ID of their key would be "Last, First <email@example.com>". By default, when an email message for that user is decrypted, this User ID is included in the "Smart Annotations" within the body of the message.
However, if the user's Display Name is later changed in Active Directory, the User ID on the user's key is not updated when periodic regrouping runs. Note that the user's Display Name in their Encryption Management Server account is updated by periodic regrouping; only the key's User ID is left stale.
Applies to Encryption Management Server release 3.3 and above, for user accounts using SKM key mode.
Entries similar to the following appear in the Groups log when the Active Directory Display Name changes from "Last, First" to "Last, Second", but only when debug logging is enabled:
2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: found stale primary user id "Last, First <firstname.lastname@example.org>" on key 0xFFE04D60E74EA3F6
2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: can't locate user id "Last, Second <email@example.com" on key 0xFFE04D60E74EA3F6
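As an added example (not Symantec's code and not part of the original article), the script below does two things an administrator auditing this problem would want: it pairs the "found stale primary user id" and "can't locate user id" debug lines per key ID so each affected key is reported with its old and expected User ID, and it independently compares an exported key-to-User-ID list against current Active Directory Display Names using the "Display Name <email>" format the article describes. The log pattern is an assumption derived from the two lines quoted above, not a documented format; the key and directory exports are constructed sample data, and the script assumes nothing about any Encryption Management Server API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Regex derived from the two groupd DEBUG lines quoted in the article. It is an
# assumption about the message shape, not a documented log format.
GROUPD_LINE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) '
    r'DEBUG pgp/groupd: LDAP-\d+: '
    r"(?P<msg>found stale primary user id|can't locate user id) "
    r'"(?P<uid>[^"]*)" on key (?P<key>0x[0-9A-Fa-f]+)$'
)


@dataclass
class StaleKey:
    key_id: str
    stale_uid: Optional[str] = None     # User ID still present on the key
    expected_uid: Optional[str] = None  # User ID groupd looked for (from the current Display Name)


def expected_user_id(display_name: str, email: str) -> str:
    """Build the User ID format the article describes: 'Display Name <email>'."""
    return f"{display_name} <{email}>"


def parse_groupd_log(lines) -> Dict[str, StaleKey]:
    """Pair the 'found stale' and 'can't locate' lines per key ID."""
    keys: Dict[str, StaleKey] = {}
    for line in lines:
        m = GROUPD_LINE.match(line.strip())
        if not m:
            continue  # not a line we recognise; ignore it
        entry = keys.setdefault(m["key"], StaleKey(m["key"]))
        if m["msg"].startswith("found stale"):
            entry.stale_uid = m["uid"]
        else:
            entry.expected_uid = m["uid"]
    return keys


# Address inside a User ID; the closing '>' is optional because the second
# quoted log line lacks it.
_EMAIL_IN_UID = re.compile(r"<([^<>]+)>?\s*$")


def find_stale_user_ids(key_uids: Dict[str, str],
                        directory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare each key's User ID with what the directory Display Name implies.

    key_uids:  key ID -> primary User ID on the key (hypothetical export)
    directory: lower-case email -> current Display Name (hypothetical AD export)
    Returns (key_id, current_uid, expected_uid) for every mismatch.
    """
    stale = []
    for key_id, uid in key_uids.items():
        m = _EMAIL_IN_UID.search(uid)
        if not m:
            continue  # no address in the UID; nothing to compare against
        display_name = directory.get(m.group(1).lower())
        if display_name is None:
            continue  # account not in the directory; out of scope here
        want = expected_user_id(display_name, m.group(1))
        if uid != want:
            stale.append((key_id, uid, want))
    return stale


# Constructed sample input: the two log lines quoted in the article plus one
# made-up line that the parser must ignore.
SAMPLE_LOG = [
    '2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: found stale primary user id '
    '"Last, First <firstname.lastname@example.org>" on key 0xFFE04D60E74EA3F6',
    '2019/01/09 17:29:34 +00:00 DEBUG pgp/groupd: LDAP-00000: can\'t locate user id '
    '"Last, Second <email@example.com" on key 0xFFE04D60E74EA3F6',
    '2019/01/09 17:29:35 +00:00 INFO pgp/groupd: (constructed filler line, not matched)',
]

# Constructed exports: key -> User ID, and email -> current AD Display Name.
SAMPLE_KEY_UIDS = {
    "0xFFE04D60E74EA3F6": "Last, First <first.last@example.com>",
    "0x0123456789ABCDEF": "Other, User <other.user@example.com>",
}
SAMPLE_DIRECTORY = {
    "first.last@example.com": "Last, Second",  # Display Name changed in AD
    "other.user@example.com": "Other, User",   # unchanged
}

if __name__ == "__main__":
    for key_id, entry in parse_groupd_log(SAMPLE_LOG).items():
        print(f"{key_id}: key UID {entry.stale_uid!r} is stale; "
              f"directory now implies {entry.expected_uid!r}")
    for key_id, have, want in find_stale_user_ids(SAMPLE_KEY_UIDS, SAMPLE_DIRECTORY):
        print(f"{key_id}: have {have!r}, expected {want!r}")
```

The log-based check only works while debug logging is on, since the article notes these lines are not written otherwise; the export-based comparison does not depend on logging and gives the list of keys that will need re-enrolment or a User ID change.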
This issue can be worked around by revoking the user's key and re-enrolling the user. This will generate a new key with the correct User ID.
To change the User ID of a key so that it matches the user's display name, please contact Symantec Technical Support.