PGP Desktop LDAP Enterprise Enrollment

8/14/2019 PGP Desktop LDAP Enterprise Enrollment

1/6

PGP Desktop LDAP Enterprise Enrol lment

This document provides a technical, experiential, and chronological overview of PGP Desktops

LDAP enterprise enrollment process. Each step of the enrollment process is highlighted in bold,

and includes a detailed explanation. If you just want an overview, you can simply read the bold

statement that begins each step or sub-step.

All paths, filenames, and other special details are offset in a contrasting font with gray text, as in

the following example:

%APPDATA%\ PGP Corpor at i on\ PGP

1. PGP Desktop is installed.Although the actual enrollment process does not technically

begin when PGP Desktop is installed, the following install-time events (1a 1b) will facilitate

various steps essential to the enrollment process, and are included for completeness:

a. A shortcut to PGPt r ay. exe is placed in the All Users startup directory.This

shortcut will cause the PGP Setup Assistant to be launched automatically after the next

Windows logon.

Following is the full path and name of this shortcut file:

%ALLUSERSPROFI LE%\ Star t Menu\ Pr ogr ams\ Star t up\ PGPt r ay. exe. l nk

Following is the full path and name of the program that will be launched after the next

Windows logon:

%PROGRAMFI LES%\ PGP Cor por at i on\ PGP Deskt op\ PGPt r ay. exe


2/6

b. A nul l-terminated st ring cal led PGPSTAMP is created in the Windows registry.The

value of PGPSTAMP comprises, among other things, the fully qualified domain name of

the PGP Universal Server from which this PGP Desktop installation will request policy.

This value is also known as PGP Desktops binding (i.e. PGP Desktop is bound to the

PGP Universal Server specified in this string).

Following is the full path and name of this null-terminated string in the registry:

HKEY_LOCAL_MACHI NE\ SOFTWARE\ PGP Cor por at i on\ PGP\ PGPSTAMP

Following is an example PGPSTAMP value. Note that ovid is the name of the PGP

Universal Server to which PGP Desktop is bound. So in this example, PGP Desktop is

bound to the keys . exampl e. comPGP Universal Server:

ovi d=keys. exampl e. com&mai l =mai l - 01&admi n=1

2. The computer is rebooted.This is a necessary step because after installation PGP Desktop

cannot be used until the computer is rebooted.

3. The user logs on to Windows and PGPtray.exe is executed. The following noteworthy

events (3a 3c) occur during this step:

a. PGP Desktop synchronizes with its PGP Universal Server.During this brief step,

PGP Desktop announces its protocol version and asks PGP Universal Server for theenrollment type (email or LDAP) by sending a Get Capabi l i t i esRequest message.

The server responds with the enrollment type and the connection is closed. This, and all

other client-server communication during enrollment, occurs via SOAP over HTTPS on

port 443.

b. If configured, the PGP Desktop padlock appears in the system tray.This event

depends on whether the option Show PGP Desktop in system tray/menu was enabled

in the user policy for this PGP Desktop installer. Following is a screenshot of the padlock

icon as it appears in the Windows system tray:

c. The PGP Setup Assistant launches.When the enrollment type is LDAP, the user is first

prompted for their domain authentication credentials (as in the following screenshot):


3/6

4. The user authenticates.This step consists of the user typing his or her domain user name

and password in the appropriate fields and clicking the Next > button, after which the

following noteworthy events (4a 4c) occur:

a. PGP Desktop sends the users credentials to its PGP Universal Server.During this

step, PGP Desktop also announces its version number (e.g. 9. 5. 3. 5003) to PGP

Universal Server, and displays the following dialog on top of the PGP Setup Assistant:


4/6

b. PGP Universal Server verifies the users credentials.To accomplish this task, PGP

Universal Server authenticates to the LDAP directory as the enrolling user. This process

is described in detail below.

PGP Universal Server first binds to the LDAP directory using the credentials specified in

its Directory Synchronization settings (Policy > Internal User Policy), then requests the

value of the distinguished name attribute ( dn) for the enrolling user. Depending on how

Directory Synchronization is configured, this query is accompanied with a filter for either

Active Directory or OpenLDAP (RFC 1274) directories. Following are examples of

these filters, where pgpuser is the user name provided by the enrolling user:

Active Directory filter: ( sAMAccount Name=pgpuser )

OpenLDAP (RFC 1274) filter: ( ui d=pgpuser )

The directory server then responds with the value of the users dn attribute, which

typically looks something like this example:

CN=pgpuser , CN=User s, DC=exampl e, DC=com

PGP Universal Server closes the connection to the LDAP directory, then initiates a new

connection and binds with the distinguished name and password of the enrolling user.

When this is successful, PGP Universal Server once again closes the connection to the

LDAP directory and the user is considered authenticated.

c. PGP Universal Server assigns the user to an internal user policy.In order to

complete this step, PGP Universal Server must gather more information about the

enrolling user from the LDAP directory. As a result, PGP Universal Server queries the

LDAP directory for the values of the following attributes:

mai l

proxyAddr esses (Active Directory only)

cn

samAccount Name (Active Directory only)

After querying for the above attributes, PGP Universal Server will query for any custom

attributes specified by the administrator in the internal user policies.


5/6

NOTE: If custom attributes have been specified, the user will be assigned to the first

internal user policy for which they have a matching attribute/value. As a result, PGP

Universal Server administrators should use unique attributes/values such that users

cannot match more than one internal user policy.

Finally, PGP Universal Server queries for the following attribute:

user Cert i f i cat e; bi nary

If a verified X.509 certificate is returned by this query, PGP Universal Server imports it as

the users key. This will place the user in client key mode (CKM) because PGP Universal

Server will only have a public key for the user.

At this point, PGP Universal Server updates the i nt ernal _user table in its databasewith the information gathered in this step. The user is now allowed to continue the PGP

Setup Assistant. Note that, in its entirety, step four takes approximately two seconds.

5. The user is allowed to complete the PGP Setup Assistant. The remaining steps will vary

based on the internal user policy settings configured by the PGP Universal Server

administrator.

Below is a summarized list of the requirements for successful LDAP enrollment with PGP

Desktop.

Required Attributes

The following directory attributes must be defined, and have a value, in order for LDAP enrollment

with PGP Desktop to be successful. Note that Microsoft Active Directory 2000/2003 with

Exchange Server will have all required attributes, while other directory/mail server combinations

may not.

ui d or samAccount Name (interchangeable)

dn (this will exist if the user exists)

mai l or proxyAddr esses (interchangeable)

cn (for the users display name in PGP Universal Server)

Optional Attributes

Any custom attributes specified in internal user policies.


6/6

user Cert i f i cat e; bi nary

Password Requirement

The enrolling user cannot have a null password in the directory. This is a security feature of PGP

Desktop, and allows PGP Universal Server to verify the users authentication credentials as a partof the enrollment process.

Documents

PGP Desktop LDAP Enterprise Enrollment