HOWTO: Configure PGP Invisible Silent Enrollment
|Article:HOWTO77014|||||Created: 2012-05-14|||||Updated: 2013-02-13|||||Article URL http://www.symantec.com/docs/HOWTO77014|
HOWTO: Configure PGP Invisible Silent Enrollment (aka Super Silent Enrollment)
PGP Desktop Invisible Silent Enrollment eliminates the typical enrollment screens PGP Desktop users would see during the enrollment process. Once a user logs in to the system, no screens are displayed and all the enrollment processes are handled in the background such as User creation, drive encryption, sending of recovery tokens to the Universal Server etc.
Note: Certain features, such as Smartcards/Tokens/PIV cards, Key Reconstruction for Keys or Local Self Recovery for Whole Disk can trigger additional screens for the user.
*Invisible Silent Enrollment applies only to LDAP Enrollment to a PGP Universal Server.
*Email Enrollment does work with Invisible Silent Enrollment.
*Invisible Silent Enrollment has also been informally referred to as Super Silent Enrollment.
*Invisible Silent Enrollment is only supported on Windows operating systems.
*LDAP enrollment must be enabled on the PGP Universal Server.
*Silent Enrollment must be checked in the consumer policy.
*Requires SKM Key Mode to be selected in the policy.
*Microsoft Active Directory Domain must be used because a call to a Microsoft specific NetGetAnyDCName is made in order to manage authentication of the user on the Domain Controller.
*A Domain User account must be used to enroll.
*A Domain Controller must be available for the Domain User authentication. If the Domain Controller is not available when the user logs in, Invisible Silent Enrollment will fail silently. If the system is not joined to a domain, this will also cause Invisible Silent Enrollment to fail, because it is not able to complete the calls it makes to find a Domain Controller.
*The PGPSTAMP must be set to use a host name and not an IP address.
*The PGP Stamp is located in HKLM\Software\PGP Corporation\PGP for Windows 32-bit
*The PGP Stamp is located in HKLM\Software\Wow6432Node\PGP Corporation\PGP for Windows 64-bit
*The PGPStamp is built in to the Customized PGP Desktop client when downloaded from the PGP Universal Server. Upon creating this customized client, ensure the proper FQDN of the Universal Server is displayed—this is important.
Important: Use “Auto Detect” when downloading the PGP Desktop customized option instead of Preset Policy. The use of Preset Policy was only intended for non-LDAP enrollment scenarios.
*The PGP Org Key must match the domain name of the FQDN for PGP Universal Server in the PGPStamp.
*If using keys.example.com for the PGPStamp, but global.com for the domain of the Org Key, this will cause enrollment to fail.
*If using keys.example.local for the PGPStamp, and example.com for the Org Key, this will cause enrollment to fail.
*If the PGPStamp lists keys.example.com, and the Org Key is only for example.local, this will fail.
*If the PGPStamp lists the IP address of the Universal Server, this will cause enrollment to fail.
*If using keys.example.com for the domain, and example.com for the Org Key, this will allow enrollment to complete successfully.
*The PGPDesktop.msi installer file must be installed to using the following msi switch:
msiexec /i C:\PGPDesktop.msi PGP_INSTALL_DISABLESSOENROLL=0
*MSI editors, such as Orca can also be used to ensure the option is included during the install. For information on modifying the PGP msi with Orca, scroll to the bottom of this article.
About Forcing Separate LDAP Authentication
Note: PGP Desktop will still use the Windows credentials automatically; the LDAP credentials are only used for authentication to PGP Universal Server. When using PGP_SILENT_FORCE_LDAP=1, the PGPsso.dat file is still created whenever PGP_INSTALL_DISABLESSOENROLL is set to “0”, however, the file is not used.
Troubleshooting Invisible Silent Enrollment Failures
Invisible Silent Enrollment was only intended to be used during the logon process. If re-enrollment is needed, remove the %appdata%\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml files. Then logoff the system, and log back on. This will trigger re-enrollment of the system.
If the user is not able to authenticate to PGP Universal Server correctly, nothing will happen to notify the user. Consult the PGPssoLog.txt file to look for information on why the failure may be occurring. The PGPsso.log file is located in the Windows Temp directory - typically C:\Windows\Temp) and examine the log to identify the problem.
The following msi switches will cause Invisible Silent Enrollment to fail:
PGP_NO_USERNAME=1 – This value creates the value DisableUsernamePrepopulation=1 in HKLM/Software/PGP Corporation/PGP or for 64-bit systems, HKLM\Software\Wow6432Node\PGP Corporation\PGP. Having this value prevents a username from being pre-populated in the enrollment field, and thus causes Invisible Silent Enrollment to fail.
PGP_INSTALL_SSO=0 – This disables the credential manager and the password will not be captured.
PGP_SILENT_FORCE_LDAP=1 – This option forces the enrollment prompt to appear reversing the effect of PGP_INSTALL_DISABLESSOENROLL set to “0”
If using Smartcards/Tokens/PIV Cards are used for Whole Disk or other PGP features, users will be prompted to enter PINs where applicable. Although this will not necessarily cause enrollment to fail, this is by design. Since drives are encrypted to the keys on the Smartcards/Tokens/PIV Cards, the PIN is what is used to authenticate/decrypt.
Check %allusersprofile%\PGP Corporation\PGP for the PGPtrustedcerts.asc file or the orgkey.asc file. If the orgkey.asc file is not present, Invisible Silent Enrollment will fail. If the Organization Key is included in the PGPtrustedcerts.asc file, then this is sufficient for Invisible Silent Enrollment to complete successfully.
If the PGP WDE policy on PGP Universal Server is set to Deny SSO, the user will be displayed an error dialog during disk encryption. Make sure PGP WDE policy either allows or requires SSO.
Editing PGPDesktop.msi with Orca
Orca can also be used to modify the installer itself to include this option.
With PGP Desktop 10.2, to modify the correct setting, open the PGPDesktop.msi file with Orca, then under the Tables Column in Orca, click on Property. In the right-pane, find the “PGP_INSTALL_DISABLESSOENROLL” value, and set to “0”. Default Value should be “-1”.
Save the changes to the .msi file and test.
Article URL http://www.symantec.com/docs/HOWTO77014