Lockout Assistance Request with Symantec Endpoint Encryption Full Disk.

Article:TECH187471  |  Created: 2012-04-26  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH187471
Article Type
Technical Solution

Product(s)

Issue



You see an "Access Denied" dialog box before the Pre-boot Authentication (PBA) screen when you start your machine.


Error



Error : Access Denied


Environment



Symantec Endpoint Encryption Full Disk v 8.2.x


Cause



SEE Full Disk offers two tools to help you regain access to your computer, should you forget your credentials or get locked out. If you get locked out of your computer because it has failed to communicate with the Symantec Endpoint Encryption Management Server, your administrator may have made One-Time Password available to you.

If you forget your password, PIN, or token, your administrator may have provided you with Authenti-Check and/or One-Time Password.

These tools are also available in the event that you receive a new token or the certificate on your token is changed. If you were not provided these tools or they fail to work, you can always contact your Client Administrator.


Solution



Lockout Assistance Request
 
If your computer is locked, the Startup screen will not be displayed after you power on. Instead, you will see an "Access Denied" dialog.

If you believe you may have been provided with the OTP Communication Unlock feature, click HelpDesk Assisted Unlock. The Account Information dialog appears.

Type your user name in the User name field and select your domain or local computer name from the Domain drop-down list. Click OK. If you do not have the feature available, you will be notified. Contact your Client Administrator. If you do have the feature available, refer to “One-Time Password”.

Logon Assistance Request
 
Basics
After clicking Logon Assistance from either the password or the token logon, one of the following will occur: you will be advised that neither Authenti-Check nor One-Time Password is available (contact your Client Administrator), or a customizable message will be displayed.
 
Logon Assistance Features Available
 
If one or more logon assistance features have been provided, the following window will be displayed.

The text within this window is customized by your administrator. It should provide you with instructions as to how to contact the help desk.
 
Authenti-Check
 
Basics
Logon assistance will begin with Authenti-Check, if you have Authenti-Check available. If the Authenti-Check window does not display, skip to “One-Time Password”.
 
Prompts
 
Authenti-Check will begin by asking you for the answers to the questions that you pre-established.


In each box that appears below a question, type the correct answer. Make sure that you enter the answer exactly as you entered it when you defined it. Note that punctuation matters. The answers are not case-sensitive. If an Authenti-Check answer is long (up to 99 characters may be allowed by policy), the characters that you type at the beginning of the answer may move out of view as you continue to type. You can press the arrow keys or HOME and END keys to scroll through your answer, or you can use SHIFT in combination with arrow keys to select text.

If you need to delete some or all of the text of a long answer, use one of the methods below to ensure that the non-visible characters are deleted: To delete the entire answer, press END, then SHIFT+HOME. All text becomes highlighted. Press DELETE.

To delete part of the answer, use an arrow key to move to the right of the characters in question, then press BACKSPACE until all of the characters that you intended to delete are removed. You could also move to the left of the characters, then press DELETE. Replace any deleted text with correct information, as appropriate.

Once you have entered your answers, click Next. Go to the appropriate section:
 
 “Success, Token-Only User”
 “Success, User with Symantec Endpoint Encryption Password, SSO Enabled”
 “Success, User with Symantec Endpoint Encryption Password, SSO Not Enabled”
 “Failure, OTP Not Enabled”
 “Failure, OTP Enabled”

Success, Token-Only User
If the Authenti-Check process ends successfully and SSO is enabled, Windows will proceed to load. If SSO is not enabled, you are prompted to authenticate to Windows. Once Windows loads, you should take one of the following actions:

If you have forgotten your PIN, contact the appropriate administrator. If you have forgotten your token or have a new token, the User Client Console will launch automatically once Windows loads. If you have a new token, use Authenti-Check to gain access to the User Client Console. Open the Token panel. Follow the instructions displayed on the Token panel.

Success, User with Symantec Endpoint Encryption Password, SSO Enabled
If you have a Symantec Endpoint Encryption password, the Authenti-Check process ends successfully, and SSO is enabled, a logon assistance success message is displayed.

You should be prompted to change your Windows password before gaining access to Windows. The prompt will vary slightly, depending on the version of Windows you are using and whether or not you are using Novell. Enter your new password into the New password field. Type your password again, in the Confirm password field. Press ENTER. If your password is not valid, Windows displays an error message. Correct your information and press ENTER again.

If your password satisfies all Windows password requirements and if the new password and confirmed password match, your Windows password is changed and you gain access to Windows. The next time you log on in pre-Windows, use the new password. If your Windows account is new or you changed your Windows password quite recently, Windows may stop you from changing your password again because of a minimum password-age restriction.

If this happens, call your help desk. Your system administrator will need to reset your Windows password. If you are a domain user and are not connected to your network, you will not be prompted to change your password. Contact the appropriate administrator to regain your network access.

Success, User with Symantec Endpoint Encryption Password, SSO Not Enabled
If you have a Symantec Endpoint Encryption password, the Authenti-Check process ends successfully, and SSO is not enabled, the Symantec Endpoint Encryption Password Change dialog appears.

Enter a new password in the New password box. Follow any requirements shown on the dialog box for Password length, Symbols allowed, and Include at least. Symbols allowed identifies which of the non-alphanumeric characters on your keyboard may be included in the password.

Include at least displays the number of required symbols, uppercase letters, lowercase letters, and/or digits that your password must contain, if any. Type your new password again, in the Confirm new password box. Click Finish. Your password is submitted.
 

When creating your password, only enter characters that can be typed from the keyboard. Using alternate input methods—such as typing from the ALT+numeric keypad—may create characters that you will not be able to enter in the pre-Windows environment. If you have questions about keyboard use, please ask your Client Administrator.

If the password meets the requirements and the confirmation matches, a Password Change success message appears.

Click OK to dismiss the message. Once your password is changed, Windows loads. If your password is not valid, an error message appears. Re-enter the information and click Finish again.

Failure, OTP Not Enabled
If your Authenti-Check answers are not correct, a message box appears with an error message and instructions on what to do next.

Your instructions may differ from the instructions shown in Figure 4.8 if your Policy Administrator customized them. Click OK. You return to the password Logon screen (Figure 3.4). Call your Client Administrator for help.
 

 



