Access Denied notifications appear when using Smartcards, PIV cards, or Tokens with Symantec FileShare Encryption

Article:TECH203564  |  Created: 2013-03-06  |  Updated: 2013-03-06  |  Article URL http://www.symantec.com/docs/TECH203564
Article Type: Technical Solution


Issue



Symantec FileShare Encryption (formerly known as PGP NetShare Encryption) allows the use of Smartcards, PIV cards, or Tokens with the appropriate encryption keys included on the devices.  When a user accesses a file/folder that has been encrypted with Symantec FileShare Encryption and fails to enter his/her PIN/passphrase during the initial authentication, an "Access Denied" error will appear.  Upon subsequent attempts to access this share, the Access Denied error will continue to appear for that Windows session unless the user chooses "Unlock" from the FileShare Encryption properties tab, which is a manual process.

 

In order to be prompted for the PIN/passphrase again, the user would need to log out of Windows and log back in, or go to the properties of the encrypted file/folder, click on the FileShare tab, and click "Unlock" to enter the PIN/passphrase again.

 


Cause



This behavior is by design and operates in this manner under default conditions.

 


Solution



It is possible to configure a preference on the Symantec Encryption Management Server (SEMS) that prevents the "Access Denied" notification from persisting for the rest of the Windows session.

 

Once this preference has been configured, and 20 seconds have elapsed after access was denied, the user will be prompted for the PIN/passphrase again and can simply re-enter it to access the encrypted file/folder.

 

In other words, if the user fails to enter his/her PIN/passphrase for the Smartcard, PIV card, or token the first time, waiting 20 seconds and accessing the share again will cause Symantec FileShare Encryption to prompt the user again and will not produce the "Access Denied" popup once the correct PIN/passphrase has been entered.

 

 

Configuring the Preference

 

1. Log in to SEMS and go to the policy the user is managed by.
2. Go to General and click the "Edit Preferences" button.
3. Choose "Set" and for the pref name, enter:


trayResetNetshareSkipListOnTokenInsertion

4. For the Type, enter:


Boolean

5. For the value, enter:


true

6. Save these settings and then update policy on the client-side and re-test.

7. Access the share and fail to enter the PIN/passphrase properly; the "Access Denied" error should be displayed.

8. Wait 20 seconds and access the share again. You will then be prompted for the PIN without needing to use the "Unlock" feature on the FileShare tab of the file/folder properties.

 


Supplemental Materials

Source: ETrack
Value: 2935438

