
PGP Universal Server 3.2 Defaults to "Detailed Authentication" for WDE

Created: 03 Aug 2011 | 8 comments

This is not a good thing.  If something is going to change I'd like to be aware of it in advance.  Having never set a username up I wasn't sure what it was looking for.  Just so you know, it's case sensitive on usernames.  There is also the issue of the administrative UI not working on IE.  Very frustrated with this release so far.

Derek


PGP_Ben's picture

In our release notes it states that users will now have the option to log in with username AND password AND domain at bootguard.

http://www.symantec.com/business/support/index?page=content&id=DOC4562&actp=search&viewlocale=en_US&searchid=1312486714315

What issue with the administrative UI not working in IE? What version of IE are you using? I'm using IE8 and IE9 and they both work for me.

Thanks

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Derek Tonkin's picture

That's all well and good.  I knew that the feature had been added but I didn't know that it would be turned on by default.  Generally speaking I would expect that major changes to the authentication method would be opt-in, not opt-out.  Furthermore, by defaulting to "on", it locked me out of my own machine where I upgraded the client.  When I restarted I was prompted for a username which I had not set up and was only offered the local machine as a domain even though I was connected to the network.  Only after using a recovery token to log in and going through the steps to reset the passphrase was I prompted to associate a username with my passphrase.  Then after restarting I was able to select our domain finally and log in.  So if you upgrade a system, create a new client installer, use it to upgrade a client and restart you cannot log in without a WDRT.  That's bad enough but the same thing happened on the system that I updated using the push notification, that's really bad.  If I'd deployed this I would have bricked over 1000 computers and probably had my employment in jeopardy.  The release notes need to specifically state "This new functionality is on by default and will change the way users authenticate to their machines".

With regards to IE, when I try to pull up a WDRT in IE 9 the pop-up that opens is at the login screen and entering my credentials only brings up the frontpage of the admin.  I've already submitted a ticket for this and had it acknowledged as an issue.

dbrowning's picture

I am getting the same issue with Firefox 5.  But if I use IE 6 (I know, way outdated, but needed for us) it works fine.

PGP_Ben's picture

We have seen these issues on other clients after the upgrade. The solution is usually to close out all browser windows after updating your server and then clear out your cookies and internet cache and then log in to the server again. This has to do with a cookie and authentication token that was cached.


jadls's picture

Where can I download the Universal Server 3.2?

I tried https://fileconnect.symantec.com/dispatch but it is not available.

Your help is greatly appreciated.

Tom Mc's picture

This PDF should help with the download process.


Sarah Mays's picture

I see Derek's point... this could cause a problem when deploying the server update in production. Can administrators be 'fast' enough to disable this feature so no end users get locked out?

I'm thinking there needs to be a change in how PGP implements new features, and when upgrading consumer policies it needs to make the default behaviors the 'old' way. Then let the administrators change that feature at will.

Considering the only control we have is to turn off services immediately after upgrading, in those milliseconds it takes to navigate to that page to stop all services, clients could receive the policy update before we have the time to correct this configuration error.

PGP_Ben's picture

I will provide feedback to engineering that this option needs to be disabled by default. But, in the end, support is left with whatever the software's default behavior is. I agree with Sarah's point as well. Which is why I will be submitting that feedback.

Just so that we are all on the same page and for others reading this forum article. You can disable the "advanced authentication mechanism" with PGP Bootguard through your Consumer Policies on the PGP Universal Server by clicking on the policy that you wish to edit. Then going to PGP Desktop options. Then to the "Disk Encryption" tab. Look for the section titled: WDE BootGuard Customization. There are your options for enabling simple authentication (like it was in previous 10.x versions).  The default is to have advanced authentication enabled.

I will be filing a bug report to request that the simple authentication method be chosen by default.
