
Single Sign-On and Forgot Passphrase

Created: 18 Nov 2013 | 2 comments

I am currently testing out Symantec Encryption Desktop 10.3.1 with Symantec Encryption Server 3.3.1. I have created a specific Symantec Drive Encryption policy on the server and have downloaded the client with that policy embedded in it. I have installed the downloaded client on a single Dell XPS laptop that is in a workgroup (not a part of any domain). I have the disk encrypted with a single user, single sign-on enabled, and security recovery questions configured.

When I click "forgot passphrase" at the BootGuard screen, I enter the answers to the security questions and the PC starts and goes straight to the Windows log-in screen. My question is how can the user log on to Windows if they have truly forgotten their password? Shouldn't single sign-on still work and take the user straight into Windows so that the user can reset their password? Is this a limitation of Symantec Drive Encryption and Single Sign-On or is there something wrong with my configuration?



Alex_CST:

This isn't a fault with your configuration, it's the way it's supposed to work. The security questions get you past the BootGuard authentication, nothing more. It's not down to the product to do anything more. SSO is a way of making login easier, but the questions are for BootGuard only.

You can just log in as an administrator or, if you're tech savvy, just use chntpw on a Linux live CD/USB or ntpasswd.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

vaibhav_jain1:

Your configuration is correct.

SSO will not work if the user authenticates at the BG using WDRT/admin passphrase or LSR.

This is because PGP does not store the user passphrase in encrypted or cleartext form on the machine, which might be considered a security risk by many.

PGP will pass on the credentials to login to Windows using SSO only when the password is provided by the user.

Changing/resetting the Windows password is solely the responsibility of the AD admin or the user (in the case of an unmanaged environment). Once you reset the Windows password, PGP will sync it for you so that you can again authenticate at the BG using the same.