
SSO and AD synchronization

Created: 26 Aug 2014 | 5 comments

So I have an issue with users changing Active Directory passwords outside of the normal process, and PGP Desktop is not syncing the AD password unless the user logs out of the PC. This approach seems flawed to me, as users usually shut down their PCs and don't typically log off; thus they don't know the password has not synced, and they begin locking themselves out.

Is there a way to force Encryption Desktop to sync the password through the command line? I found an article on the website that allows me to change the password through the command line using PGPwde.exe; however, I don't want the password changed, I just want it to sync with the current AD password.


Comments

Chetan Savade:

Hi,

We always recommend changing the password using Ctrl + Alt + Del.

If you change your password in any other manner—via Domain Controller, the Windows Control Panel, via the system administrator, or from another system—your next login attempt on the PGP BootGuard screen will fail. You must then supply your old Windows password. Successful login on the PGP BootGuard screen using your old Windows password then brings up the Windows Login username/password screen. You must then log in successfully using your new Windows password, at which time PGP WDE will synchronize with the new password.

You will have to educate the users if possible.

Refer to these articles:

Changing Your Windows Password with PGP WDE With Single Sign-On

http://www.symantec.com/docs/HOWTO79569

How to change/update the SSO passphrase over the PGP WDE command line, if it has not synched with the PGP Bootguard.

http://www.symantec.com/docs/TECH149263

 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Abaddon1979:

I understand that and had stated so in my post. That is what I am trying to get around because the current setup provides poor value for customers and significantly increases support costs for our organization.

From what you are saying, the password never syncs by itself and requires input from the user? I had been in talks with tech support before on this issue, and they had informed me the password will sync when the user logs off and does not require the user to log back in to sync.

Please also verify that there is no other way of syncing besides these two options.

Chetan Savade:

Yes, input is required from the user, and I haven't seen any other way to achieve it. BootGuard loads before the network driver does.

You can raise the product enhancement request here: https://www-secure.symantec.com/connect/security/ideas


Mike Ankeny:

Per your original query, there is no PGPwde command that will force a sync; it can only change the passphrase.

Synchronization of passphrases will only reliably occur when the user logs into the system using the new passphrase. When a user changes their Windows password using the ctrl+alt+delete method, Windows effectively logs them back into the system with those new credentials immediately after the change, which syncs the PGP passphrase with the Windows password. That is what makes this the preferred method.

The synchronization process hooks into that login process. It will not reliably (if ever) occur with any other method of credential change. I would suggest either having the users use the ctrl+alt+delete method for changing passphrases, educating them on having to log in through BootGuard once using their old passphrase, or adding a logout/login to your current process for changing the Windows password. Any of these will require some user education, so the second option is most likely the simplest.

Alex_CST:

I suggest reducing the heartbeat interval to a much shorter timeframe. If you have a small number of clients, there will be no real network impact.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com