Troubleshooting: Symantec Drive Encryption Single Sign-On
search cancel

Troubleshooting: Symantec Drive Encryption Single Sign-On

book

Article ID: 153490

calendar_today

Updated On:

Products

File Share Encryption Gateway Email Encryption Policy Based Encryption Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

This article details general troubleshooting steps when using the Single Sign-On (SSO) feature of Symantec Drive Encryption.

In order for the Windows password to synchronize with Symantec Drive Encryption automatically, use CTRL+ALT+DEL.  If you change the passphrase outside of CTRL+ALT+DEL, it will be necessary to use the old passphrase at preboot one time, and upon logging in with the new passphrase, synchronization will occur.  For more information on how to change the passphrase, see the following article:

181178 - Changing Your Windows Password with Symantec Drive Encryption 10.4 or Symantec Endpoint Encryption 11 Single Sign-On


Symantec Endpoint Encryption 11 synchronization issues are typically encountered during user registration.  For information on how to troubleshoot user registration issues for SEE 11, see the following article:

163588 - Troubleshooting: User Registration and Single Sign-on with Symantec Endpoint Encryption

Cause

SSO issues can be caused by the following:

  • PGP Network Provider Order Connection
  • Group Policy for Windows Logon Setting
  • Interactive Logon: Do Not require CTRL+ALT+DEL
  • Intel PROSet Wireless utility causing Null user authentication issues
  • USB Disk or SD card inserted
  • Compression of the file system (using Windows File Compression)
  • PGPWDE01 file permission 

Resolution

You can verify that you are using an SSO user account for authentication by checking the registry where the MSI options supplied at installation.  Information on this topic can be reviewed in the following article:

171110 - Disabling Encryption Desktop functionality using msiexec switches

 

When validating the registry options make sure that the PGP_INSTALL_SSO option is set to 1 indicating that the driver is installed.

See the following example:

Also you will notice the user in the Symantec Drive Encryption user list under PGP Disk > Encrypt a disk or partition after selecting the boot drive.

The Single Sign-On (SSO) feature allows you to use your existing Windows passphrase for authentication to your Symantec Encrypted drive and automatically log you into Windows.

The Single Sign-On feature utilizes one of the methods Microsoft Windows provides for customizing the Windows login experience. Drive Encryption uses your configured authentication information to dynamically create specific registry entries when you attempt to log in.

Use the following steps to troubleshoot Single Sign-On:

Validate that the user is a SSO user using the pgpwde command line tool.

  1. Open up a Windows Command Prompt.
  2. Change to the correct Program Files directory for the operating system.

    For 32-bit Operating Systems:

    Type in cd C:\Program Files\PGP Corporation\PGP Desktop\

    For 64-bit Operating Systems:

    Type in cd C:\Program Files \PGP Corporation\PGP Desktop\
     
  3. Verify the user by using the pgpwde --list-users command:
    pgpwde --list-users --disk 0
     
  4. You should see something similar to this.
     


 

Solution 1: Windows 10 Upgrades

If systems installed with Symantec Drive Encryption have recently performed a major upgrade of Windows 10, the password filter can sometimes get unregistered causing passphrase synchronization to fail.  To avoid this issue, a post upgrade script can be used so that after Windows has successfully been upgraded, the password filter can be re-registered.  The following articles can help with Automatic Windows Upgrades:

179262 - How to automatically upgrade Windows 10/11 systems encrypted with Symantec Encryption Desktop 10 (PGP Desktop)

179265 - How to automatically upgrade Windows 10/11 systems encrypted with Symantec Endpoint Encryption 11.x (SEE)

 

Solution 2: Confirm Network Provider List Order for PGP Password Filter

In some cases, other third party Network provider connections may interfere with the Single Sign-On feature.  Try moving the PGP Network Provider connection above other third-party connections in the Network Provider Order. Use the steps below for your operating system.

Windows Vista & Windows 7 & Windows 8 & Windows 10

  1. Click Start > Network.
  2. Select Network and Sharing Center.
  3. From the Tasks panel, click Manage network connections.
  4. Highlight your Local Area Connection.
  5. Click Advanced > Advanced Settings. (If the Advanced menu is not displayed, press ALT and the Advanced menu bar appears. Windows Vista may prompt you for your permission to continue.)
  6. Select the Provider Order tab.
  7. Click the entry PGPpwflt.
  8. Click the up arrow to move PGP above any other third-party connections.
  9. Click OK to apply the settings.

An alternative method is to check the values contained in the ProviderOrder key in these registry locations:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

A typical value for ProviderOrder on a freshly installed machine is as follows. If there are additional entries made by third party applications, it may be worthwhile moving PGPwflt so it is listed before such third party entries:

RDPNP,LanmanWorkstation,webclient,PGPpwflt

TIP: Starting with Windows 10, you can now copy/paste a registry location in the address so you do not have to click your way down to the registry keys.

Network Connections

  1. At the Run field (Windows + R), type: control netconnections
  2. Once Network Connections appears, press the Alt key to display the drop-down menu.
  3. Click the Advanced menu and then select Advanced Settings.
  4. Click the Provider Order tab.
  5. Under Network Providers, select the PGPpwflt entry, and click the Up arrow to move the PGP connection above any other third-party connections in the list.
  6. Click OK to apply the changes.
     

Note: The Provider Order can also be updated on multiple computers by creating a script which updates a PGP Windows Registry value. To use a script to update the value, modify the PGP_SET_HWORDER value from 0 to 1. The PGP_SET_HWORDER value is located in HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP folder (32-bit systems) and KEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PGP Corporation\PGP folder (64-bit systems).


Solution 3: Group Policy for Windows Logon Setting

The PGP WDE Single Sign-On feature can be affected by a Logon setting within a group policy for the computer. Check if enabling the Always wait for the network at computer startup and logon setting in the Logon folder of the Group Policy corrects any SSO issues.

Interactive logon: Do not require CTRL+ALT+DEL
Check if any security settings requiring the user to press CTRL+ALT+DEL before logging on to the system affect the Single Sign-On feature.

Solution 4: SyncSSO.exe

Symantec Encryption has a utility that will allow you to synchronize your password to preboot immediately, even if CTRL+ALT+DEL was not used to change the passphrase.  When the utility is ran, the user enters the current password, and then enters the new password and clicks "OK".  The next reboot, the passphrase will be synchronized.  For more information on this utility, contact Symantec Support.  This utility exists for both Windows 7 and Windows 10.

Solution 5: Intel PROSet/Wireless Software

In some cases, the Single Sign-On password may not synchronize properly due to an incompatibility with certain versions of the Intel PROSet/Wireless software. For Dell computers using version 11.5 of the Intel PROSet/Wireless software, this issue is solved by upgrading the software to version 12 or higher or by uninstalling the software.


Solution 6: USB disk or SD card

If a USB thumb drive or SD card is inserted, a conflict may occur if the USB or SD disk is detected as Disk 0 on the system. Confirm the Windows system disk is Disk 0 in Disk Management. If the USB or SD disk displays as Disk 0, remove the disk, reboot the computer, and then change the Windows password.


Solution 7: Check PGPWDE01 file permissions (only valid with versions 10.1.1 and older)

If the SSO feature fails after changing your Windows password, check the permissions for the PGPWDE01 file located in the root of the C: drive. The Authenticated Users group needs to have Modify permissions for the PGPWDE01 file. If necessary, modify the permissions for the file, logging off and logging back on to Windows will cause the PGP Tray to update the PGPWDE01 file. This may not be possible to view certain permission from the file properties window on more recent versions of the product. File compression on these files could also cause similar issues where we are unable to write back to the file due to known driver limitations.

To check the PGPWDE01 permissions

  1. Open Windows Explorer by pressing Windows + E.

    Note: For Windows Vista & Windows 7, if the Advanced menu is not displayed in Windows Explorer, press ALT to display the Advanced menu. Windows Vista/Windows 7 may prompt you for your permission to continue.
     
  2. Click Tools then select Folder Options.
  3. Click the View tab.
  4. Scroll down and remove the checkmark next to Hide protected operating system files (Recommended).
  5. Click Yes when prompted with the warning then click OK to apply the change.
  6. Browse to the C: drive and locate the PGPWDE01 file.
  7. Right-click the PGPWDE01 file and select Properties.
  8. Click the Security tab and add Authenticated Users with Modify permissions if needed.


Solution 8: Troubleshooting Microsoft Accounts

For more information on troubleshooting Single Sign-On when Microsoft Accounts are in use, see the following article:

159199 - Microsoft Online accounts do not sync password changes with Symantec Drive Encryption Single-Sign-On (SSO) passphrase

 

 

 

Additional Information

ISFR-1459