Client behavior using Authenti-Check, One-Time Password (OTP), and Single Sign On (SSO) off of the Domain

Article ID: 151431


Products

Endpoint Encryption

Issue/Introduction

What is the behavior of a client using Authenti-Check and SSO off the network to reset a password? What is the behavior of a client using OTP and SSO off the network to reset a password?

Resolution

Once authenticated with either method, the behavior is identical.

These answers apply only when SSO is enabled, both with and without local accounts. If SSO is enabled and the password-recovery process ends successfully, then the correct Authenti-Check answers have been entered, or the OTP response key has been entered correctly, and has been given to Windows. The Symantec Endpoint Encryption-Full Disk password does not need to be reset, since it is synchronized completely to your Windows password.

If this is a computer that is routinely off of the Domain, it is expected that the user will have a local account with administrator rights to the computer (or access to one).

At this time, set the Windows Password by following the steps below:
  1. Go to Control Panel > Computer Management > Users, which allows a new password to be set for the next login.
    • Note: A regular Ctrl+Alt+Del password command cannot be used. There is no area for the old password. If your computer is not connected to the domain when you are authenticated to Windows, and the user does not have a local account, the Windows Change Password screen does not appear during the Windows session, even if the computer later connects to the domain. Access, however, is granted to Windows because the password-recovery process was completed correctly.

  2. The next time the computer boots, there will be a prompt to enter the Symantec Endpoint Encryption password in pre-Windows.
    The old (forgotten and unchanged) Windows password is still synchronized as the Symantec Endpoint Encryption password.
  3. Use Login Assistance if the password is unknown.
  4. If the computer is connected to the domain at that time, then the Windows Change Password screen will appear upon successful completion of the Login Assistance process (with the old password automatically filled in), and the password can be changed during the next Windows session.