
Single Sign On (SSO) and Graphical Interface Network Authentication (GINA) in Symantec Endpoint Encryption (SEE)


Article ID: 151452


Updated On:


Endpoint Encryption


How do SSO and GINA work with SEE?



Installing the Symantec Endpoint Encryption Data Protection Platform Framework client installs a Graphical Interface Network Authentication (GINA). This is always installed whether Single Sign On (SSO) is chosen by policy or not.

The Symantec Endpoint Encryption-Full Disk GINA DLL is named "EAFRCliGina" and is registered in the Windows registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

There should also be an entry for the next program in the GINA chain, which is usually the Windows MSGINA.dll but could be another app (nwgina for Novell would be an example):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\PrevEAFRGinaDLL

Single Sign On (SSO) is turned OFF or ON by User policy, not Computer policy. In other words, SSO can be ON or OFF on a user-by-user basis. To implement this, the GINA always loads to determine which users should be authenticated into Windows, and which users should be passed on to the default GINA (MSGINA.DLL).

As the SSO design implies, you can use SSO domain-wide, but build a policy that turns SSO OFF for certain users who cannot or should not be automatically logged into Windows. The converse is also true. SSO may be turned OFF domain-wide, but enabled for a small number of users that meet all the security requirements for being signed on to Windows when logging onto Symantec Endpoint Encryption.
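The two registry values described above can be checked together when reviewing a client. The following is an added example, not Symantec code: it parses `reg query` output for the Winlogon key and classifies the GinaDLL to PrevEAFRGinaDLL chain. The sample output, the result labels and the allow-list of acceptable next GINAs are assumptions.

```python
import ntpath
import re

# Value names and the DLL name come from the article; the allow-list of
# acceptable "next" GINAs and the result labels are assumptions of this example.
SEE_GINA = "eafrcligina"
EXPECTED_NEXT = {"msgina", "nwgina"}
_VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")

# Constructed sample of `reg query` output for the Winlogon key (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    GinaDLL    REG_SZ    EAFRCliGina.dll
    PrevEAFRGinaDLL    REG_SZ    C:\WINDOWS\system32\MSGINA.dll
    Shell    REG_SZ    Explorer.exe
"""

def parse_reg_query(text):
    """Map lower-cased value name -> string data for each REG_SZ line."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values

def dll_stem(data):
    """DLL name without directory or .dll suffix, lower-cased."""
    name = ntpath.basename(data.strip().strip('"')).lower()
    return name[:-4] if name.endswith(".dll") else name

def audit_gina_chain(text):
    """Classify the GinaDLL -> PrevEAFRGinaDLL chain found in `text`."""
    values = parse_reg_query(text)
    gina = values.get("ginadll")
    nxt = values.get("preveafrginadll")
    if gina is None:
        return "see-gina-not-registered"
    if dll_stem(gina) != SEE_GINA:
        return "unexpected-first-gina"   # something other than SEE loads first
    if nxt is None:
        return "next-gina-missing"       # no next GINA recorded for the hand-off
    if dll_stem(nxt) not in EXPECTED_NEXT:
        return "review-next-gina"        # DLL outside the allow-list is next in the chain
    return "ok"

if __name__ == "__main__":
    print(audit_gina_chain(SAMPLE))
```

Any result other than `ok` means the chain differs from what this article describes and the two values should be reviewed by hand.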