This article details an issue with a third-party software network driver and the Single Sign-on feature of PGP Whole Disk Encryption.

On a PGP Whole Disk Encrypted system using the Single Sign-On feature, after changing your Windows password, the new password is not synchronized to the PGP BootGuard. The old passphrase is still required at the PGP BootGuard screen and will not log into Windows until you enter your new Windows password.

This issue pertains to PGP Whole Disk Encrypted systems using the Single Sign-On feature only. This issue can be caused by an incompatibility between PGP Desktop and the Juniper Odyssey Access Client.

This occurs when the Juniper Odyssey Access Client driver connection is placed before PGP Desktop in the Network Provider Order. If the Juniper Odyssey Access Client driver is placed before the PGP entry in the Network Provider Order, it causes the PGP BootGuard passphrase to not be synchronized properly with Windows password updates.

The Provider Order in the Advanced Settings of Network Connections determines how the system accesses information on a network.

Note:The Single Sign-On feature may also be affected by other third-party software network drivers in the Network Provider Order. The following steps can also be used to troubleshoot authentication issues.

This article applies to versions PGP Desktop 9.6.x and above.

This issue is resolved by changing the order of the connection for PGP Desktop in the Network Providers list. This can be accomplished by editing the PGP Desktop msi installer or changing the order in the Windows Network Connections properties.

To set the order during installation using the .msi switch:

Use the PGP_SET_HWORDER=1 command to place PGPpwflt in the first of the list. For example, run the .msi installation file using the following command:

msiexec /i pgpdesktop.msi PGP_SET_HWORDER=1

To set the order in the Windows Network Connections properties:

Use the steps below to place the connection for PGP Desktop above the Intel Wireless connection in the Network Providers list.

Windows XP

1. Right-click My Network Places and select Properties. or click Start>Control Panel and then double-click Network Connections.
2. Click the Advanced Menu and then select Advanced Settings.
3. Click the Provider Order tab.
4. Under Network Providers, select the PGPpwflt entry, and click the Up arrow to move the PGP connection above the Intel or other third-party connections in the list.
5. Click OK to apply the changes.

Windows Vista & Windows 7

1. Click Start>Network.
2. Select Network and Sharing Center.
3. From the Tasks panel, click Manage network connections.
4. Highlight your Local Area Connection.
5. Click Advanced>Advanced Settings.
   
   Note:If the Advanced menu is not displayed, press ALT and the Advanced menu bar appears. Windows Vista may prompt your for your permission to continue.
    
6. Select the Provider Order tab.
7. Click the entry PGPpwflt.
8. Click the up arrow to move PGP above other third-party connections.
9. Click OK to apply the settings.

Note: Changing this setting re-synchronize the passphrase with the Windows password that has not been synchronized. To synchronize the user, log out from Windows and log back in with new password. Afterwards restart the computer and try the new password at the PGP BootGuard screen.

Alternate method for Windows 7 if the above does not work.

1. Go to Start.
2. Type "view network connections" in the search box and then click on that selection.
3. Press the "ALT" button and click on Advanced > Advanced Settings (or Advance Connections).
4. Click on the "Provider Order" tab.
5. Click on the PGPpwflt.
6. Click the up arrow to move the PGPpwflt above other third-party connections.
7. Click "OK" to apply the settings.

You can also change the Single Sign-On passphrase using the pgpwde Command Line tool. Refer to the following article: http://www.symantec.com/docs/TECH149263