How to use Symantec Endpoint Encryption Full Disk One Time Password (OTP) to reset client machine password.


Article ID: 156388


Products

Endpoint Encryption

Issue/Introduction

Unable to log in to Windows because you forgot the password or you need to change the password.

If you are recovering from a forgotten password, you will be prompted to enter a new password when Windows loads. Contact your Policy Administrator before you begin.
 

 

Resolution

 

One-Time Password
 
Basics
 
The One-Time Password (OTP) Program allows you to obtain logon assistance for a forgotten password, PIN, or token, and/or computer lockout assistance, if allowed by policy.
 
OTP provides you with a one-time password—known as a response key—that allows you to authenticate temporarily. If you are recovering from a forgotten password, you will be prompted to enter a new password when Windows loads. Make contact with your Policy Administrator before you begin.
 
Method Selection
 
First, you will be prompted to select your OTP method.
 
 
Figure 4.10—Pre-Windows Assistance, OTP Method Selection
 
Accept the default selection unless you are advised otherwise by your Policy Administrator and click Next.
 
Method 1) Online Method
 
If Online was selected, the One-Time Password screen appears, with the Account name, Account domain, and Computer name fields displaying your Symantec Endpoint Encryption user name, domain, and computer name, respectively. In addition, a Code is displayed. The response key fields are blank. Tell the Policy Administrator the Account name, Account domain, Computer name, and Code information displayed in your window. The Policy Administrator will then provide the response key.
 
 
Figure 4.11—Pre-Windows Assistance, OTP Online
 
Type the response key numbers into the fields on your screen. Enter the numbers in sequence, from left to right and top to bottom. After you have entered the response key numbers, the Policy Administrator may ask you to provide the checksums that appear to the bottom-right of each data-entry field. These checksums confirm that you have entered the numbers correctly. A matching checksum quickly verifies that all of the digits from the first box up to and including the box with the checksum you are confirming are correct.
 
Figure 4.11 shows an example with callouts that identify a response key number and a checksum number. If the Policy Administrator confirms that the numbers you entered are correct, click Next. The Policy Administrator will ask you if the method succeeded or failed. If the online method fails, you will begin the offline method. Skip to the next section. If the online method succeeds, the subsequent steps will differ according to whether you requested assistance for missing credentials or to recover from a lockout condition.
 
If you were missing your credentials, refer to the section that matches your authentication method:
 “Token-Only User”
 “User with Symantec Endpoint Encryption Password, SSO Enabled”
 “User with Symantec Endpoint Encryption Password, SSO Not Enabled”
 
If you were locked out of your computer for a failure to communicate, the Windows logon will be displayed.
 
 
Method 2) Offline Method
 
The One-Time Password challenge/response key screen launches.
 
 
Figure 4.12—Pre-Windows Assistance, OTP Offline
 
Tell your Policy Administrator the Personal identifier that is displayed on your window. The Policy Administrator will ask you to tell him or her the challenge key numbers. Provide the numbers from left to right and top to bottom. The Policy Administrator may ask you to provide the checksums that appear to the bottom-right of each data-entry field. These checksums confirm that the Policy Administrator has correctly entered the numbers you have provided.
 
A matching checksum quickly verifies that all of the digits from the first box up to and including the box with the checksum you are confirming are correct. The Policy Administrator will then provide the response key. Type the response key numbers into the blank fields on your screen. Enter the numbers in sequence, from left to right and top to bottom. After you have entered the response key numbers, the Policy Administrator may ask you to provide the checksums that appear to the bottom-right of each data-entry field. These checksums confirm that you have entered the numbers correctly. As with the challenge key verification, a matching checksum quickly verifies that all of the digits from the first box up to and including the box with the checksum you are confirming are correct.
 
Figure 4.12 shows an example with callouts that identify a response key number and a checksum number. If the Policy Administrator confirms that the numbers you entered are correct, click Next. The Policy Administrator will ask you if the method succeeded or failed. If the method failed, your Policy Administrator may ask you to try the method again.
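The cumulative checksums described for both the online and offline methods can be illustrated with a short sketch. This is an added example, not Symantec's code: the article does not document the product's checksum algorithm, so the mod-97 checksum, the function names, and the sample key below are assumptions chosen only to show how a per-box checksum covering all earlier boxes pinpoints the first mistyped box.

```python
"""Cumulative per-box checksums for a dictated numeric key (illustration only)."""

MOD = 97  # assumed stand-in checksum modulus; NOT Symantec's actual algorithm


def running_checksums(boxes):
    """Return one checksum per box, each covering every digit from box 1 up to
    and including that box (the property the article describes)."""
    checks, acc = [], 0
    for box in boxes:
        if not (box.isascii() and box.isdigit()):
            raise ValueError(f"non-digit characters in box {box!r}")
        for ch in box:
            # Value of the whole digit prefix so far, reduced mod 97.
            acc = (acc * 10 + int(ch)) % MOD
        checks.append(acc)
    return checks


def first_bad_box(reference_boxes, typed_boxes):
    """Return the 1-based number of the first box whose checksum disagrees,
    or None when every checksum matches."""
    if len(reference_boxes) != len(typed_boxes):
        raise ValueError("both sides must have the same number of boxes")
    pairs = zip(running_checksums(reference_boxes), running_checksums(typed_boxes))
    for number, (expected, seen) in enumerate(pairs, start=1):
        if expected != seen:
            return number
    return None


# Constructed sample values, not a real response key.
ADMIN_KEY = ["4821", "0937", "5560", "1274"]
USER_TYPED = ["4821", "0973", "5560", "1274"]  # two digits swapped in box 2

if __name__ == "__main__":
    print("admin checksums:", running_checksums(ADMIN_KEY))
    print("user checksums: ", running_checksums(USER_TYPED))
    print("first box to re-enter:", first_bad_box(ADMIN_KEY, USER_TYPED))
```

Because each checksum depends on every earlier digit, reading back only the last box's checksum confirms the whole key, and reading them box by box locates where re-entry should start.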
 
 
If you are using the offline method, after you click Next on the final screen, the subsequent steps will differ according to whether you requested assistance for missing credentials or to recover from a lockout condition. If you were missing your credentials, refer to the section that matches your authentication method:
 
 “Token-Only User”
 “User with Symantec Endpoint Encryption Password, SSO Enabled”
 “User with Symantec Endpoint Encryption Password, SSO Not Enabled”
 
If you were locked out of your computer for a failure to communicate, the Windows logon will be displayed.
 
Success for Missing Credentials
 
Token-Only User
 
If the OTP process ends successfully and SSO is enabled, Windows will proceed to load. If SSO is not enabled, you are prompted to authenticate to Windows. Once Windows loads, the User Client Console will launch. If you have a new token, use Authenti-Check to gain access to the User Client Console. Then open the Token panel to update your account with the new token.
 
User with Symantec Endpoint Encryption Password, SSO Enabled
 
If the OTP process ends successfully and SSO is enabled, Windows proceeds to load. The message shown in Figure 4.13 appears:
 
 
Figure 4.13—Pre-Windows Logon Assistance, SSO Password Change Success
 
You should be prompted to change your Windows password before gaining access to Windows. The prompt will vary slightly, depending on the version of Windows you are using and whether or not you are using Novell. Type and confirm your new password, then submit the information.
 
If your password is not valid, an error message will be displayed. Correct your information and submit it again.
If your password satisfies all Windows password requirements and if the new password and confirmed password match, your Windows password is changed and you gain access to Windows. Symantec Endpoint Encryption then displays a message informing you that your Windows password and your Symantec Endpoint Encryption password have been automatically synchronized.
 
  
Figure 4.14—Single Sign-On Password Synchronization for Windows
 
The next time you log on in pre-Windows, use the new password. If your Windows account is new or you changed your Windows password quite recently, Windows may stop you from changing your password again because of a minimum password-age restriction. If this happens, call your help desk. Your system administrator will need to reset your Windows password. If you are a domain user and are not connected to your network, you will not be prompted to change your password. Contact the appropriate administrator to regain your network access.
 
User with Symantec Endpoint Encryption Password, SSO Not Enabled
 
If your OTP process ends successfully and SSO is not enabled, the Symantec Endpoint Encryption Password Change dialog appears.
 
 
Figure 4.15—Symantec Endpoint Encryption Password Change Prompt
 
Enter a new password in the New password field. Follow any requirements shown on the dialog box for Password length, Symbols allowed, and Include at least. Symbols allowed identifies which of the non-alphanumeric characters on your keyboard may be included in the password. Include at least displays the number of required symbols, uppercase letters, lowercase letters, and/or digits that your password must contain, if any.
 
Type your new password again in the Confirm new password field. Click Finish. Your password is submitted.
 
If your password is not valid, an error message appears. Re-enter the information and click Finish again.
If the password meets the requirements and the confirmation matches, a password-change success message appears.
 
 
Figure 4.16—Symantec Endpoint Encryption Password Change Success
 
Once your password is changed, Windows loads.

Applies To

SEE Full Disk 8.x and above
