Users Logging into Multiple Encrypted Systems Using the Single Sign-On Feature May Experience Issues with Password Synchronization

Article ID: 156527

Products

Symantec Products

Issue/Introduction

When logging into multiple systems encrypted with PGP Whole Disk Encryption and using the Single Sign-On feature, you may experience issues with password synchronization.

Cause

This is a timing issue with how a Windows client synchronizes a user's domain credentials with the Domain Controller.

In order to boot a machine, a PGP passphrase must be authenticated at PGP BootGuard. The Single Sign-On feature uses the same password for the Windows login: once a user enters his or her passphrase at PGP BootGuard, the system automatically logs in to the matching Windows user profile with that passphrase.
Users logging in to a machine that is joined to a domain (managed by a Domain Controller) log in to a domain profile and are typically authenticated by the Domain Controller, which allows the login to occur.
When a user logs in to a Windows profile on a system managed by the Domain Controller, the credentials can be cached locally on the Windows client. This is designed behavior by Microsoft so that users who cannot contact the Domain Controller (for example, when not connected to the local network) can still log in to their Windows domain profile. Users are authenticated against the locally cached Windows credentials first; when connectivity to the Domain Controller becomes available, Windows verifies that the password is still valid on the Domain Controller.
If a user changes his or her password in Windows, an event is raised with a local service driver, authority.dll. This driver accepts password change events and uses them to update both the locally cached password and the password stored on the Domain Controller. In this way, the user's password is automatically synchronized with the Domain Controller.
When the same user logs in to a second machine, the credentials stored in that system's local cache are used. The second machine still has the old password in both PGP BootGuard and the Windows registry, while the Domain Controller knows the new password. Once the Windows system has contacted the Domain Controller, a pop-up box in the top right corner appears stating, "Windows needs your credentials. Lock and unlock to get your current password". This process synchronizes the new password to both Windows systems. If the user then logs out and logs back in with the new password, Windows authenticates the credentials against the local cache and then updates the password in PGP BootGuard.
NOTE: After the Windows password is changed during the event described above, PGP BootGuard will still require the old Windows password to boot the machine until the user logs out of the Windows profile and logs back in. Once the user logs in to Windows the second time, the new passphrase is written to PGP BootGuard, which will use it from then on. At that point the Windows password and the PGP Whole Disk passphrase are synchronized.

Resolution

If a user has two computers and the passphrase has been changed on one of them, then once the user logs in to the other computer, wait for the "Windows needs your credentials" prompt to synchronize the Windows password, so that both domain-managed computers have the same Windows password. Next, have the user log off the machine and log back on. This causes the PGP password filter driver to synchronize the new password to PGP BootGuard.
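The synchronization sequence described in the Cause and Resolution sections, modeled as an added Python example that is not part of this article or of the PGP product code. The store names, function names and passwords are constructed; the model shows why PGP BootGuard on the second machine still holds the old passphrase after the "Windows needs your credentials" prompt and only picks up the new one at the logoff/logon step.

```python
from dataclasses import dataclass

@dataclass
class Client:
    name: str
    cached_pw: str     # locally cached Windows domain credential
    bootguard_pw: str  # PGP BootGuard pre-boot passphrase (SSO keeps it equal)

@dataclass
class DomainController:
    pw: str            # the password the Domain Controller currently accepts

def change_password(dc, client, new_pw):
    # Password change on the logged-in client: the change event updates the
    # local cache, the DC, and (via the PGP password filter) BootGuard here only.
    client.cached_pw = new_pw
    client.bootguard_pw = new_pw
    dc.pw = new_pw

def preboot_and_sso_logon(client, pw):
    # BootGuard check, then SSO logon against the LOCAL cache with the same
    # passphrase; the Domain Controller is not consulted at this point.
    return pw == client.bootguard_pw and pw == client.cached_pw

def lock_unlock_after_dc_contact(dc, client):
    # "Windows needs your credentials": lock/unlock refreshes the cached
    # domain credential from the DC. BootGuard is not touched here.
    client.cached_pw = dc.pw

def logoff_logon(client, pw):
    # Logging back on authenticates against the refreshed cache; only then
    # does the password filter push the passphrase to BootGuard.
    if pw != client.cached_pw:
        return False
    client.bootguard_pw = pw
    return True

def walk_through(old="old-pass", new="new-pass"):
    # Replay the article's scenario and record BootGuard's state on machine B.
    dc = DomainController(old)
    a, b = Client("A", old, old), Client("B", old, old)
    change_password(dc, a, new)
    out = {"b_boots_with_old": preboot_and_sso_logon(b, old)}
    lock_unlock_after_dc_contact(dc, b)
    out["bootguard_after_prompt"] = b.bootguard_pw   # still the old one
    out["relogon_ok"] = logoff_logon(b, new)
    out["bootguard_after_relogon"] = b.bootguard_pw  # now synchronized
    return out
```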


Applies To

PGP BootGuard—PGP Whole Disk Encryption’s pre-boot environment.