If a Web Email Protection or PDF Email Protection user cannot remember their passphrase, they can click on the I lost my passphrase link on the Web Email Protection portal login page.

The Reset Passphrase dialog is then displayed and the user can enter their email address.

Encryption Management Server will then send them an email message with, by default, the Subject Symantec Encryption Server Passphrase Reset. By default, the message contains the following text where the URL directs them to the Web Email Protection portal and includes a unique, single use password reset token:

You can reset your passphrase by clicking on the following URL:

https://keys.example.com/b/rp.e?rid=NAWYOEXYH4TM4YAPPS456VSM2E

However, when the user clicks on the link, the Web Email Protection portal displays the following error message and once again displays the Reset Passphrase dialog. If the user enters their email address they are sent another password reset token which fails; the user is stuck in a loop, unable to reset their passphrase:

If the user's email was [email protected] and they received this reset passphrase URL:

https://keys.example.com/b/rp.e?rid=NAWYOEXYH4TM4YAPPS456VSM2E

then the Web Email Protection log under Reporting / Logs would show something similar to the following. Note that the passphrase recovery token is passed to the Web Email Protection portal four times but an analysis of the IP addresses confirms that only the last of these attempts was made by the end user. The three attempts that preceded it were made by the URL protection product (in this example, Mimecast Targeted Threat Protection – URL Protect) and since the protection product passes the URL unaltered to Web Email Protection, it invalidates the token:

2017/09/14 14:16:50 +01:00  NOTICE pgp/wm[2002]: Received recovery token [NAWYOEXYH4TM4YAPPS456VSM2E]
2017/09/14 14:16:50 +01:00  NOTICE pgp/wm[2002]: Token [NAWYOEXYH4TM4YAPPS456VSM2E] is good, applies to user [[email protected]], removing token so it cannot be used again
2017/09/14 14:16:50 +01:00  NOTICE pgp/wm[2002]: Received recovery token [NAWYOEXYH4TM4YAPPS456VSM2E]
2017/09/14 14:16:50 +01:00  NOTICE pgp/wm[2002]: Could not find user for recovery token [NAWYOEXYH4TM4YAPPS456VSM2E]
2017/09/14 14:16:52 +01:00  NOTICE pgp/wm[2002]: Received recovery token [NAWYOEXYH4TM4YAPPS456VSM2E]
2017/09/14 14:16:52 +01:00  NOTICE pgp/wm[2002]: Could not find user for recovery token [NAWYOEXYH4TM4YAPPS456VSM2E]
2017/09/14 14:16:54 +01:00  NOTICE pgp/wm[2002]: Received recovery token [NAWYOEXYH4TM4YAPPS456VSM2E]
2017/09/14 14:16:54 +01:00  NOTICE pgp/wm[2002]: Could not find user for recovery token [NAWYOEXYH4TM4YAPPS456VSM2E]

• Encryption Management Server 3.4.1 MP2 HF2 and below with the Web Email Protection service enabled.
• Web Email Protection user whose organization uses a URL protection product that rewrites the URLs contained in email messages. 

The Web Email Protection user's organization is using a URL protection product that rewrites URLs in email messages that users receive.

Mimecast Targeted Threat Protection – URL Protect is one such product and it has been shown to prevent Web Email Protection users from being able to reset their passphrases.

Similar URL protection products may cause similar problems. However, not all protection products work the same way.  For example, the Symantec Click-time URL Protection service in Symantec Advanced Threat Protection does not appear to cause this problem because it alters the URL before passing it to Web Email Protection.

Upgrade to Encryption Management Server 3.4.2 or above because the passphrase recovery token processing logic was modified in release 3.4.2 in order to prevent this issue occurring. In release 3.4.2, the passphrase recovery token is not cleared until the Web Email Protection user enters and confirms their new passphrase and clicks on the Continue button. This should stop URL protection products from using up the single use passphrase recovery token.

The affected users should work with their IT support to access the passphrase reset link directly from their web browser. This may involve, for example, opening Windows Notepad, copying and pasting the URL from the email message into Notepad then copying and pasting from Notepad into a web browser.

Alternatively, the administrator of the URL protection product can usually "whitelist" domains or URLs. In the case of Mimecast Targeted Threat Protection the administrator can open this Targeted Threat Protection - URL Protect article and follow the link to this article that describes how to add a Managed URL or Domain. A domain or URL can be permitted and rewriting of the URL can be disabled. If, for example, the domain of the Web Email Protection portal is permitted and rewriting is disabled, the URL in the Symantec Encryption Server Passphrase Reset email will not be rewritten and will work as designed.

153269 - Symantec Encryption Management Server Web Email Protection Troubleshooting