PGP Desktop (Symantec Encryption Desktop) can encrypt the entire drive, sector by sector. To boot an encrypted system, a registered user must first authenticate at the preboot (BootGuard) screen; once that authentication succeeds, the system boots.
Depending on the type of user account used to authenticate, the system may or may not automatically log in to the user's Windows profile.
This article will cover how Single Sign-On will work in these various scenarios.
Note: Single Sign-On can be used to align PGP Desktop's preboot passphrase quality with your corporate password quality requirements, because an SSO user's preboot passphrase is their Windows password.
This article covers several scenarios for Drive Encryption and Single Sign-On. There are three options for Single Sign-On:
Allow - Lets your users decide whether or not to use SSO.
Force - Requires them to use SSO.
Deny - Prevents them from using SSO.
User Experience 1 - Force:
To configure this, log in to the PGP Server and find the Consumer Policy the user is associated with.
If you're not sure which policy the user belongs to, find the user under Consumers, Users, then Internal Users, and click on the user.
Then expand the user and click on Groups to see the Effective Group Policy.
In this test, we have a user called "Bobby":
As you can see, Bobby is part of a group called "Everyone". Click on Everyone, and you will be taken to the group.
Then you'll see the Consumer Policy associated to the user.
In this scenario, you'll see "Default" is listed; click it to go to the actual Consumer Policy for this user:
Click on the "Desktop" settings, then Drive Encryption, to review the settings:
Once you are here you'll see the options available. For this scenario, we will be looking at the "Force" option:
When you select this option and save, the first time a PGP user encrypts the disk, the following screen will pop up:
Clicking Next, the user is then "Forced" to enter their Windows password:
If the user enters anything other than their Windows password above, they will receive an authentication error until the correct Windows password is entered.
This password is used to register the user for the preboot screen.
Once the proper password is entered, the user will then see Drive Encryption start on the system:
When the user reboots, they will be prompted to enter the passphrase. Since we chose "Force" in this scenario, only the Windows password will be accepted.
Once authenticated successfully, the system boots up and the user is automatically logged in to their Windows profile.
Important Note 1: When the user's Windows password changes per the password rotation policy, the change is automatically synchronized to the preboot screen so the new password can be used at preboot.
When the user enters the new password at preboot, they are again automatically logged in to the Windows profile.
Important Note 2: If you wish to have the password automatically synchronized when the user changes their password per the organization's password-rotation policy, but you do *not* wish to have the system automatically log in to their Windows account, the automatic sign-on can be disabled with the use of a parameter called "DISABLEWDESSO".
When the DISABLEWDESSO option is enabled and the user changes their password, the change is synchronized to the preboot screen, but the boot process stops at the Windows login screen.
The user then enters their Windows password to log in. This means the user needs to enter their password twice: once at preboot and once at the Windows login screen.
For more information on this DISABLEWDESSO functionality, see the following article
If you list the users via the command line, you will see an "S" marker next to the account, indicating "SSO":
Changing SSO Options:
If you later decide to change a user from an SSO user to a passphrase user, or vice versa, first change the policy to the desired option. Then the existing user account for that user must be deleted.
Once the PGP Desktop services are restarted, the user will be prompted to create a new account for the option selected. The initial account must be deleted because the same username cannot be registered a second time in PGP Desktop.
User Experience 2 - Deny:
To enable this, see "Experience 1" above for the basic flow, and then select the "Deny" option.
When Deny is used, the following screen will pop up for the user:
The username is not displayed at this stage, but it will indeed register "Bobby" for this scenario.
Bobby can then enter any passphrase desired (even Bobby's existing Windows password).
The drive will start encrypting once accepted:
Once authentication is successful at the preboot screen, the machine will boot up, but the user will *not* be automatically logged in to the Windows profile.
Important Note: When the user's Windows password changes per the password rotation policy, the change will *not* automatically synchronize to the preboot screen.
The old/existing passphrase must be entered at the preboot screen before the system will boot. The user will then need to change the preboot passphrase manually, if desired.
Because the password is not automatically rotated, "User Experience 1 - Force" is recommended so that users have only the Single Sign-On experience, for ease of use and automatic password synchronization.
When listing the users via the command line, you can see there is no SSO marker next to the account, indicating this is a "password-only" account:
Changing SSO Options:
The same procedure applies as described under "User Experience 1 - Force" above: change the policy to the desired option, delete the existing user account, and restart the PGP Desktop services; the user is then prompted to create a new account for the option selected.
User Experience 3 - Allow:
The two options above, Deny and Force, each force the user into one method of preboot password management. The "Allow" option lets the user choose which method to use.
The policy on the PGP Server can be configured to Allow, and users then have the ability to do one or the other; however, the "SSO" option is favored, as you will see:
When Drive Encryption begins, the user will see the following screen.
The difference with Allow is that the user can choose to close the "Create Single Sign On User" dialog box:
When the user closes the "Create Single Sign On User" dialog box, the "Password Only" option appears:
The user may not realize that both options are available initially: the "Password Only" window appears only after the first screen for SSO is declined and closed.
Depending on which option the user goes with, the preboot behavior will then follow as specified in the User Experiences 1 and 2 above.
Changing SSO Options:
The same procedure applies as described under "User Experience 1 - Force" above: change the policy to the desired option, delete the existing user account, and restart the PGP Desktop services; the user is then prompted to create a new account for the option selected.
Troubleshooting:
Scenario: The user is able to authenticate at BootGuard; however, the user is unable to authenticate at Windows.
After authenticating at BootGuard, the Windows login screen presents two options: "PGP SSO" and "Other User".
When the user attempts to log in with "Other User", they receive an invalid credential error.
Potential Cause 1: The user created an invalid passphrase or SSO user in Symantec Encryption Desktop. As a result, the user is unable to log in to Windows. The user may not remember their username, as it is often pre-filled and they normally only need to enter their password to log in.
Potential Cause 2: If the user does not recall their Windows username, they will be unable to log in. The only logon options presented are "PGP SSO" and "Other User", and the latter requires the Windows username and password to be entered.
Potential Cause 3: The user may not have a Windows password, and previously may not have had to authenticate at the Windows login screen.
Potential Cause 4: The "SSO User" may have been mistakenly created within Symantec Encryption Desktop by the user instead of a passphrase user.
Solutions:
Solution 1: If you see the "PGP SSO" login screen, click "Use Other Account" and enter the credentials.
Once you log in, the new password (if applicable) will synchronize to the preboot screen.
Solution 2: If your credentials are not accepted at preboot, try entering the old ones. The new password may not have synchronized if it was changed out of band, that is, not through "CTRL+ALT+DEL" on the client.
Solution 3: Have the user authenticate at BootGuard with their Whole Disk Recovery Token (WDRT). Once they log in to their profile in Windows, the password will synchronize to the preboot screen.
Note: If you change the Single Sign-On setting on a group policy or re-assign a user to a new policy with a different setting, the change is not reflected on the user's end. Users continue to sign in once or more than once, based on the original Single Sign-On setting for their group.
Note: If you choose to prevent Single Sign-On, silent enrollment is disabled, even if the Enable Silent Enrollment feature (on the General tab of the Symantec Encryption Desktop section) is enabled.