This article details general troubleshooting steps when using the Single Sign-On (SSO) feature of Symantec Drive Encryption (previously PGP Whole Disk Encryption).
SSO issues can be caused by the following:
- PGPWDE01 file permission
- PGP Network Provider Order Connection
- Group Policy for Windows Logon Setting
- Interactive Logon: Do Not require CTRL+ALT+DEL
- Intel PROSet Wireless utility causing Null user authentication issues
- USB Disk or SD card inserted
- Compression of the file system (using Windows File Compression)
You can verify that you are using a SSO user account for authentication by checking the registry where the MSI options supplied at installation are stored as referenced in this article. When validating the registry options make sure that the PGP_INSTALL_SSO option is set to 1 indicating that the driver is installed.
See the following example:
Also you will notice the user in the Symantec Drive Encryption user list under PGP Disk > Encrypt a disk or partition after selecting the boot drive.
The Single Sign-On (SSO) feature allows you to use your existing Windows passphrase for authentication to your Symantec Encrypted drive and automatically log you into Windows.
The Single Sign-On feature utilizes one of the methods Microsoft Windows provides for customizing the Windows login experience. Drive Encryption uses your configured authentication information to dynamically create specific registry entries when you attempt to log in.
Use the following steps to troubleshoot Single Sign-On:
Validate that the user is a SSO user using the pgpwde command line tool.
- Open up a Windows Command Prompt.
- Change to the correct Program Files directory for the operating system.
For 32-bit Operating Systems:
Type in cd C:\Program Files\PGP Corporation\PGP Desktop\
For 64-bit Operating Systems:
Type in cd C:\Program Files <x86>
\PGP Corporation\PGP Desktop\
- Verify the user by using the pgpwde --list-users command:
pgpwde --list-users --disk 0
- You should see something similar to this.
Solution 1: Check PGPWDE01 file permissions (only valid with versions 10.1.1 and older)
If the SSO feature fails after changing your Windows password, check the permissions for the PGPWDE01 file located in the root of the C: drive. The Authenticated Users group needs to have Modify permissions for the PGPWDE01 file. If necessary, modify the permissions for the file, logging off and logging back on to Windows will cause the PGP Tray to update the PGPWDE01 file. This may not be possible to view certain permission from the file properties window on more recent versions of the product. File compression on these files could also cause similar issues where we are unable to write back to the file due to known driver limitations.
To check the PGPWDE01 permissions
- Open Windows Explorer by pressing Windows + E.
Note: For Windows Vista & Windows 7, if the Advanced menu is not displayed in Windows Explorer, press ALT to display the Advanced menu. Windows Vista/Windows 7 may prompt you for your permission to continue.
- Click Tools then select Folder Options.
- Click the View tab.
- Scroll down and remove the checkmark next to Hide protected operating system files (Recommended).
- Click Yes when prompted with the warning then click OK to apply the change.
- Browse to the C: drive and locate the PGPWDE01 file.
- Right-click the PGPWDE01 file and select Properties.
- Click the Security tab and add Authenticated Users with Modify permissions if needed.
Solution 2: Confirm PGP Network Provider List Order
In some cases, other third party Network provider connections may interfere with the Single Sign-On feature. Try moving the PGP Network Provider connection above other third-party connections in the Network Provider Order. Use the steps below for your operating system.
Windows Vista & Windows 7 & Windows 8 & Windows 10
- Click Start > Network.
- Select Network and Sharing Center.
- From the Tasks panel, click Manage network connections.
- Highlight your Local Area Connection.
- Click Advanced > Advanced Settings. (If the Advanced menu is not displayed, press ALT and the Advanced menu bar appears. Windows Vista may prompt you for your permission to continue.)
- Select the Provider Order tab.
- Click the entry PGPpwflt.
- Click the up arrow to move PGP above any other third-party connections.
- Click OK to apply the settings.
- Right-click My Network Places and select Properties or click Start > Control Panel and then double-click Network Connections.
- Click the Advanced menu and then select Advanced Settings.
- Click the Provider Order tab.
- Under Network Providers, select the PGPpwflt entry, and click the Up arrow to move the PGP connection above any other third-party connections in the list.
- Click OK to apply the changes.
Note: The Provider Order can also be updated on multiple computers by creating a script which updates a PGP Windows Registry value. To use a script to update the value, modify the PGP_SET_HWORDER value from 0 to 1. The PGP_SET_HWORDER value is located in HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP folder (32-bit systems) and KEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PGP Corporation\PGP folder (64-bit systems).
Solution 3: Group Policy for Windows Logon Setting
The PGP WDE Single Sign-On feature can be affected by a Logon setting within a group policy for the computer. Check if enabling the Always wait for the network at computer startup and logon setting in the Logon folder of the Group Policy corrects any SSO issues.
Interactive logon: Do not require CTRL+ALT+DEL
Check if any security settings requiring the user to press CTRL+ALT+DEL before logging on to the system affect the Single Sign-On feature.
Solution 4: Intel PROSet/Wireless Software
In some cases, the Single Sign-On password may not synchronize properly due to an incompatibility with certain versions of the Intel PROSet/Wireless software. For Dell computers using version 11.5 of the Intel PROSet/Wireless software, this issue is solved by upgrading the software to version 12 or higher or by uninstalling the software.
Solution 5: USB disk or SD card
If a USB thumb drive or SD card is inserted, a conflict may occur if the USB or SD disk is detected as Disk 0 on the system. Confirm the Windows system disk is Disk 0 in Disk Management. If the USB or SD disk displays as Disk 0, remove the disk, reboot the computer, and then change the Windows password.
Solution 6: Troubleshooting Microsoft Accounts
For more information on troubleshooting Single Sign-On when Microsoft Accounts are in use, see article TECH216805.