
Table B.2—Pre-Windows Logon Messages (Continued)

Token Type: All
Message: Incorrect PIN.
Meaning: The PIN you entered is not correct. Type your PIN again, then click OK.
Action: Click OK to dismiss the message. If you think that you know your correct PIN, re-type your PIN, then click OK. Note that your administrator may have defined the number of times that you can re-enter your PIN before SEE Full Disk locks you out. If you get locked out, you will need a Client Administrator to log you on in pre-Windows. If you do not remember your PIN, click Logon Assistance and follow the instructions under "Forgotten PIN" on page 31 in Chapter 4, "Logon Assistance".

Client Console Logon

Table B.3 lists the error messages that may occur when you are trying to log on to the Client console.

Table B.3—Client Console Logon Messages

Columns: Token Type | Severity | Message | Meaning | Action

Token Type: CAC
Message: A token error has occurred.
Meaning: This message is displayed for any of the following conditions: incorrect PIN, blocked PIN, or expired certificate.
Action: Click OK to dismiss the message, then close the Client console. Contact the appropriate administrator to determine the exact issue with your token.

Token Type: RSA
Message: A token error has occurred.
Meaning: It is possible that your certificate cannot be found or is not being recognized.
Action: Click OK to dismiss the message, then close the Client console. Log off Windows and restart your computer. Insert your token and log on. Make sure you wait for the token or reader light to stop blinking before proceeding. Do not remove your token. Launch the Client console. Enter your PIN at the Logon panel and wait for the token or reader light to stop blinking before clicking Log On. If you are using an RSA token, the RSA icon in your system tray should include a plus sign. If you are using an Axalto smart card, wait for the icon's gold token to stop blinking and for the icon's computer screen to return from blue to black. If you receive the same error message again, contact the appropriate administrator.

Token Type: All
Message: The program could not log you on. The token was removed.
Meaning: There is no token in your reader.
Action: Click OK to dismiss the message. Insert your token. In the Logon panel, type your PIN, then click Log On.

Token Type: All
Message: Incorrect PIN.
Meaning: You did not enter the correct PIN.
Action: Click OK to dismiss the message. In the Logon panel, type the correct PIN, then click Log On.

Token Type: All
Message: The PIN is blocked for this token. The current token needs to be replaced or modified by an administrator.
Meaning: Your token's certificate contains a blocked PIN.
Action: Call the appropriate administrator. You cannot use this token and certificate for SEE Full Disk until this issue is resolved.

Token Type: All
Message: The program could not log you on. Your credentials could not be verified.
Meaning: The inserted token may not be for the user who is logged in to Windows. It is also possible that your token does not contain any certificates, or that it contains certificates that were not registered to you.
Action: Make sure that you are the user who is logged on to the Windows session. If you are not, log on to Windows now. Make sure that the inserted token is the one that you registered for your SEE account. If it is not, remove the invalid token and insert the registered token. Try to log on again. If the console still cannot verify your credentials, call the appropriate administrator. You cannot use this token for SEE Full Disk until the issue is resolved.

Glossary

Authenti-Check

Authenti-Check is a self-help password recovery method for registered users. Policy Administrators can choose whether to enable or disable this feature. The Authenti-Check method involves up to three question-answer pairs, established during SEE registration. If a user forgets his or her password in pre-Windows, the questions are displayed and the user is prompted to enter the answers. Correct answers authenticate the user. If Single Sign-On is enabled, the user is then prompted by Windows to change his or her Windows password; if Single Sign-On is not enabled, the user is then prompted to change his or her SEE password. Authenti-Check is not available to Client Administrators or to token users.

Client Administrator

Client Administrators provide support on one or more Client Computers to SEE registered users. The main functions include unregistering users, extending a computer's check-in due date with the SEE Server, unlocking a locked computer, and running the One-Time Password program. They can also run hard disk recovery procedures to attempt data recovery on a Client Computer.

Common Access Card (CAC)

The CAC is a type of smart card issued as standard identification for active duty U.S. military personnel, selected reserve personnel, civilian employees, and eligible contractor personnel.

The CAC is used not only as a general identification card but also for authentication to enable access to Department of Defense (DoD) computers, networks, and certain DoD facilities. It also serves as an identification card under the Geneva Conventions. The CAC enables encrypting and cryptographically signing email and establishes an authoritative process for the use of identity credentials.

Federal Information Processing Standards (FIPS)

Federal Information Processing Standards (FIPS) are issued by the National Bureau of Standards. Several standards (140-1, 140-2, 140-3) provide guidelines for implementing cryptographic software. The validation process is administered by the National Institute of Standards and Technology's (NIST) Cryptographic Module Validation (CMV) Program.

Grace Restarts

Grace restarts are the number of times a user can reboot without having to register for an SEE account.

One-Time Password (OTP)

The One-Time Password (OTP) Program allows a user to recover from a forgotten password, PIN, or token with help desk assistance. This assistance provides the user with a one-time password (known as a response key or secret recovery key) that allows the user to authenticate temporarily. A password-based user is then prompted to enter a new password.

Partition

A partition is a logical division on a hard disk that allows the application of operating system-specific logical formatting to that division only, and not to the entire hard disk.

Password Management

Password management is the ability of a Policy Administrator to define attributes to which a registered user's password must adhere, such as age, reusability, and complexity, if Single Sign-On (SSO) is not enabled. Password management applies during the registration process when a user defines a password, during password-recovery methods when a user is prompted to change their password, and in the Client console Password panel, where registered users without SSO may change their SEE passwords.

Policy Administrator

Policy Administrators are an organization's centralized point of control for Symantec Endpoint Encryption. A Policy Administrator defines installation settings and policies that are pushed out to Client Computers through Active Directory. User accounts and computers are thereby configured to conform to these policies. Policies may differ from computer to computer, and from user to user. The policy requirements defined for user accounts are displayed on user interface screens.

Pre-Windows Environment

The pre-Windows environment is the SEE Full Disk environment that loads upon reboot, before the Windows operating system loads. This environment helps protect the Client Computer's primary hard disk by requiring authentication before a user gains access to Windows.

Registered User

A registered user is the user of a Client Computer who has registered for an SEE account, with either a token or a password. A registered user has the right to change their SEE password, use the password recovery methods set by policy, use Single Sign-On (if set by policy), and encrypt disk partitions. A registered user can also decrypt disk partitions, if allowed by policy.

Registration

When users register with SEE, they set a PIN or a password, possibly along with important information that allows them to recover their password should they forget it. Once the first user has registered, the Client Computer is in a much more secure state. For this reason, users are forced to register after an optional, configurable number of grace restarts expires.

The Symantec registration wizard walks users through a series of screens to define and activate their SEE account. A user may register on more than one computer.

SEE

Symantec Endpoint Encryption.

Single Sign-On (SSO)

Single Sign-On is a feature that allows SEE registered users to use their Windows password as their SEE password. If SSO is enabled, a user logs on once in pre-Windows and is automatically authenticated to Windows and to the Client console. If SSO is not enabled, a user logs on in pre-Windows using their SEE password, logs on to Windows using their Windows password, and logs on a third time to the Client console, if they need to, using their SEE password.

If SSO is enabled, the password criteria are the Windows password criteria, and the user uses the Windows change password screen to change their SEE password.

Symantec Endpoint Encryption Framework

SEE Framework provides the extensible functionality that can be used across SEE.

Token

A token is a physical device that a registered user or Client Administrator may use to authenticate to SEE.

Index

A

Account Settings
    Authenti-Check change 39
    password change 37
    user account viewing 42
Active Directory, pushing out policies 2
Authenti-Check
    changing 39
    guidelines 9
    setting up 8
    using 25

B

build number, purpose of and viewing 45

C

character sets, supported 46, 48
check-in
    lockout 41
Client Administrator, role 2

F

Full Disk
    Check-In 40
    Decryption 43
    Encryption 42
    overview 45

G

grace restarts, definition 4

L

lockout
    Check-In panel settings 41
    Client Administrator help 41, 42
    definition 40
    preventing 41
logging on
    Client console 33
    delay for too many attempts 19, 34
    pre-Windows 18
logon assistance
    Authenti-Check 25
    invoking 23
    One-Time Password 28
    overview 23

P

password recovery methods
    Authenti-Check 25
    invoking 23
    One-Time Password 28
    overview, logon assistance 31
    token registration 12
Policy Administrator, role 2
pre-Windows logon
    logon assistance 23
    password 18
    token 20

Q

Quick Help, use of 37

R

registered user
    overview of functions 1
    viewing accounts 42
registration
    Authenti-Check setup 8
    mandate 4
    multiple certificates 14, 35, 36
    notification, grace restarts available 4
    password 6
    registration password 5
    token 11
re-registration
    basics 16
    mandate 16
    notification 16

S

SEE password
    Authenti-Check change prompt 26
    Client console change panel 37
    creating 7
    guidelines 8
    logging on to Client console 33
    logging on to pre-Windows 18
    OTP change prompt 30
Single Sign-On
    Client console 33
    password change from Authenti-Check 25
    password change from OTP 29
    password registration 6
    pre-Windows 18
    token registration 11

T

token
    Client console logon 34
    logon assistance 23
    multiple certificates 35
    preparation for using 20, 34
    pre-Windows logon 20
    registration 11
token error messages
    Client console logon 53

U

Related documents