Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 55

Solution:

The user must use a wired network connection when performing an intranet login from the BIOS.

•

Symptom:

Receive the incorrect user name or password speciﬁed message when the intranet user name

and/or password are correct and is greater than 63 characters in length.

Problem description:

BIOS allows a maximum 64 byte user name and password (including null

termination) to be entered when performing an intranet login (63 characters each for the user name and

password, for example). Thus, the client application must enforce the same restriction for consistency.

Solution:

Set the Active Directory policy to limit intranet user names and passwords to maximum

63 characters in length.

•

Symptom:

The Hardware Password Manager client application prompts you to enroll even though user

has already enrolled.


If a domain user is conﬁgured with a hard-coded DNS server address (not

automatically detected) and Hardware Password Manager policy is set for Windows and User Login to

be synchronized, the Hardware Password Manager client application may not recognize that the user is

already enrolled if their domain account password has been changed or reset by the Administrator.

Solution:

Deregister the system (either through BIOS setup or the Intranet login menu in the BIOS),

then re-register.

•

Symptom:

After restoring from a backup that was taken prior to installing the Hardware Password

Manager client application, the user is unable to re-register to the Hardware Password Manager server;

the user receives a message indicating internal error.


If the user has registered in Hardware Password Manager, then restores from a

backup where the Hardware Password Manager client application was not installed, the system is left in a

state where BIOS thinks the system is registered (the secure vault is allocated and hardware passwords

are set), but the client application is no longer installed.

Solution:

Deregister the system (either through BIOS setup or the Intranet login menu in the BIOS),

then re-register.

•

Symptom:

Hardware Password Manager login failure using a Novell server (LDAP) This can occur

anywhere that the intranet account authentication is requested, such as registration, renewal, or intranet

login at the BIOS prompt.


You cannot log in using special characters such as

=

(equal sign) and

.

(period).

This can occur in either of the following scenarios:

–

If LDAP options/connections/bind restrictions is set to

None

and the user name format is

user1.novell

–

If the LDAP options/connections/bind restrictions is set to

Disallow anonymous simple bind

and the

user name format is

cn=user1, o=novell

Solution:

- N/A

Appendix C. Hints and tips

47

Section	Page
Preface	7
Chapter 1. Overview	9
Chapter 2. Installing Hardware Password Manager on ThinkManagement Console	11
Prerequisites	11
Preparing the core server	12
ThinkManagement Console with HPM server setup	13
Migrating to a new LDAP server	14
Installing Hardware Password Manager on a Lenovo device	14
Chapter 3. Managing Hardware Password Manager devices with ThinkManagement Console	17
Viewing Hardware Password Manager devices and their properties	17
Managing enrolled users on Hardware Password Manager devices	18
Configuring an LDAP server connection	18
Viewing Hardware Password Manager users and their properties	19
Removing a user’s access to a Hardware Password Manager device	20
Managing Hardware Password Manager groups	20
Managing remote actions and policy settings for Hardware Password Manager devices	21
Updating client policies globally	22
Updating hardware passwords globally	23
Updating the emergency account	24
Changing server policy settings	25
Defining scopes and roles for console users	26
Chapter 4. Hardware Password Manager Client	29
Hardware Password Manager device setup	29
Registering a device with the Hardware Password Manager server and enrolling the first user	29
Enrolling additional users on a Hardware Password Manager device	30
Removing a user from a Hardware Password Manager device	31
Unregistering a device from the Hardware Password Manager server	31
Updating credentials on a Hardware Password Manager device	32
Chapter 5. Deployment	33
Fingerprint integration	33
Safe Guard Easy/Safe Guard Enterprise compatibility	34
One-touch registration	34
Pre-registration	35
User enrollment on a pre-registered system	35
Chapter 6. Scenarios	37
Service scenarios (configuration changes)	37
Scenario 1 - Hardware configuration changes	37
Scenario 2 - CMOS error	37
Scenario 3 - Replace the fingerprint device	38
Scenario 4 - Hardware passwords already set	38
Scenario 5 - Setup under the operating system (remote BIOS settings)	38
Scenario 6 - Replace the system board	39
Scenario 7 - Add a hard disk drive	39
Scenario 8 - Replace or move a hard disk drive	39
Scenario 9 - Change the hard disk location within a system	40
Scenario 10 - Remove a hard disk drive	40
Scenario 11 - Flashing the BIOS	40
Scenario 12 - Registered system can no longer access the Hardware Password Manager server	41
Scenario 13 - Enter the BIOS setup	41
Scenario 14 - Load default settings in the BIOS setup	41
Scenario 15 - Do not protect all hard drives	41
User Scenarios	42
Scenario 1 - Forgot Hardware Account credentials, network connected	42
Scenario 2 - Forgot Hardware Account credentials, NOT network connected	42
Scenario 3 - Forgot the corporate password	42
Scenario 4 - Manual login using different keyboard types	42
Scenario 5 - Handling enrollment from multiple boot partitions	43
Scenario 6 - BitLocker	43
Appendix A. Security and convenience	45
Appendix B. Disaster recovery	47
Appendix C. Hints and tips	51
Appendix D. Notices	57

Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 55

Solution, Symptom, Problem description, are set, but the client application is no longer installed.

Page 55 highlights