How to troubleshoot Drive Encryption errors: 0xEE050002 (Unknown User) and 0xEE0F0001 (Token authentication parameters are incorrect)
Technical Articles ID: KB85053
Last Modified: 2023-03-16 10:27:49 Etc/GMT
Problem
Under different situations, one of the two following errors might appear while logging on at Preboot Authentication (PBA), which prevents users from logging on.
0xEE050002 (Unknown User)
0xEE0F0001 (Token authentication parameters are incorrect)
Although these errors seem similar because they don't let you pass the PBA screen, they're different issues that need to be verified in the troubleshooting process.
Cause
0xEE050002 (Unknown User)
- This error is displayed when the user types the username in the Username field at the PBA screen and clicks the login option to proceed to Windows.
- This error occurs when the PBA details for the username aren't present in the Preboot File System (PBFS).
0xEE0F0001 (Token authentication parameters are incorrect)
- This error is displayed when the user types the password in the Password field at PBA and clicks the login option to proceed to Windows.
- This error occurs when the password token entered differs from what's actually stored in PBFS.
Solution 1
Resolving the 0xEE050002 (Unknown User) error
To resolve this user issue, make sure that the username being entered into the username field is added to PBFS. This requires a two-part check process: a server-side and a client-side action.
ePO Configuration Checks:
- Log on to the ePO console.
- Check if the default LDAP attributes are being used under the server settings. By default, the LDAP attributes are set to samaccountname, but can be changed if environments use different attributes.
- Click Menu, Server Settings, Drive Encryption, LDAP Attributes.
- Click Manage LDAP Attributes.
Identify where the LDAP attributes can be managed.
- Confirm in ePO if users are being added manually:
- Click Menu, Encryption Users, Systems.
- Find the client system in question and select it, and then go to Actions, View Users.
- Determine if users are being added as a Group:
- Click Menu, Encryption Users, Group Users.
- Identify if the user is listed in the Group Users section, and then verify that the user is part of a Group or Organization Unit.
- If not listed in a group, then verify in the DE Product setting policy, under the Log On tab, that you have one of the two following options selected:
- Add all previous and current local domain users of the system.
- Only add currently logged-on local domain user(s); activation is dependent on a successful user assignment.
Client Verification checks
On the client side, there are two ways to verify that a user has been added to PBFS to make sure that the user will be available.
Method 1
- Log on to the ePO Console.
- Access the DE product settings policy on the General tab.
- Select Allow users to create endpoint info file. This allows users on the client to see a new option (Save Machine Info) on the Show Drive Encryption Status page.
- At the client, right-click on the McAfee Agent icon, Quick Settings, Show Drive Encryption Status.
- Click Save Machine Info and save the text file to the local hard disk. The file contains all the PBFS details.
The username will be listed in the Machine Info file section under Assigned Users.
Example:
Assigned Users
UUID | 4AB60C18B3B3B24DB79C5CB4E038E6AE
Name | Administrator
UserNameTime | 1411915419030
Certificate Timestamp | 0
Token UUID | 99ee83a5-fe08-4b99-a627-99db1eb7081e
Token Timestamp | 13056578728000
Logon Data Timestamp | 13073160502000
Self-Recovery State | Uninitialized
Self-Recovery Timestamp | 13056477572999
SSO Timestamp | 13057188080597
Method 2
- Browse and view the MfeEpe.log to verify if the user is successfully added in the following path:
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log
- Open MfeEpe.log using a text editor and search for the username that's logging into PBFS.
Example:
INFO | userLib: user Administrator (4AB60C18B3B3B24DB79C5CB4E038E6AE) successfully added
0xEE0F0001 (Token authentication parameters are incorrect)
Solution 2
Resolving the 0xEE0F0001 (Token authentication parameters are incorrect) error
To complete this, you'll need to verify what Token type is assigned to the user. You can find the token information by following the steps to export the DE information file.
- Log on to the ePO Console.
- Access the DE product settings policy on the General tab.
- Select Allow users to create endpoint info file. This allows users on the client to see a new option (Save Machine Info) on the Show Drive Encryption Status page.
- At the client, right-click on the McAfee Agent icon, Quick Settings, Show Drive Encryption Status.
- Click Save Machine Info and save the text file to the local hard disk. The file contains all the PBFS details.
The username is listed in the Machine Info file section under Assigned Users.
Example:
Assigned Users
UUID | 4AB60C18B3B3B24DB79C5CB4E038E6AE
Name | Administrator
UserNameTime | 1411915419030
Certificate Timestamp | 0
Token UUID | 99ee83a5-fe08-4b99-a627-99db1eb7081e
Token Timestamp | 13056578728000
Logon Data Timestamp | 13073160502000
Self-Recovery State | Uninitialized
Self-Recovery Timestamp | 13056477572999
SSO Timestamp | 13057188080597
- In the section Assigned Users, locate the user.
NOTE: Multiple user details will exist in this file when multiple users are assigned to the client.
- Locate Token UUID. Under Token UUID, you'll find one of two Tokens assigned to the user.
NOTE: When using a hardware token, a different value is displayed. The default password token is assigned to all unutilized users.
- 10446506-d610-426e-868b-798053e2c954 - Default password
NOTE: The default password is either 12345 or the default password that's assigned in the Drive Encryption User Based policies under the Password Tab.
- 99ee83a5-fe08-4b99-a627-99db1eb7081e - Password Only
NOTE: Password Only is the password created after the user is prompted for the default password. If the customer uses SSO, 99ee83a5-fe08-4b99-a627-99db1eb7081e may be their current network credentials. If SSO hasn't been updated in PBFS, the user may want to try a previous network password.
IMPORTANT: When using token types other than password, the UUID will not be similar to the above-mentioned UUID Codes. In this situation, contact Technical Support for further information.
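The two checks above (the Method 2 search of MfeEpe.log for the user, and the Token UUID lookup from the Machine Info file) can be combined into one triage helper. This is an added example, not code from the vendor or the original article; the function names, the case-insensitive username match and the sample log lines are assumptions made for illustration.

```python
import re

# Message text as shown in the article's MfeEpe.log example.
ADDED_RE = re.compile(
    r"userLib: user (?P<name>.+?) \((?P<uuid>[0-9A-Fa-f]{32})\) successfully added"
)

# Token UUIDs listed in the article; anything else is a non-password token.
TOKEN_TYPES = {
    "10446506-d610-426e-868b-798053e2c954": "Default password",
    "99ee83a5-fe08-4b99-a627-99db1eb7081e": "Password Only",
}


def pbfs_added_users(log_lines):
    """Return {username: user UUID} for every 'successfully added' log entry."""
    users = {}
    for line in log_lines:
        match = ADDED_RE.search(line)
        if match:
            users[match.group("name")] = match.group("uuid").upper()
    return users


def triage(username, log_lines, token_uuid=None):
    """Point to the check from the article that applies to this user."""
    # Assumption: usernames are compared case-insensitively.
    added = {name.casefold() for name in pbfs_added_users(log_lines)}
    if username.casefold() not in added:
        return "No 'successfully added' entry: verify the ePO user assignment (0xEE050002)"
    if token_uuid is None:
        return "User added to PBFS: export the Machine Info file to read the Token UUID"
    kind = TOKEN_TYPES.get(token_uuid.strip().lower())
    if kind is None:
        return "Token UUID is not a password token: contact Technical Support"
    return f"User added to PBFS, token type: {kind}"


# Constructed sample lines; only the message text follows the article's example.
SAMPLE_LOG = [
    "INFO userLib: user Administrator (4AB60C18B3B3B24DB79C5CB4E038E6AE) successfully added",
    "INFO constructed line unrelated to user assignment",
]

if __name__ == "__main__":
    print(triage("administrator", SAMPLE_LOG, "99ee83a5-fe08-4b99-a627-99db1eb7081e"))
    print(triage("jdoe", SAMPLE_LOG))
```

A missing log entry only means the addition was not recorded in the lines supplied, so confirm against the Machine Info file before concluding that the user is absent from PBFS.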