Atakama stores the local machine's private key in the Windows user keyring, which is tied to the user's account and password and protected by the Data Protection API (DPAPI). DPAPI protects that keyring with a per-user master key that is itself encrypted with a key derived from the user's logon password, which is why password changes matter.
Non-Active Directory Users:
When a user changes their own password through Windows (supplying the old password), DPAPI re-encrypts the master key under the new password and Atakama continues to function.
When an administrator resets a user's local machine password (without the old password), DPAPI cannot re-encrypt the master key, and Atakama can no longer open the private key.
From Atakama's point of view, a user whose credentials were lost this way is in the same position as a user who lost the local machine. The options are:
- When the original password is known, the user or administrator can change the password back to the original password; DPAPI keeps a credential history, so the old master key becomes usable again.
- The user can attempt to recover Atakama on their workstation by using a backup device or their words-based spare key.
For Active Directory users when Roaming User Profiles are enabled:
Domain accounts differ from local accounts in that DPAPI backs up each user master key to the domain controller, so an administrator reset of a domain password does not by itself lose the key. In addition, DPAPI master keys can be configured to follow the user (Credential Roaming) so that the keys are available when the user logs in on a different machine.
The following are possible solutions when a user logs in on a new machine and receives an error message that Atakama cannot access the user's private key credentials:
- Enable Credential Roaming and disable its filters.
- The user may need to sign out of the prior machine before logging in to the new machine, so that the roaming profile (and the keys stored in it) is written back before the next login.
- A recent Group Policy change may not have reached the user yet. Background policy refresh runs every 90 minutes by default (plus a random offset of up to 30 minutes). Running gpupdate /force from the command line on the affected machine applies the change immediately.
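Both situations above (an administrator reset on a local account, and a first login on a new machine with roaming enabled) come down to one question: can the current logon still reach the DPAPI master key that protected data earlier? The following PowerShell script is an added example, not Atakama's own tooling and not from Microsoft's documentation. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as the affected user; the probe file name and the function names are this example's own.

```powershell
# Added diagnostic (not part of Atakama). Uses the Windows DPAPI .NET wrapper
# and gpupdate only. Assumptions: Windows PowerShell 5.1 or PowerShell 7 on
# Windows, run as the affected user. The probe file name is hypothetical.
Add-Type -AssemblyName System.Security

$ProbePath = Join-Path $env:APPDATA 'dpapi-probe.bin'
$Scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function New-DpapiProbe {
    # Protect a known string under the current user's DPAPI master key and keep
    # it in %APPDATA%, which is part of a roaming profile. Run this once while
    # everything still works (for example right after Atakama is set up).
    $plain = [System.Text.Encoding]::UTF8.GetBytes("dpapi-probe:$env:USERDOMAIN\$env:USERNAME")
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    [System.IO.File]::WriteAllBytes($ProbePath, $blob)
    Write-Output "Probe written to $ProbePath"
}

function Test-DpapiProbe {
    # Decrypt the stored probe with whatever master key the current logon can
    # reach. If this fails, Atakama's private key (protected the same way) will
    # fail too, so this shows which case you are in before touching Atakama.
    if (-not (Test-Path -LiteralPath $ProbePath)) {
        return 'NO PROBE: run New-DpapiProbe first, while DPAPI still works'
    }
    $blob = [System.IO.File]::ReadAllBytes($ProbePath)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        return 'OK: ' + [System.Text.Encoding]::UTF8.GetString($plain)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        return "FAIL: DPAPI cannot unprotect the probe ($($_.Exception.Message))"
    }
}

function Get-DpapiContext {
    # Facts that decide which remedy applies: local vs. domain account, and
    # whether the user's master keys (GUID-named files under
    # %APPDATA%\Microsoft\Protect\<SID>) are present in this profile at all.
    $sid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $mkDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
    $mkeys = Get-ChildItem -LiteralPath $mkDir -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' }
    [pscustomobject]@{
        User            = "$env:USERDOMAIN\$env:USERNAME"
        DomainJoined    = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        MasterKeyFolder = $mkDir
        MasterKeyCount  = @($mkeys).Count
        NewestMasterKey = ($mkeys | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    }
}

function Invoke-UserPolicyRefresh {
    # Roaming case: pull the Credential Roaming policy now instead of waiting
    # for the background Group Policy refresh.
    gpupdate.exe /target:user /force
}

# Typical use on a machine where Atakama reports it cannot open the private key:
Get-DpapiContext | Format-List
Test-DpapiProbe
```

Run New-DpapiProbe once while Atakama works. After an administrator password reset on a local account, a FAIL from Test-DpapiProbe confirms the master key is unreachable, so the remedies are restoring the original password or recovering from a backup device or spare key. On a new machine in the roaming case, a FAIL together with a MasterKeyCount of 0 usually means the profile or Credential Roaming has not synced yet, which is where signing out of the old machine and Invoke-UserPolicyRefresh come in.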
For more information: review Microsoft's documentation on DPAPI.