
Changing password - Single Sign-On user with multiple machines


If we have EndPoint SSO users logged onto more than one machine at any one time, what is the best way to deal with a password change?

So for example we have user1 logged on with a domain account for which SSO is enabled on two machines at the same time. User1 changes their domain password on machine1 via ctrl-alt-del. What is happening behind the scenes with EndPoint?

I understand that the Windows Password change event will automatically update the PBA password on Machine 1, but does the password change event automatically trigger a sync of machine 1 with the server? If so do we need to manually trigger a sync from Machine 2 to set the Machine2 PBA password to the new password and to update the cached SSO password on machine2?

I guess what I am trying to understand is exactly what is happening behind the scenes when the password is changed and what is the best way to get the updated password onto other machines without the user having to key in his/her old domain password on other machines.

3 Replies

Re: Changing password - Single Sign-On user with multiple machines

In my experience with SSO, which admittedly was a few versions ago, there was not an automatic synch on machine1. So what you would end up with is an updated EEPC password on machine1, which would synch to the database at the next synch interval. Assuming that machine2 is online, then the next time machine2 synchs it would pull down the updated password. If machine2 is off-line, the user would have to use the old password to get logged in to the machine, which could then synch the password. Same with additional machines.

Don't quote me on this part, but I think you might want to check the "Do not lock workstation if no user is authenticated" option as well. If you don't, if the user is authenticated with the old password, and a new password is pulled down, I believe that the machine will lock, and the user will be forced to re-authenticate with the new password. Not a huge deal, but if your users are like my users, it's the end of the world.

Where it gets fun is when the user changes the password on machine1, but machine2 is offline.  The next time they try to authenticate to machine2, they don't think to use the old password, so they call the helpdesk.  The helpdesk, being ever so helpful, performs a user recovery and the user resets their password on machine2.  Now the password on machine1 is wrong again.  Wash, rinse, repeat...


Re: Changing password - Single Sign-On user with multiple machines

Thanks for the post. This was my suspicion; I would like to get one of the mods to confirm this.

I guess to reduce impact this may be a reason to consider increasing sync intervals. SSO can be so good, but boy, it's tough to get your head round and then implement and maintain.

Re: Changing password - Single Sign-On user with multiple machines

We found that SSO actually caused more confusion in our environment when we first looked at it back in version 5.1.1. Because we had so many users using multiple machines, it was just not manageable. We eventually started telling our users something like this, "Your SafeBoot password and Windows password don't know anything about one another. You can set your SafeBoot password to be the same thing as your Windows password if you like, but know that when you change your Windows password, your SafeBoot password will not change automatically." We also disabled the "password expires after XX days" option in SafeBoot/EEPC.

That puts the choice into the users' hands, which the users seem to like. Some choose a completely separate SafeBoot/EEPC password, some set it to match their Windows account.
