If we have EndPoint SSO users logged onto more than one machine at any one time, what is the best way to deal with a password change?
So for example we have user1 logged on with a domain account for which SSO is enabled on two machines at the same time. User1 changes their domain password on machine1 via ctrl-alt-del. What is happening behind the scenes with EndPoint?
I understand that the Windows Password change event will automatically update the PBA password on Machine 1, but does the password change event automatically trigger a sync of machine 1 with the server? If so do we need to manually trigger a sync from Machine 2 to set the Machine2 PBA password to the new password and to update the cached SSO password on machine2?
I guess what I am trying to understand is exactly what is happening behind the scenes when the password is changed and what is the best way to get the updated password onto other machines without the user having to key in his/her old domain password on other machines.
In my experience with SSO, which admittedly was a few versions ago, there was not an automatic synch on machine1. So what you would end up with is an updated EEPC password on machine1, which would synch to the database at the next synch interval. Assuming that machine2 is online, then the next time machine2 synchs it would pull down the updated password. If machine2 is off-line, the user would have to use the old password, to get logged in to the machine, which could then synch the password. Same with additional machines.
Don't quote me on this part, but I think you might want to check the "Do not lock workstation if no user is authenticated" option as well. If you don't, if the user is authenticated with the old password, and a new password is pulled down, I believe that the machine will lock, and the user will be forced to re-authenticate with the new password. Not a huge deal, but if your users are like my users, it's the end of the world.
Where it gets fun is when the user changes the password on machine1, but machine2 is offline. The next time they try to authenticate to machine2, they don't think to use the old password, so they call the helpdesk. The helpdesk, being ever so helpful, performs a user recovery and the user resets their password on machine2. Now the password on machine1 is wrong again. Wash, rinse, repeat...
Thanks for the post. This was my suspicion; I would like to get one of the mods to confirm this.
I guess to reduce impact this may be a reason to consider increasing sync intervals. SSO can be so good, but boy, it's tough to get your head round and then implement and maintain.
We found that SSO actually caused more confusion in our environment when we first looked at it back in version 5.1.1. Because we had so many users using multiple machines, it was just not manageable. We eventually started telling our users something like this: "Your SafeBoot password and Windows password don't know anything about one another. You can set your SafeBoot password to be the same thing as your Windows password if you like, but know that when you change your Windows password, your SafeBoot password will not change automatically." We also disabled the "password expires after XX days" option in SafeBoot/EEPC.
That puts the choice into the users' hands, which the users seem to like. Some choose a completely separate SafeBoot/EEPC password, some set it to match their Windows account.