I need a way to clear the Windows SSO credentials associated with an EE sign-on so that EE will prompt the user for the Windows credentials again after a reboot, so we can reassociate a different Windows account with the same EE sign-on.
I understand there's an option in the console to do this for a specific machine, but we need a way to do it on the client itself. I saw there are some commands in SBAdmCl to set or change the Windows credentials, but I didn't see anything to just clear the currently associated Windows credentials.
Thanks for the suggestion. I just tried it and it doesn't work. It doesn't like not having an actual entry for the parameters. I tried:
sbadmcl -command:setwindowscredlocal -winuser: -winpwd:
and it errors.
I suppose I could set it to dummy credentials that would be guaranteed to fail, but I know that when the password changes on the Windows account (not using the option to keep the EE password the same as the Windows one) it causes an actual "Windows login failed" error to appear before prompting for the new credentials, and I'd like to avoid that if possible.
Nope. Different issue.
First, it requires a connection to the EE server and errors out without one. I need this to work on a client PC even when it can't sync with the EE server. I thought that's what the "local" version, setwindowscredlocal (vs. just setwindowscred), would do, but apparently not.
Second, I went ahead and connected it so that it could sync with the EE server. In this case, it did not set the blank credentials (or "clear" them, as I'm trying to do); instead I pulled down from the EE server the Windows cached creds I had been using on a different PC under the same EE account.
In the documentation I read somewhere that EE saves the cached credentials in an encrypted part of the registry. Could you point me to where that is? I don't care about "decrypting" the info, maybe I can just totally delete it?
I had to look again to find it, but in the EEPC version 5.2.4 Administration Guide, the "Windows Sign-on and SSO" chapter, bottom of page 63 onto page 64 under the "First Boot" section, copied and pasted word for word:
Normally they would next be presented with a Windows logon – if the Endpoint Encryption Windows Logon architecture is fully activated, Endpoint Encryption will automatically present the user's stored SSO id and password to Windows. If these details are accepted, Endpoint Encryption stores a record of these credentials in a special encrypted area of the user's profile. If Windows fails the SSO credentials, for example, if they have not been set, Windows displays the standard login box and the user is forced to enter their Windows id and password.
Actually, I just reread that and I see it doesn't say "registry", it says "profile". Okay then, is it a file I can just delete somewhere?
Separate side note: it's stated in the above text, and again a few other times in the same document, that if the SSO fails, "Windows displays the standard login box." Which "standard" login box? I read that as the standard WINDOWS login, but that's NOT what I see. I see an ugly grayish old-style login box with a McAfee title bar on it that looks more like the old XP-and-prior GINA login prompts.