We use an Active Directory connector which syncs twice daily to keep users' EEPC passwords the same as their domain passwords, but have encountered an issue where it seems like a host with an old password will sync with EEM and overwrite the user's proper, current password. In detail:
When logging into a random laptop that we pulled out of the file room, which has not been synced with the console/Active Directory since a user's last password change, the user tries to type their current password in, and the authentication fails with an 'invalid token authentication' or similar error. So the user can't log in (unless you know your old password). If you don't remember your old password, you just move on to use another host which is currently synced up to the console/domain.
After a few hours, you lock your current host and try to log back in, and are presented with the same 'invalid token authentication' error, even though you are using your currently active domain credentials. You try on another currently synced host, and the same error pops up. Once you remember what your old password was, you can log into any host with encryption, using that old password. You can still access any domain resource, which indicates that the host is passing your current password, but McAfee would only accept your old password. To resync the McAfee encryption token with your current password, you must lock the machine, type in your username and old password, click on the 'change password' checkbox, and enter your current domain password. After that is done, McAfee's token matches AD.
The problem appears to be that when logging into a host that hasn't been synced up in a while, McAfee somehow overrides your current token with the old password that was contained on the host you attempted to log into. Or it just erases your current token and has the contents from your old token. We are not sure what it is doing, but it essentially resets your McAfee token back to your old password (in my case, it was a 2-week-old password). This seems to be a bug that has security risks for several reasons we don't need to go into.
Thank you for any advice here.
Don't use EEPC SSO feature. Different sync and caching strategies in Windows and EEPC are going to affect you sooner or later.
We've seen this already. Any recommendation?
Actually, the EEM password is not updated by AD sync.
At first I thought the password changes when EEM syncs with AD, but in fact it's not.
The EEM password is ONLY changed by the MEE client. So when a user changes his/her AD password, the MEE client will check for the new update and update the EEM database.
Message was edited by: obelicks on 8/26/10 11:16:20 AM MYT
Thanks for linking that thread; it explains things perfectly and while I completely disagree with the logic Simon presents, it looks like we just have to accept it for now.