cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
markgarza
Level 10
Report Inappropriate Content
Message 1 of 2
‎07-17-2020 06:20 AM

User tokens not reset after migration to new server

Hi, we recently began migrating our DE clients to FIPS compliance by standing up a new FIPS EPO server and re-installing the DE software in FIPS mode. The process is like this:

Decrypt the machine

Uninstall DE software 7.2.9.14

Transfer system to new server

Re-install DE software in FIPS mode

Previously we were getting users assigned to machines via AD, and using AD password syncing/SSO. Now, however, we've discovered we need to turn both of those off in order for our newly implemented DUO MFA to work correctly (needs DE credential provider disabled.) 

Since we've been doing this migration, we've had the PBA bypassed on all machines since coronvavirus started, so we haven't had any users have to log in with their DE accounts into a machine in a long time, and I assumed that when they got transferred to the new server, since the new server has no token data, it would reset all the users so that when we re-activate PBA, it would just act like they're setting up the user for the first time and prompt for a password. We turned on PBA for one machine yesterday with SSO and password syncing disabled, and some basic UBP policy enforced, and this seems to not be happening. it still asked for a password but no passwords the user gave it work, returning a failed to authenticate error.

The only way to solve this was to do an encryption user recovery that resets the token. I tried to just reset the token in the EPO server but it wouldn't let me because "there is no token data for this user." If that's the case, shouldn't the client be asking for the user to set the password instead of trying to authenticate to.... a token that doesn't exist? 

I don't see anything in the MfeEpe.log that indicates any users tokens got reset after transferring to the new server. But I also can't force them to reset from the new server. So it seems like it is in some weird limbo state where it thinks there is token data on the machine and is trying to use that but it won't ever work.

Would really appreciate some guidance here, as it seems whenever we turn PBA back on for everyone we'll run into this.

0 Kudos
Reply
1 Reply
SB1
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2
‎07-31-2020 03:30 AM

Re: User tokens not reset after migration to new server

Hi markgarza,
From the information provided, I advise you to raise a Support ticket with us to investigate this issue further. 
Thank you.
Was my reply helpful?If you find this post useful, Please give it a Kudos!

Please don't forget to select "Accept as a solution" in my reply and together we can help other members?

Kind Regards,
Sheila Bloise
Technical Support Engineer
Customer Success Group
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC