I have a question on how to determine which kind of information is transferred in the "LDAP" query stage.
Due to the password policy within our Active Directory, users have to change their password regularly and often cannot authenticate against EEPC on the following days, nor does the old password do the trick (if the password wasn't changed on their notebook). So I would like to know how to check, or where to look at, what kind of information is transferred to EEPC and whether there is a possible solution to allow users to authenticate at EEPC whether or not their password is out of date. At least they should be able to authenticate once after the password change has taken place, so that EEPC can synchronize the new password during the authentication against the Active Directory via the changed Gina.dll.
I do apologize for my English, so please feel free to ask for further information if anything is missing or misleading.
The password is not transferred from AD to EEPC - it gets changed on the EEPC endpoint when the user sets their new AD password. It then gets sent to EPO, and propagated out to other machines that user is assigned to.
So, either the old password will work pre-boot, or the new one if that machine has received the update from EPO (and their password was changed on another node).
If they change their AD password on an EEPC machine, it will be reflected into the pre-boot then and there.
If this was EEPC5, I'd suggest you check your password content rules are appropriate (more lenient than AD), but in EEPC6 this should not matter - what version are you using?
At the moment we are in the process of updating from EEPC 126.96.36.199/ 188.8.131.52 to 6.1.1. Nevertheless, my question was pointing at the expiry date of passwords and whether or not this information is transferred to the EEPC mechanism. It seems to me EEPC does actually know when the password is expired and therefore won't allow any further authentication ("the old password don't do the trick") when the notebook wasn't able to synchronize this information between the time the password change took place and an actual authentication attempt.
I too have noticed that using SSO, if the user's password has expired, it won't allow logon. It comes up with the usual 'token auth params are incorrect'.
I noticed that Windows can still log you on with cached credentials if expired, so that's probably why it doesn't let you log on at pre-boot.
Thing is, I cannot find any information on this, so would like to know if this is definitely meant to be part of the design so I can inform my users.
And the main question is: how does it know that the account password has expired?
how does it know that the account password has expired?
That's a function of Windows - I believe it's a result of a response to a login attempt by the domain controller.
To log in in this case, just cancel the SSO (or pick the Windows credential provider tile), and log in using the Windows system using the new password, or by changing the password.
Thanks, but I don't understand: how does the PBA know that the password has expired?
We don't have 'allow cancel SSO', but when I enable it in my policy, the box appears in the box at PBA, but when I uncheck it, it does nothing. Maybe I have conflicting options enabled in my policy?
I've also noticed that the change password option doesn't appear for a user that has an expired password.
Are you saying the windows password has expired, or the EEPC password (they are different things) - they will expire at the same time though, that's what the sync with your AD is achieving.
Sorry, yes, domain password.
Right, so you are saying that when the sync occurs with AD, EEPC reads the password expiry info and will therefore expire at the same time if using SSO, and will therefore not allow you to log on at PBA.
OK, that now makes sense.
Is there any workaround with which the user is able to perform the SSO, regardless of whether or not the password is expired? I do understand this is not within the architecture of EEPC due to the intended purpose of EEPC, but are there ways to block the expiry information between AD and the EEPC sync? We do not intend to allow bypassing SSO.
Is there a detailed technote on what exactly is happening between AD and the EEPC sync? Just curious.
Message edited by Don_Martin on 21.11.11 06:46:01 CST
Message edited by Don_Martin on 21.11.11 06:48:06 CST