We are investigating the possibilities of Single Sign-On with EEPC (with password synchronisation).
Currently, we have two environments:
- EEM Managed EEPC version 184.108.40.206 for Windows XP clients (operational) - ePO Managed EEPC version 6.0.1 for Windows 7 client (we already had ePO and are testing roll-out to Windows 7)
For both environments 'SSO' and 'require EEPC (re-)logon' are enabled.
We done some tests using SSO and found some differences between both environments:
On Windows XP, the following applies: 1. The users forgets his password and does an EEPC recovery in the PBA. He resets his password. The user is now automatically logged on to Windows (using SSO) with the password he doesn't know. Password synchronisation will occur after his Windows password is reset (i.e. using the helpdesk and he is asked to restart the computer). When the user logs on the next time, the cached Windows password doesn't work anymore, so he's prompted to enter his new password. From that moment on the password is synchronised back to EEPC and the passwords are identical again. 2. The user want to logon to Windows with a different user account, so he logs out, clicks 'Cancel' in the EEPC login screen, unchecks 'Single Sign-On', logs on the EEPC and then to Windows as a different user.
On Windows 7, the following applies: 1. The user forgets his password and does an EEPC recovery in the PBA. He resets his password. Automatic logon to Windows doesn't work anymore. So the user should either call the helpdesk to have his password reset. He logs in using the reset Windonws password and that password is synchronised to EEPC. 2. The user wants to logon to Windows with a different user account. That's not possible now.
The difference between 220.127.116.11 on Windows XP and 6.0.1 on Windows 7 are: 1. After a reset of the password in the EEPC PBA in Windows XP the user is automatically logged on using the Windows password he doesn't know anymore. In Windows 7, the logon prompt appears: the user doesn't remember his password, so he's locked out. 2. In Windows XP the user can uncheck 'Single Sign-On' and can logon to Windows as a different user name (with 'require EEPC (re-)logon' checked). In Windows 7 this isn't possible anymore.
Further: 1. We use Anixis software for password reset. A button is placed on the logon screen of Windows, which allows connection to the password reset page, before logging on to Windows. When enabling SSO, in Windows 7 that button is not shown, because the logonscreen has been replaced. In Windows XP the logon screen is replaced too, but you're still able to disable 'Single Sign-On' and have the default Windows logon prompt shown. Will this ever be made possible in Windows 7? Is there a workaround? 2. If a user changes his Windows password on a non-EEPC computer and then logs on to EEPC on his computer with EEPC, he has to logon to EEPC using his old password. a. When he's online (has a domain connection), the cached Windows password will not work and he's prompted to enter his new Windows password. That password is synchronised to EEPC and the passwords are in sync again. b. When he's offline however, he's logged on to Windows with his cached credentials. If the user then sets up a VPN connection and tries to connect to a domain resource, he's prompted to lock his computer and logon again, using his new password. This doesn't work, because the (re-)logon screen is replaced by the logon screen of EEPC and the user only has to authenticate to EEPC. This means the password synchronisation to EEPC will only occur when the user is connected to the domain at logon time (so situation A applies).
Can someone confirm these differences between Windows XP and Windows 7? And is this by design?
And a more generic question: who uses SSO and how is your experience with SSO? What's your workaround for these issues?
Message was edited by: mreco on 11/9/10 1:32:35 PM GMT+01:00