mreco
Level 9
Message 1 of 3

SSO Experiences in Windows XP and Windows 7

We are investigating the possibilities of Single Sign-On with EEPC (with password synchronisation).

Currently, we have two environments:

- EEM Managed EEPC version 5.1.8.0 for Windows XP clients (operational)
- ePO Managed EEPC version 6.0.1 for Windows 7 client (we already had ePO and are testing roll-out to Windows 7)

For both environments 'SSO' and 'require EEPC (re-)logon' are enabled.

We did some tests using SSO and found some differences between both environments:

On Windows XP, the following applies:
1. The user forgets his password and does an EEPC recovery in the PBA. He resets his password. The user is now automatically logged on to Windows (using SSO) with the password he doesn't know. Password synchronisation will occur after his Windows password is reset (i.e. using the helpdesk and he is asked to restart the computer). When the user logs on the next time, the cached Windows password doesn't work anymore, so he's prompted to enter his new password. From that moment on the password is synchronised back to EEPC and the passwords are identical again.
2. The user wants to logon to Windows with a different user account, so he logs out, clicks 'Cancel' in the EEPC login screen, unchecks 'Single Sign-On', logs on to EEPC and then to Windows as a different user.

On Windows 7, the following applies:
1. The user forgets his password and does an EEPC recovery in the PBA. He resets his password. Automatic logon to Windows doesn't work anymore. So the user should either call the helpdesk to have his password reset. He logs in using the reset Windows password and that password is synchronised to EEPC.
2. The user wants to logon to Windows with a different user account. That's not possible now.

The differences between 5.1.8.0 on Windows XP and 6.0.1 on Windows 7 are:
1. After a reset of the password in the EEPC PBA in Windows XP the user is automatically logged on using the Windows password he doesn't know anymore. In Windows 7, the logon prompt appears: the user doesn't remember his password, so he's locked out.
2. In Windows XP the user can uncheck 'Single Sign-On' and can logon to Windows as a different user name (with 'require EEPC (re-)logon' checked). In Windows 7 this isn't possible anymore.


Further:
1. We use Anixis software for password reset. A button is placed on the logon screen of Windows, which allows connection to the password reset page, before logging on to Windows. When enabling SSO, in Windows 7 that button is not shown, because the logon screen has been replaced. In Windows XP the logon screen is replaced too, but you're still able to disable 'Single Sign-On' and have the default Windows logon prompt shown. Will this ever be made possible in Windows 7? Is there a workaround?
2. If a user changes his Windows password on a non-EEPC computer and then logs on to EEPC on his computer with EEPC, he has to logon to EEPC using his old password.
    a. When he's online (has a domain connection), the cached Windows password will not work and he's prompted to enter his new Windows password. That password is synchronised to EEPC and the passwords are in sync again.
    b. When he's offline however, he's logged on to Windows with his cached credentials. If the user then sets up a VPN connection and tries to connect to a domain resource, he's prompted to lock his computer and logon again, using his new password. This doesn't work, because the (re-)logon screen is replaced by the logon screen of EEPC and the user only has to authenticate to EEPC. This means the password synchronisation to EEPC will only occur when the user is connected to the domain at logon time (so situation A applies).

Can someone confirm these differences between Windows XP and Windows 7? And is this by design?

And a more generic question: who uses SSO and how is your experience with SSO? What's your workaround for these issues?

Thanks.

Message was edited by: mreco on 11/9/10 1:32:35 PM GMT+01:00
2 Replies
mreco
Level 9
Message 2 of 3

Re: SSO Experiences in Windows XP and Windows 7

Excuse me, something went wrong when posting, please ignore this post.

Message was edited by: mreco on 11/9/10 1:34:35 PM GMT+01:00
mreco
Level 9
Message 3 of 3

Re: SSO Experiences in Windows XP and Windows 7

Excuse me, something went wrong when posting, please ignore this post.

Message was edited by: mreco on 11/9/10 1:35:29 PM GMT+01:00