I'm currently implementing the Endpoint Encryption solution (ver 6.1.2) on ePO 4.6.2.
I'm facing an issue in SSO... whenever I change the password in Windows & run Wake-up Agent and reboot the system... preboot authentication still accepts the old McAfee password and I have to enter the Windows password again.... I have set up the LDAP-EPO sync setting after every 1 Hr..
Even when checked after 1 hour, the issue still persists...
Secondly, for one of the usernames, while trying the Self-Recovery password option, I'm getting the following error: "Self-Recovery enrollment is required. Please logon and enroll."
I request, if I get help on this... thanks...
Some more info that might be helpful: How is the user changing the password? Are you using just AD passwords here, or are there tokens involved? Is this happening to all users on all machines?
From a policy standpoint, make sure the product policy applied to the encrypted systems has "
I'm not sure if this applies to V6, but in V5 if the password complexity rules were stronger for EEPC than they were for AD, EEPC would reject a password that wasn't strong enough, even if AD allowed it.
Thanks for the reply... well, to answer your query, I change the password in Windows (in Active Dir).. I am using just the AD password (no tokens involved)... I tried it on a couple of XP systems and a couple of Win 7 OS (including physical system and VM).... I'm facing the same issue...
From a policy standpoint, I do not see the option which you have mentioned in V6... as I have mentioned, I have configured sync after every 1 hr between AD and EEPC... but the actual change takes place after 3 hrs... meaning, 3 hrs after changing the password, if I reboot the system and try logging in with the new credentials, it works.. but as far as I understand, it should work after pushing policy updates or max after 1 hour.. right??
Secondly, can you please focus on the 'Self-Recovery Enrollment' issue that I am facing..
Check this thread to see if it helps with your self-recovery question:
Regarding the password sync, you don't need to check-in with ePO in order for the passwords to sync - I believe it should happen automatically on the current system. You only care about the agent-to-server communication when you are trying to get that same password to work on another computer (which will require that both systems sync with ePO).
Out of the box, EEPC does *not* sync passwords between AD & EEPC - you need to enable the setting. The policy can be found in the EE 1.1.2 Product Policy (see your policy catalog in ePO). I've pasted the checkbox that needs to be enabled below:
Once this is enabled, you'll need to sync your client (maybe reboot?) and then perform a password change.
EDIT: The picture won't paste in the thread for some reason, see the following:
Message was edited by: Christopher-Boston on 11/28/11 10:55:48 AM EST
I do agree with you... as you rightly said, pass sync should happen automatically on the current system. When I change the password for UserA in AD and click on the 'Collect and Send Props' option, I can see that the communication successfully happened between agent and server... The 'Sync EndPoint Encryption PW with Windows' option is Enabled...
When I reboot the system and try to log in with the new credentials in pre-boot authentication (EPE login screen), it does not accept the new password (Single Sign On checkbox is checked in this step).. it still accepts the old password and I have to enter the new password for Windows login, which nullifies the SSO requirement...
Hope I'm clear with the issue...
To answer your first query, yes, I'm using the exact username in both EEPC preboot and Win logon...
To answer your next query, I tried changing the p/w on the user's system (alt+ctrl+del and 'Change Password') and even on the actual AD server (selecting the user in AD, right click and in the 'Properties' section)....
Well, it usually works - so I guess there must be something unique about your environment? Custom credential providers maybe, locked down OS? Something like HIPS preventing installation of the DLLs perhaps?
As for changing the pwd in AD - that's not supported. AD won't send changes to other apps, you have to capture changes on the client itself through the ctrl-alt-del method.
I would bring it up with your McAfee Implementation team when you have them onsite again. They should be able to help you sort it out.
I would indeed be grateful to you in that case... because the local vendor from whom we have purchased the licenses is unable to resolve the query and has informed me that he is waiting for the reply from McAfee Assistance Center....
Just to give you some more background... I tried this on Windows XP and Windows 7, AD is Win 2003 Adv Server, Endpoint Encryption Agent for Windows ver 1.1.2, Endpoint Encryption for PC ver 6.1.2, ePO ver 4.6.
As I said above, I would highly appreciate it if you help me to troubleshoot this issue because the local vendor is not in a position to resolve this issue and hasn't turned up since I reported this issue...
Thanks.
Message was edited by: jprashant on 11/29/11 9:02:20 AM CST