8 Replies Latest reply on Oct 30, 2008 3:52 PM by bpierfy

    XP SSO Problem

      In addition to my Vista problem that I posted in another thread...

      We want to be able to use SSO to its fullest capacity. We want to use (and, for our tests, have used) all available SSO options in the configuration.

      On Vista machines, SSO works great (unless it's off network), but on XP the credentials are not being stored. If I put the credentials in manually via "Set SSO Details" in the administration tools, SSO will work as expected.

      I was told by McAfee that there may be something wrong with the AD Connector piece but like I said it works fine on Vista so that doesn't make sense. Either way, as with my Vista issue, McAfee has said that they are working on my tickets but I haven't heard from them despite 3 emails to the tech who worked on the issue. I even have my reseller trying to track down the status.

        • 1. SSO on XP.
          The only link between the AD connector and SSO is if you're not using the same user name between EEPC/Windows and you have "must match user name" ticked.

          If you're saying that EEPC is not storing SSO details for your users, the most likely thing is that you DO have this option ticked (in Windows options) and that the user name pre-boot and in Windows is not the same.

          If they are (or the option is not ticked) then the other common cause is you've ticked the Windows login options at the group level, but the machine in the group does not have them ticked, so check that you indeed have set that policy for the machine itself.

          It's quite common for people to get their group config right, but forget this doesn't apply to all the machines already in the group unless it's a controlled group.

          • 2. SSO on XP part 2.

            I should add that depending on how you logged the tickets you may have a long response - tickets logged via the portal have a 24-hour response. Tickets logged via phone have a much shorter SLA.

            So, you may want to call in and discuss, but they will ask you to check your policy first as of course, SSO works for everyone else ;-)

            Did you check which GINA you're using? It should be sbgina.dll?

            • 3. RE: SSO on XP.

              Thanks for the reply.

              We do use that option and we also use UPN for login. I know this caused issues in the past, but it was supposedly fixed in one of the recent releases. I did double check the individual machine config and all options are checked under Windows Logon.
              • 4. UPN and B5300
                Ah. That may be the issue - I seem to remember that Windows strips off the domain before passing it to GINA providers, so even though you entered me@somewhere.com as the user name, EEPC will get "me" as a user name, and "somewhere.com" as a domain. Obviously the user name "me" and the pre-boot name "me@somewhere.com" don't match so it won't store the SSO Creds.

                I seem to remember a patch being issued for this in B5400 - sorry, I don't have the release notes here but you can of course get them from your EEPC implementation people (or support). Certainly it's not going to work in B5300 unless you turn off the "must match user name" option.

                Then of course you have the potential problem with mismatched SSO details being stored, but at least you'll be able to see SSO working on XP.

                I think you said you were using B5300 in another post?

                • 5. RE: UPN and B5300

                  Yes we are using 5300 although I've already downloaded 5400 (which wasn't out when I submitted those tickets btw) and I don't see anything specifically about that but it's easy to lose things in release notes...
                  • 6. UPN
                    It may not even be documented (though that would surprise me). As I say, I've not read them recently either. It will be under UPN, if anything, in the device encryption release notes, I expect, though.

                    • 7. RE: UPN
                      Ok, I installed 5400 and it still didn't work. Just for kicks I checked the sbgina.ini file and saw that the detect UPN option was commented out. Now I know I've enabled that in past tests but I'm guessing it was still not working correctly in whatever version I was using in the past.

                      But I've now tested it on two VMs and it appears to be working. 5400 + uncommenting the detect UPN parameter in sbgina.ini...

                      I'm going to do some tests on laptops now and see if they work although I'm pretty confident they will now!
                      • 8. RE: UPN
                        I'm fairly confident that it is working on XP now... I've tested on multiple systems and it has worked each time!

                        Thanks for the help...

                        Now if I could only get it to work on Vista :)