The only link between the AD connector and SSO is if you're not using the same user name between EEPC/Windows and you have "must match user name" ticked.
If you're saying that EEPC is not storing SSO details for your users, the most likely thing is that you DO have this option ticked (in Windows options) and that the user name pre-boot and in Windows is not the same.
If they are (or the option is not ticked) then the other common cause is you've ticked the Windows login options at the group level, but the machine in the group does not have them ticked, so check that you indeed have set that policy for the machine itself.
It's quite common for people to get their group config right, but forget this doesn't apply to all the machines already in the group unless it's a controlled group.
I should add that depending on how you logged the tickets you may have a long response - tickets logged via the portal have a 24-hour response. Tickets logged via phone have a much shorter SLA.
So, you may want to call in and discuss, but they will ask you to check your policy first as of course, SSO works for everyone else ;-)
Did you check which GINA you're using? It should be sbgina.dll?
Thanks for the reply.
We do use that option and we also use UPN for login. I know this caused issues in the past, but it was supposedly fixed in one of the recent releases. I did double check the individual machine config and all options are checked under Windows Logon.
Ah. That may be the issue - I seem to remember that Windows strips off the domain before passing it to GINA providers, so even though you entered email@example.com as the user name, EEPC will get "me" as a user name, and "somewhere.com" as a domain. Obviously the user name "me" and the pre-boot name "firstname.lastname@example.org" don't match so it won't store the SSO Creds.
I seem to remember a patch being issued for this in B5400 - sorry, I don't have the release notes here but you can of course get them from your EEPC implementation people (or support). Certainly it's not going to work in B5300 unless you turn off the "must match user name" option.
Then of course you have the potential problem with mis-matched SSO details being stored, but at least you'll be able to see SSO working on XP.
I think you said you were using B5300 in another post?
Yes we are using 5300 although I've already downloaded 5400 (which wasn't out when I submitted those tickets btw) and I don't see anything specifically about that but it's easy to lose things in release notes...
It may not even be documented (though that would surprise me). As I say, I've not read them recently either. It will be under UPN if anything in the device encryption release notes if anything I expect though.
Ok, I installed 5400 and it still didn't work. Just for kicks I checked the sbgina.ini file and saw that the detect UPN option was commented out. Now I know I've enabled that in past tests but I'm guessing it was still not working correctly in whatever version I was using in the past.
But I've now tested it on two VMs and it appears to be working. 5400 + uncommenting the detect UPN parameter in sbgina.ini...
I'm going to do some tests on laptops now and see if they work although I'm pretty confident they will now!
I'm fairly confident that it is working on XP now... I've tested on multiple systems and it has worked each time!
Thanks for the help...
Now if I could only get it to work on Vista :-)