5 Replies Latest reply on Nov 7, 2008 10:25 AM by SafeBoot

    User Password Expiration Breaks SSO

      We use SafeBoot v5.1.6 with SSO (Novell Gina).

      If the user's password expires, they will be forced by Novell to change their password immediately after a successful Novell login.

      The SafeBoot client does not register the password change, even after a forced synchronization. The next time the user reboots, they will be forced to authenticate using their EXPIRED password at the SafeBoot screen, then they will be dumped at a password failure Novell screen to manually enter their NEW password.

      SafeBoot will then pick up on the password change.


      Can anybody else replicate this issue using the Novell, Windows or SafeBoot Gina?
        • 1. RE: User Password Expiration Breaks SSO
          That's expected behavior as far as I've seen. SafeBoot SSO credentials are not tied directly to the password token; they're just additional information stored attached to the user's SB account. Even if you can fix your configuration so it updates the SB password on a Novell password change, the SSO details will be incorrect at your next Novell login.
          • 2. RE: User Password Expiration Breaks SSO
            Does anyone have any ideas for a workaround? I would like to keep the login process as transparent as possible for 5000 end users!

            Current Problem:
            User Password expires & is changed
            SafeBoot does not recognize the changes
            User reboots
            User enters old password at SafeBoot Screen
            User enters new password at Novell Screen
            SafeBoot replicates password change
            • 3. Windows SSO options..
              What Windows Login options do you have ticked for your machines?
              • 4. RE: Windows SSO options..
                PROBLEM SOLVED!!

                A genius coworker located the problem yesterday. Installation of the SafeBoot Admin Console on an encrypted machine breaks the SafeBoot Windows client's ability to detect password changes. Admin Console installation changes the default SafeBoot path from "c:\program files\safeboot" to "c:\program files\safeboot remote console" in registry location:

                HKLM\Software\SafeBoot International\SafeBoot Device Encrpytion\ClientDir


                After Admin Console installation, all password change updates are broken because the system is looking for the SbClientHelper.exe file in the wrong location.
                • 5. MiniAdmin
                  Ah! - It's not so much installing the admin console, it's because you're using the unsupported MiniAdmin script in silent install mode (using the client installer module). If you used it in non-silent mode it uses the admin system install module.

                  Really, the only officially supported way of installing the admin system is to actually INSTALL the product from the official distribution. MiniAdmin is a hack, and though useful, can cause this kind of malarkey.
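A check for the condition described in reply 4, as an added example that is not part of the original thread or any SafeBoot tooling: it reads the client path from the registry and reports whether SbClientHelper.exe is actually present there. It assumes ClientDir is a value under the key named in reply 4 (the key path is copied exactly as posted, so adjust it if your installation differs); the function name and status strings are hypothetical.

```powershell
param(
    # Key path copied as written in reply 4, spelling included; override if yours differs.
    [string]$KeyPath   = 'HKLM:\Software\SafeBoot International\SafeBoot Device Encrpytion',
    # Assumption: ClientDir is a value name under that key.
    [string]$ValueName = 'ClientDir',
    [string]$Helper    = 'SbClientHelper.exe'
)

# Hypothetical helper: returns one object per machine so results can be
# collected (e.g. exported to CSV) when the script is run across many clients.
function Test-SafeBootClientDir {
    param([string]$KeyPath, [string]$ValueName, [string]$Helper)

    $result = [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        ClientDir   = $null
        HelperFound = $false
        Status      = 'KeyOrValueMissing'
    }

    # Missing key or value: the client is not installed or the path above is wrong.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $result }

    # Normalise the stored path (strip quotes and a trailing backslash).
    $dir = ([string]$item.$ValueName).Trim('"').TrimEnd('\')
    $result.ClientDir = $dir
    if ([string]::IsNullOrEmpty($dir)) {
        $result.Status = 'EmptyValue'
        return $result
    }

    # The failure in the thread: the path is set, but the helper is not in it.
    $helperPath = [System.IO.Path]::Combine($dir, $Helper)
    $result.HelperFound = Test-Path -LiteralPath $helperPath -PathType Leaf

    if ($result.HelperFound) {
        $result.Status = 'OK'
    } elseif ($dir -like '*remote console*') {
        # Matches the admin console folder name quoted in reply 4.
        $result.Status = 'PointsAtAdminConsole'
    } else {
        $result.Status = 'HelperMissing'
    }
    return $result
}

Test-SafeBootClientDir -KeyPath $KeyPath -ValueName $ValueName -Helper $Helper
```

The script only reads the registry and the file system; machines reporting `PointsAtAdminConsole` are the ones where password changes will not be picked up, as described in the thread.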