19 Replies. Latest reply on Jan 27, 2009 11:09 AM by SafeBoot

    SSO Not Updating but only on some machines

      This seems to be a common issue, but I can't reproduce it on my test boxes. Supposedly there is an article on the KB with various SSO fixes but I was unable to specifically find this problem...

      Basically in all my test XP machines, I have no problem getting safeboot credentials to sync with AD credentials. I've tested cross-domain so this is not inherently the issue, however the 3 PCs I'm having problems with are in another domain (but I tested those specific domains in my test and they work)... I am running version 5.1.6...

      I've tried resetting the token but to no avail. One thing I noticed is that in the client log, there are 2 update lines when these affected PCs try to update the credentials... but on the ones that work, there are two SETS of two (for a total of 4) update lines regarding database SSO changes. I'm guessing that's the issue but I have no idea how to fix it.

      I've checked the registry entry (because they have the tools installed) and it does point to the proper client directory C:\Program Files\SafeBoot.

      I have one other hunch... We use Windows Complexity rules for our AD passwords and I've also checked the Windows Complexity rules for SafeBoot in the password template section. These 3 particular machines/users have all manually set their password in AD (they are all admins) and I don't believe they meet the criteria (can't be 100% sure of this)... If SafeBoot is looking for a complex password, and AD tries to sync its non-complex password to the SafeBoot token - will it fail?

      thanks.
        • 1. RE: SSO Not Updating but only on some machines
          By way of update... I unchecked the Windows Password rules from safeboot users, and it still worked on my test machines - that is ruled out. Apparently I'm still missing something...

          The update lines I was talking about previously are as follows... On the machines that work:

           

          11/26/2008 12:03:15 PM Updating database token data with local changes for user (ID=0000004a)
          11/26/2008 12:03:15 PM Updating database token data with local changes for user (ID=0000004a)
          11/26/2008 12:03:15 PM Checking for SSO updates
          11/26/2008 12:03:15 PM Updating database SSO info with local changes for user (ID=0000004a)
          11/26/2008 12:03:15 PM Updating database SSO info with local changes for user (ID=0000004a)
          11/26/2008 12:03:15 PM Checking for hashes updates


          On the machine that doesn't:

           


          11/26/2008 11:16:05 AM Updating database token data with local changes for user (ID=00000034)
          11/26/2008 11:16:05 AM Updating database token data with local changes for user (ID=00000034)
          11/26/2008 11:16:05 AM Checking for SSO updates
          11/26/2008 11:16:05 AM Checking for hashes updates



          So it's just not updating the SSO in the database. I don't know where else to look for why this could be.
          • 2. RE: SSO Not Updating but only on some machines
            You've probably already done most/all of this but....
            1. Have you confirmed that the devices in question have exactly the same settings selected in the SB Admin console as your working test devices?
            2. Does the same issue exist if one of these users logs into one of your working test devices?
            3. Confirm the GINA chain is the same for the devices working and not working (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
            4. Do you use Novell or Windows login? If it's Novell, compare client versions. Different versions may require changes to the sbgina.ini.

            Hopefully something here helps.
            • 3. RE: SSO Not Updating but only on some machines


              1. This I have confirmed
              2. I have not tried this specifically. Unfortunately the users in question are not on site. I can try one of the users that I know works on their machine, I guess that's a good test as well. I will try this today if possible.
              3. I'm not sure I understand what you mean by GINA chain. I can confirm that they are both using sbgina.dll, but I'm not sure what else I'm looking at in the registry area. One thing I noticed is that the affected user has an entry for default user name as his UPN (which we use here) and nothing for default domain - while the entry for the user that does work has an entry for user name as the first part of the UPN (without the @domain) and the appropriate domain in the default domain key. I don't know if this is relevant or how to change it (or where it came from).
              4. It's Windows :)

              Thanks for the help...
              • 4. RE: SSO Not Updating but only on some machines
                Ok, I've figured out the problem... but I still don't have a solution.

                The problem is that at my company, we have different pre-2000 (short) names than UPN prefixes. So basically if the user's name is Test User, we would have test_user@domain.com for the UPN and domainchild\usert for the pre-2000 name...

                But when SafeBoot handles UPN (at least with my setup), it strips the UPN prefix off of the UPN and tries to log into Windows with the prefix as the username, the password, and the domain from the drop-down box (not after the @)... This doesn't work for all of our real users, only for the test user I created (because I mistakenly didn't mirror our environment with regards to our conventions)...

                Is there a way to fix this by specifying HOW safeboot picks apart the UPN? Is this a bug? Or is it just the way it's going to be? Because this is a huge problem for us :(

                Thanks
                • 5. RE: SSO Not Updating but only on some machines
                  You may just be in luck. Pasting info from Device Encryption v5 Release Notes.pdf from SafeBoot Build 5400. This is referenced under Technical Information from Previous Releases, Reference: 5300.17. May want to just scroll to the Examples section at the end. If this is what's missing you'll just need to update sbgina.ini within the Client Files group in SB Admin and wait for devices to sync.

                  Let us know how it goes.

                  ------------------------------------------------
                  Added Support for User Principal Names (UPN) in combination with our
                  Single-Sign-On

                  We have added a new option to our SBGina.ini logon file to allow the
                  UPN names to be handled with our Single-Sign-On module.
                  New section in SBGina.ini:

                  [Global]
                  Option.Username.DetectUPN=Yes
                  Option.Username.IncludeDomain=Yes
                  ;
                  ; These options control how the user names are treated when they
                  ; are compared.
                  ; The UPN (User Principal Name) format is of the form user@domain.com. To
                  ; successfully compare the user names, the format needs to be the same for
                  ; both the Windows and SafeBoot names.
                  ;
                  ; Note that Windows will always supply the user name to the SafeBoot Gina
                  ; module in its split form (i.e. not in the full UPN format).
                  ;
                  ; If the DetectUPN option is set to "Yes", then SafeBoot will attempt to detect if the
                  ; user names are in UPN format by looking for an "@" character. If this is
                  ; set to any other value, SafeBoot will not manipulate the user names in any
                  ; way.
                  ;
                  ; If UPN detection is enabled, then the IncludeDomain option determines how
                  ; SafeBoot compares the names. If the option is set to "Yes", then the full
                  ; UPN names are compared. If it is set to any other value, then only the user
                  ; name portion is compared.
                  ;
                  ; Examples:-
                  ;
                  ; With DetectUPN=Yes and IncludeDomain=No
                  ;
                  ; SB user name = "user@domain.com"
                  ; Windows user name = "user"
                  ; Windows domain = "domain.com"
                  ;
                  ; Comparison will be between SB="user" and Win="user".
                  ;
                  ; SB user name = "user"
                  ; Windows user name = "user"
                  ; Windows domain = "domain.com"
                  ;
                  ; Comparison will be between SB="user" and Win="user".
                  • 6. RE: SSO Not Updating but only on some machines


                    Absolutely - if the Windows password does not meet the SafeBoot criteria, it will be rejected. You need to make the criteria the same in both cases, OR make the SafeBoot ones more lenient than the Windows ones (after all, the user will most often be setting their password in Windows).

                    The test I suppose is to ask them to manually change their SafeBoot password to match their Windows password (in the pre-boot screen), and see if it throws them a complexity error.

                    S.
                    • 7. RE: SSO Not Updating but only on some machines


                      Hmm... ok, this seems like it might apply. I had to add the line about IncludeDomain and went to test it, but it seems I'm running into another problem. Right now it is not updating the SSO credentials at all. It seems I run into this problem a lot. Things work for a bit... while I'm testing... then in the middle of one of my tests it becomes impossible for me to get the SSO details to be saved to SafeBoot. I guess I'll do what I always do and create another test scenario and see if it works from scratch. Why is it that SafeBoot seems like such a puzzle to me? I understand how it is supposed to work and all my settings are the way they should be, but every time I go through this some other piece of information is "revealed" that may affect this product working. It kind of wears on you after a while...

                      Thanks for the info though, I will let you know how it goes...
                      • 8. RE: SSO Not Updating but only on some machines
                        Ok, here is the latest... changing those options did not seem to have any effect. Even if I change the short name back to be identical, it suddenly seemed as though it wouldn't write SSO credentials. The only way I can get the test box to work now is to uncheck "Must match Windows user name".

                        What concerns me, is that I read somewhere in safeboot documentation that windows always feeds the user name (without @domain) to the safeboot gina regardless of the method used. I think this is my problem...consider this scenario:

                        1. AD UPN name is user@domain.com
                        2. AD Short name is user_1 (I did this because it mirrors our environment in that they differ)
                        3. *KEY POINT - All of my safeboot user names are the actual upn (we use the connector and pull userPrincipalName)
                        4. If the user portion of the UPN differs from the short name, safeboot sso will never work correctly with "Must match Windows user name" because windows is always passing the _1 name i created and that is not a user in safeboot.
                        5. If they are the same it will work...

                        The only way I can see this being solved (if Windows XP truly will always pass the short name), is to have the AD connector bring the short name over and use it as the safeboot login. This appears to be a deal-breaker because we instruct our users to log in with UPN. If the safeboot user name was changed they would have to log into safeboot with the shortname, period. Now this will differ from how they log in everywhere else.

                        Am I right in my logic or have I missed something? Is it true that there is no way to have Windows pass the full UPN to safeboot? If that is true, then you can't use Safeboot, SSO, and UPN together under ALL conditions. Only for those instances where UPN "user" matches shortname user.

                        I'm going to open a ticket about this today...but I feel that it will be a while until I get to someone who can follow that convoluted scenario....
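The comparison rules pasted from the release notes in reply 5, and the dead end the poster reasons through in reply 8, as an added example that is not part of the thread and not SafeBoot's or McAfee's code: a small Python model of what `Option.Username.DetectUPN` and `Option.Username.IncludeDomain` do to the two names, given the one fact everything hinges on, that Windows hands the GINA the split (user, domain) form and never the full UPN. The account names (`test_user@domain.com` / `usert`) are the poster's constructed ones, and the exact domain string Windows passes for a child domain (NetBIOS `DOMAINCHILD` vs. DNS `domain.com`) is an assumption for illustration, not something the page states.

```python
"""Model of the SBGina.ini user-name comparison discussed in this thread.

Added example, not SafeBoot code. It encodes the semantics the release-note
text gives for Option.Username.DetectUPN and Option.Username.IncludeDomain,
plus the fact the thread hinges on: Windows supplies the GINA the *split*
name (user, domain), never the full UPN. The SafeBoot side holds whatever the
connector imported (here userPrincipalName). Sample names are constructed; the
domain string the GINA sees for a child domain (NetBIOS vs. DNS) is assumed.
"""


def split_upn(name):
    """Split 'user@domain.com' into ('user', 'domain.com'); domain is None
    when the name contains no '@' (i.e. it is not in UPN form)."""
    if "@" in name:
        prefix, _, domain = name.partition("@")
        return prefix, domain
    return name, None


def names_match(sb_name, win_user, win_domain, detect_upn=True, include_domain=False):
    """Return True if the SafeBoot user name is treated as the same account
    as the (user, domain) pair Windows supplies to the GINA.

    detect_upn=False: names are not manipulated; compared as-is.
    detect_upn=True, include_domain=False: only the user portions are compared.
    detect_upn=True, include_domain=True: full UPNs are compared; the Windows
        side is reassembled as user@domain from the split form it arrived in.
    Windows account names are case-insensitive, so the comparison is too.
    """
    if not detect_upn:
        return sb_name.lower() == win_user.lower()

    sb_user, sb_domain = split_upn(sb_name)
    if not include_domain:
        return sb_user.lower() == win_user.lower()

    sb_full = f"{sb_user}@{sb_domain}" if sb_domain else sb_user
    win_full = f"{win_user}@{win_domain}" if win_domain else win_user
    return sb_full.lower() == win_full.lower()


def run_scenarios():
    """Walk the cases from the thread; returns {label: matched?}."""
    return {
        # Release-note example: SB holds the UPN, Windows passes the split form.
        "notes: upn vs split, user-only": names_match("user@domain.com", "user", "domain.com"),
        # Release-note example: SB holds the short name; same outcome.
        "notes: short vs split, user-only": names_match("user", "user", "domain.com"),
        # Full-UPN comparison works when the domain Windows reports is the DNS name.
        "upn vs split, full, dns domain": names_match(
            "user@domain.com", "user", "domain.com", include_domain=True),
        # Assumption: if the GINA sees the NetBIOS domain instead, the rebuilt
        # UPN no longer matches even though the user portion does.
        "upn vs split, full, netbios domain": names_match(
            "user@domain.com", "user", "DOMAINCHILD", include_domain=True),
        # Replies 4/8: UPN prefix test_user differs from SAM name usert. Windows
        # only ever passes the SAM name, so no option setting can make it match.
        "poster: prefix != sam, user-only": names_match(
            "test_user@domain.com", "usert", "domainchild"),
        "poster: prefix != sam, full": names_match(
            "test_user@domain.com", "usert", "domainchild", include_domain=True),
        # DetectUPN=No: literal compare, so a UPN-form SB name never equals the
        # bare SAM name Windows supplies.
        "detect off: upn vs sam": names_match(
            "user@domain.com", "user", "domain.com", detect_upn=False),
    }


if __name__ == "__main__":
    for label, ok in run_scenarios().items():
        print(f"{'MATCH   ' if ok else 'NO MATCH'}  {label}")
```

Running it shows the two release-note examples matching and every variant of the poster's case failing: with "Must match Windows user name" enforced, the only inputs the GINA can compare are the SafeBoot name and the SAM account name Windows passes, so when the UPN prefix and the SAM name differ there is no setting of the two options that closes the gap; it also shows why `IncludeDomain=Yes` is fragile if the domain string Windows passes is not in the same form as the UPN suffix.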
                        • 9. RE: SSO Not Updating but only on some machines
                          Are you running Build 5400 (on server and the clients)? A few major UPN and SSO issues have been resolved in B5300 and B5400.