2 Replies Latest reply on Feb 17, 2009 2:07 AM by gjr11973

    SSO Question

      Hi,

      We are in the process of implementing SafeBoot 5 on our new laptop (XP SP3) estate. We would like to have all the Windows Logon options ticked in the Admin console for the machines to enable SSO to take control of Logon and Lock requests etc. All was going OK until we came across the following scenario, which has got us scratching our heads. I wondered if anyone has come across this before.

      Here is the scenario:

      The user's AD password has changed since they last used the laptop, i.e. on a desktop in the office. They take their laptop home and boot the machine standalone (i.e. not networked). SafeBoot performs single sign-on and logs on to Windows with the locally cached (old) Windows password OK. The user then establishes a VPN connection to the office. If a network resource is connected (shared drive etc.), Windows will then prompt the user "Windows needs your current credentials", instructing them to lock and unlock the machine with the new Windows password to update the locally cached details. This is the problem. SafeBoot intercepts the unlock request and prompts for its password. You cannot enter the current Windows password to update the local cache.

      We could turn off the "Require Safeboot logon" option, which hands back control of the unlock screen to Windows, but our Security team are keen to keep this in place to stop brute-force-type attacks if the laptop were lost while in Standby.

      Are we missing something obvious?

      Any help would be appreciated.
      Thanks
        • 1. RE: SSO Question
          Log out; when you log back in there's a tick box for automatic Windows Login. Clear it and you'll see the normal Windows Login box you're looking for (after logging in to SafeBoot).
          • 2. RE: SSO Question
            Thanks for the reply. Yes, logging out would be OK if you were logging back on to the network. However, in the scenario we're looking at, the user is remote, meaning that only the old Windows password would be accepted at that point, unless they then did a change password at logon. I guess if this is the way it works, that's fine. I just wanted to check there was no way of updating the Windows password while logged on, as this would have been more seamless to the users.