2 Replies Latest reply on Mar 9, 2009 4:54 PM by supersta

    Single Sign-On - Windows Vista question

      We are testing EndPoint on Windows Vista and intend to use the Single Sign-On functionality. I have noticed that we need to have all the "Windows Logon" settings enabled. Can McAfee confirm if this is correct and if there are any limitations of SSO under Vista?

      One scenario we are struggling with in our test environment is when a user has forgotten their EndPoint PBA password and therefore their domain password too.

      Scenario: User has only one primary machine with EndPoint installed and SSO configured (all 7 "Windows Logon" options are ticked in MEE Manager). The user's PBA and domain passwords are in sync, and the user is able to log in at PBA with a password while MEE manages the single sign-on.

      This is the sequence of events we would expect to see:

      1) User cannot log on to the PC at PBA as the user has forgotten the password. (User is connected to the network.)

      2) User calls HelpDesk. HelpDesk locates the user account in Active Directory and ticks "User must change password at next logon".

      3) User cancels the logon box, selects recovery and then user recovery. Enters username and generates a challenge code.

      4) HelpDesk provides the response and the user is prompted to change password at PBA. User sets a new password and then logs on with the new password.

      5) Windows loads and the user receives a message to change password.

      6) User sets a new password and the Windows profile loads. User has successfully reset their password and both the domain and MEE PBA passwords are now in sync.

      The problem we have seen with this process is that step 5 doesn't occur. Instead the Windows profile loads up, even though the PBA password is different from the domain password and the domain account has the "User must change password at next logon" option ticked. If we reboot again we are then prompted to change the password as we would expect. So to summarise, the process goes to plan except we have to get the user to reboot one more time between steps 4 and 5.

      Can anyone explain to me why this is happening? My guess is that SSO is performing a cached logon without waiting for Windows to get a network connection and contact the domain controller.

      This problem occurs consistently. Is there a problem with my configuration or is there a better process to manage forgotten passwords in a SSO environment?

      Hope that all makes sense.
        • 1. RE: Single Sign-On - Windows Vista question
          When EEPC logs on in Windows, it just fills in the boxes for the user and presses the OK button. It's up to Windows to decide whether to log on using the cached credentials, or to send it up to the domain server for validation.

          So, what you are saying is true, but the behaviour is not up to EEPC; it's up to Windows.

          The best route would be to set the Windows password to something specific and tell the user what it is, then, when Windows eventually realizes that the password needs changing, the user will be able to do it. Should be on the logon after the machine has connected to the network.
          • 2. RE: Single Sign-On - Windows Vista question
            Thanks for the information, although that Windows behaviour really is annoying.

            I'm not sure what the benefit of setting a specific password is. If you force the password change at logon, the user does not need to know the current password as MEE supplies the cached credentials. Or am I missing something?