3 Replies Latest reply on Jun 2, 2009 12:35 PM by petr.bohac

    Weird behavior of SSO

      Today I encountered a very strange issue with EEPC (5.1.8, XP SP3) and would like to know what you think the problem might be.

      1) User forgot his password and locked it out while he was working in Windows
      2) I've created a new token for him (from within management tool) using default EE password and forced sync with his laptop
      3) rebooted his machine and logged in pre-boot with default 12345

      After that the passwords should not match and SSO shouldn't work but he was successfully logged into Windows and was able to browse network, use Outlook etc.

      So my question is: how is it possible that he was able to log on to Windows with the 12345 password? Even after another reboot it worked that way ... until I checked "User must change password at next logon" in AD MMC snap-in.

      All the SSO options are enabled.
        • 1. RE: Weird behavior of SSO
          Why would SSO not work? EEPC knows what the user's Windows password is (it's a separate credential)?

          If the user forgets their EEPC password, that does not change the stored SSO information - you can clear that with the user right-click menu if you like though.
          • 2. RE: Weird behavior of SSO

            This has been talked about in a few different threads with many points of view - but the end result is that EEPC does not "forget" your SSO details just because you reset the EEPC password. The user will now know their new EEPC password, and EEPC will know their Windows password.

            This makes it a huge pain for non-IT users who don't realize that their "login password" isn't their "AD/Netware/whatever" password and they try and use it to access network resources such as OWA, or things that rely on their AD password.

            • 3. RE: Weird behavior of SSO
              Okay, it makes sense ... however I agree with Chris that it might be confusing for non-IT users. To be honest, I even have trouble with IT guys as they don't bother to read any docs I made for them.

              Thanks both of you