7 Replies Latest reply on Aug 5, 2009 11:38 AM by SafeBoot

    AutoDomain and 2 factor authentication

    ArnsteinLangnes
      I have a customer using Aladdin eToken as 2 factor.
      Today running AD connector against AD groups to get users created in the EEPC database. Then assigning user groups to machine groups in the configuration.
      Meaning many users to all machines, causing long sync time and load on the server.
      Installation of the machines is fully automatic using Config Manager. User connects to the network on his first startup and uses his eToken to pass through Preboot (his user is synced out to the machine as part of the installation) and log in to the Domain to get his windows profile created.

      Can we use Autodomain here to add only the actual user?
      Does this permit multiple users on one machine?
      Can this remove "old users"?
      Can you control from which user group the Autodomain script can get the user to add to the local machine?
      Where can I download the Autodomain script and help info?

      Plan to upgrade to 5.1.8/5.1.9 (Which should be the same on EEPC??) Or if 5.2 appears in the very near future.
        • 1. RE: AutoDomain and 2 factor authentication
          Can we use Autodomain here to add only the actual user?

          >yes

          Does this permit multiple users on one machine?

          >yes

          Can this remove "old users"?

          >not at the moment, it only adds users.

          Can you control from which user group the Autodomain script can get the user to add to the local machine?

          >not really, it adds user accounts which match the current cached profiles, so if you are logged in as "foo" it will add the EEM user "foo".

          Where can I download the Autodomain script and help info?

          >You can get it from McAfee platinum support or your services guy
          • 2. RE: AutoDomain and 2 factor authentication
            ArnsteinLangnes
            Thanks for the Info.

            I have a few follow up questions. (I have not got hold of this yet)

            When the machine is installed, the EEPC is ready and machine is fully encrypted (I assume).
            Then the machine is sent to the user for the first logon.
            Does he need to run Recover with the help of the Helpdesk to be able to start up the machine, or can this be done in a way to avoid this?

            Will the cached user be added to the pc at the first logon, so that this is ready to use at next startup?

            Can you build in some checks to verify that the user is added to the PC? I guess this action will need communication to the Database, and if this is not replying timely I am worried about the stability of the solution.

            Does this work on Windows 7?
            • 3. RE: AutoDomain and 2 factor authentication
              AutoD will ask the user what their password is and set them up if you deploy in autoboot mode - most people are encrypting existing machines though, not fresh ones?

              yes

              yes

              yes
              • 4. RE: AutoDomain and 2 factor authentication
                ArnsteinLangnes
                OK.
                I am a bit unsure how this is working since the Password for a user is set on the eToken when this is generated (2 factor).
                So in most of the cases the user will get their new token and the newly installed PC shipped. Then he will start from here.
                Do you see any issues in such a scenario?
                Machines should be fully encrypted as part of the installation.
                • 5. RE: AutoDomain and 2 factor authentication
                  The user will already know the token pin, and the user will already exist (because you would have had to manually create them and create the token for them).

                  You need to make sure you don't confuse "user creation" and "user assignment" - the former is where you will set the pin for the user, the latter is something autodomain can do for you.

                  BUT

                  if you're already going through the effort of installing EEPC, creating tokens for the user etc, why would you need autodomain at all? Surely you know whose machine you are making, why not just do the user assignment then?

                  Are you using eTokens in PKI mode or stored value mode?

                  Your environment is more complex than most, you're probably best off paying for some professional services time than trying to work this out on your own.
                  • 6. RE: AutoDomain and 2 factor authentication
                    ArnsteinLangnes
                    We use eToken in Stored Value mode.
                    We use AD Connector to transfer users from dedicated AD groups. This is OK.
                    Then since the customer wants that all users should be able to log on to any machine, we have to add all user groups to the machine groups. This causes a lot of syncing when the number of users increases.

                    Then this customer does not like the manual work of assigning users to individual machines. So I hoped that Autodomain would help me in this process of automatically assigning them to the machine.

                    I do believe this should be solvable but needs to be tested of course.

                    Regarding tech experts on EEPC and scripting Autodomain, we have a lack of these here in Norway/Nordics... Any suggestions who could be assisting here? Also performance tuning assistance would be helpful.
                    • 7. RE: AutoDomain and 2 factor authentication
                      You can get the performance instructions from your McAfee people, though it is documented in the EEM Administrator guide.

                      Seeing as all your users will already be created in EEM, AutoD won't have to create anyone, so won't need to ask the user for their password.

                      So yes, it will do all the assignment work for you.