In my experience with SSO, which admittedly was a few versions ago, there was not an automatic synch on machine1. So what you would end up with is an updated EEPC password on machine1, which would synch to the database at the next synch interval. Assuming that machine2 is online, then the next time machine2 synchs it would pull down the updated password. If machine2 is off-line, the user would have to use the old password, to get logged in to the machine, which could then synch the password. Same with additional machines.
Don't quote me on this part, but I think you might want to check the "Do not lock workstation if no user is authenticated" option as well. If you don't, if the user is authenticated with the old password, and a new password is pulled down, I believe that the machine will lock, and the user will be forced to re-authenticate with the new password. Not a huge deal, but if your users are like my users, it's the end of the world.
Where it gets fun is when the user changes the password on machine1, but machine2 is offline. The next time they try to authenticate to machine2, they don't think to use the old password, so they call the helpdesk. The helpdesk, being ever so helpful, performs a user recovery and the user resets their password on machine2. Now the password on machine1 is wrong again. Wash, rinse, repeat...
Thanks for the post. This was my suspicion; I would like to get one of the mods to confirm this.
I guess to reduce impact this may be a reason to consider increasing sync intervals. SSO can be so good but boy it's tough to get your head round and then implement and maintain.
We found that SSO actually caused more confusion in our environment when we first looked at it back in version 5.1.1. Because we had so many users using multiple machines, it was just not manageable. We eventually started telling our users something like this, "Your SafeBoot password and Windows password don't know anything about one another. You can set your SafeBoot password to be the same thing as your Windows password if you like, but know that when you change your Windows password, your SafeBoot password will not change automatically." We also disabled the "password expires after XX days" option in SafeBoot/EEPC.
That puts the choice into the users' hands, which the users seem to like. Some choose a completely separate SafeBoot/EEPC password, some set it to match their Windows account.