7 Replies Latest reply on Jan 6, 2010 9:24 AM by SCtbe

    Multi domain environment

    SCtbe

      Has anyone successfully tested using EEPC in more than one domain?

      Assume this scenario:

      We have two domains (the ePO server is in one of them). Users from both domains should be able to log on to the machine in PBA.

      Everything is set up according to the manual: both DCs are added as registered servers, tasks are created, users are assigned to the machine.

      The problem is that users from one domain can log on (the one with ePO), but users from the second cannot: "Unknown user" is displayed in PBA.

      I use the samaccount field for users from both domains.

      I don't know how to check on the workstation what names the users from the second domain have.


      Thanks for help.


      on 1/6/10 8:09:43 AM CST


      Message was edited by: SCtbe on 1/6/10 8:10:52 AM CST
        • 1. Re: Multi domain environment

          Can you explicitly add specific users from each domain using "Menu" -> "Data Protection" -> "Encryption Users"?

          Select the system, then add users by browsing through the "Select Users" window. Switch between domains using the "Look in:" dropdown list.

          • 2. Re: Multi domain environment
            SCtbe

            Yes, I can.

            I can choose and assign users from both domains.

            • 3. Re: Multi domain environment

              What did you configure in Server Task for "EE LDAP Server User/Group Synchronization" in "User Name" field?

              Did you also check Server Task Log for above Server Task?

              • 4. Re: Multi domain environment
                SCtbe

                I already wrote that I used "samaccountname" in the "User Name" field of the synchronization task for both servers.

                Both tasks complete successfully.

                • 5. Re: Multi domain environment

                  Assuming that you have refreshed the ePO policies on your client:

                  Enable EE plugin logging on your client PC and search for the assigned user names (the text preceding </name></users>).

                  That should give you some clues.


                  Logging is enabled in 32-bit Windows by this registry entry:

                  [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee EndPoint Encryption\MfeEpeHost\Configuration]
                  "LoggingLevel"=dword:00000004

                  Log file should be by default in:

                  C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log


                  on 1/6/10 10:07:22 AM EST
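                  As an added example (not from this thread or from McAfee), the steps in the reply above as a script: set the registry value the reply gives, then pull the assigned user names out of MfeEpe.log. Assumptions are labelled in the comments: the thread only says the names sit before `</name></users>`, so the `<name>...</name>` pattern is assumed, and the 32-bit registry path is the only one the reply covers.

```powershell
# Added example, not code from the thread or the vendor.
# Enables EE plugin logging via the registry entry quoted in the reply, then
# extracts the user names the client believes are assigned to it.
# Run in an elevated PowerShell session on the client.

# Paths exactly as given in the reply (32-bit Windows). On 64-bit Windows the
# key may live under Wow6432Node; the thread does not say, so that is an assumption.
$RegPath = 'HKLM:\SOFTWARE\McAfee EndPoint Encryption\MfeEpeHost\Configuration'
$LogPath = 'C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log'

function Enable-EeLogging {
    param([string]$Path = $RegPath, [int]$Level = 4)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # dword:00000004 is the value the reply gives for LoggingLevel
    Set-ItemProperty -Path $Path -Name 'LoggingLevel' -Value $Level -Type DWord
    Get-ItemProperty -Path $Path -Name 'LoggingLevel'
}

function Get-EeAssignedUsers {
    param([string]$Path = $LogPath)
    if (-not (Test-Path $Path)) {
        throw "Log not found: $Path (refresh the agent policy and wait for the log to be written)"
    }
    $text = Get-Content -Path $Path -Raw
    # Assumed layout: each assigned user appears as a <name>...</name> element,
    # the last of which is followed by </users>, as the reply describes.
    [regex]::Matches($text, '<name>(?<n>[^<]+)</name>') |
        ForEach-Object { $_.Groups['n'].Value } |
        Sort-Object -Unique
}

Enable-EeLogging
# Once the agent has written its log, list the names it received from ePO.
# Names from the second domain missing here, or present in a form that differs
# from what the user types in PBA, are the clue the reply is pointing at.
Get-EeAssignedUsers
```

Compare the list against the sAMAccountName values you expect for the second domain; lower the LoggingLevel again once you are done, since verbose agent logs on an encryption client are not something to leave on permanently.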
                  • 6. Re: Multi domain environment
                    Arjen

                    have you also created a user based policy for all users in the second domain?

                    If there is no policy assigned to them, EEPC does not know which token they are using to authenticate.

                    • 7. Re: Multi domain environment
                      SCtbe

                      Ok, it was my fault. Users from the second domain had not disabled the firewall, whereas EEPC by default requires port 8081 to be open on the client machine for incoming connections.


                      Apologies for the unnecessary confusion.


                      But one thing still puzzles me: how does EEPC in PBA distinguish (recognize) users, for example when we have the same user name (samaccountname field) in both domains assigned to one machine?


                      Message was edited by: SCtbe on 1/6/10 4:24:09 PM CET
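                      As an added example (not from this thread or from McAfee), a client-side check for the root cause found in reply 7: is inbound TCP 8081 allowed through Windows Firewall, and is anything listening on it? It also adds a scoped allow rule as the alternative to switching the firewall off. The port number comes from the thread; the rule name and the `NetSecurity` cmdlets (Windows 8 / Server 2012 or later) are assumptions.

```powershell
# Added example, not code from the thread or the vendor.
# Checks whether inbound TCP 8081 (the port reply 7 says EEPC needs for
# incoming connections) is permitted on this client, and optionally adds a
# narrowly scoped allow rule instead of disabling the firewall.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later); run elevated.

$Port = 8081   # from the thread

function Test-EeInboundPort {
    param([int]$LocalPort = $Port)
    # Enabled inbound allow rules whose port filter covers the port.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            ($filter.Protocol -eq 'TCP' -or $filter.Protocol -eq 'Any') -and
            ($filter.LocalPort -eq $LocalPort -or $filter.LocalPort -eq 'Any')
        }
    # A listener on the port, if the agent service is running.
    $listener = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port       = $LocalPort
        AllowRules = @($rules | Select-Object -ExpandProperty DisplayName)
        Listening  = [bool]$listener
        FirewallOn = @(Get-NetFirewallProfile | Where-Object Enabled -eq True |
                       Select-Object -ExpandProperty Name)
    }
}

function Add-EeInboundAllowRule {
    param(
        [int]$LocalPort = $Port,
        # Constructed placeholder name; pick your own naming convention.
        [string]$Name = 'EEPC inbound 8081 (example)',
        # Restrict the source to the ePO server address where you can; 'Any'
        # is the permissive default, not a recommendation.
        [string]$RemoteAddress = 'Any'
    )
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $LocalPort -RemoteAddress $RemoteAddress `
        -Profile Domain | Out-Null
}

# Usage: inspect first; an empty AllowRules list with FirewallOn populated
# reproduces the "Unknown user" situation from this thread.
Test-EeInboundPort
# Then, rather than disabling the firewall on the second domain's machines:
# Add-EeInboundAllowRule -RemoteAddress '<ePO server IP, placeholder>'
```

An allow rule limited to the Domain profile and to the ePO server address keeps the firewall doing its job on the client while still letting the agent receive the connections the poster found it needs.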