9 Replies Latest reply on Mar 5, 2010 1:03 PM by satsmi

    User change AD password on a non encrypted machine

      I'm trying to troubleshoot a problem faced by one of our end users. Here is a brief scenario:

      1. Laptopx is encrypted (SSO enabled) with a machine policy and has the users JSmith and DBrown added to it.
      2. JSmith and DBrown can preboot with their respective AD user IDs and passwords.
      3. JSmith has a desktop (not encrypted) and he changed his Windows password there (using Ctrl+Alt+Del).
      4. JSmith tries to log in to Laptopx with the new password and (obviously) it fails, as the Encryption Manager is not aware of the new password.
      5. DBrown logs in at the preboot with his credentials, logs off and gives Laptopx to JSmith.
      6. JSmith is able to log in to Windows with the new Windows password.
      7. After logging in, JSmith initiates the encryption synchronization, thinking that this new Windows password will be updated locally and also pushed to the Object Directory.
      8. He reboots Laptopx and tries to log in with the new password. He gets an "Authentication incorrect" error. He tries to log in with the old password: able to log in, but stopped at the Windows interactive logon; keys in the new password and tries to sync again. Reboots again and tries again... SAME story...

      Could any of you help? How do I fix this?

      I'm attaching snapshots from the client log.

      From SBClientLog:

      3/3/2010 7:21:18 PM    Adding user (ID=00000d4f) JSmith [First sync, the new user gets added to the endpoint]

      ---------

      ---------

      3/4/2010 10:52:44 AM    Checking for token data updates
      3/4/2010 10:52:53 AM    Updating database token data with local changes for user (ID=00000d4f) [First time logs in with default password and then with windows password]
      3/4/2010 10:52:55 AM    Checking for SSO updates
      3/4/2010 10:52:59 AM    Updating database SSO info with local changes for user (ID=00000d4f)
      3/4/2010 10:53:00 AM    Checking for Local Recovery updates
      3/4/2010 10:53:05 AM    Checking for hashes updates
      3/4/2010 10:53:06 AM    Transferring local audit information to database
      3/4/2010 10:53:14 AM    Checking for file updates
      3/4/2010 10:53:19 AM    Applying configuration
      3/4/2010 10:53:19 AM    Synchronization complete


      Today's log:

      3/4/2010 1:40:37 PM    Updating database token data with local changes for user (ID=00000d4f) [Noticed after steps 6 and 7]
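When triaging a case like this, it helps to split the SBClientLog into synchronization sessions and see, per session, whether a token-data (pre-boot credential) change was pushed alongside an SSO update. The parser below is an added example, not part of the original post or of the McAfee product; the sample lines are constructed from the log format shown above (the user ID and timestamps are copied from the post, the trailing "Synchronization complete" for the afternoon session is assumed).

```python
import re
from datetime import datetime

# Constructed sample in the SBClientLog format quoted in the post.
# The 1:40:40 PM "Synchronization complete" line is assumed, not from the post.
SAMPLE_LOG = """\
3/3/2010 7:21:18 PM    Adding user (ID=00000d4f) JSmith
3/4/2010 10:52:44 AM    Checking for token data updates
3/4/2010 10:52:53 AM    Updating database token data with local changes for user (ID=00000d4f)
3/4/2010 10:52:55 AM    Checking for SSO updates
3/4/2010 10:52:59 AM    Updating database SSO info with local changes for user (ID=00000d4f)
3/4/2010 10:53:19 AM    Synchronization complete
3/4/2010 1:40:37 PM    Updating database token data with local changes for user (ID=00000d4f)
3/4/2010 1:40:40 PM    Synchronization complete
"""

# "M/D/YYYY h:mm:ss AM/PM" followed by whitespace and the message text.
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(.*)$")
USER_RE = re.compile(r"\(ID=([0-9a-fA-F]{8})\)")


def parse_log(text):
    """Yield (timestamp, message, user_id or None) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip separators and annotations that are not log lines
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(2)
        u = USER_RE.search(msg)
        yield ts, msg, (u.group(1).lower() if u else None)


def sync_summary(text):
    """Group lines into sync sessions (closed by 'Synchronization complete') and
    record which user IDs pushed token (pre-boot) and SSO changes in each."""
    sessions, cur = [], {"token": set(), "sso": set(), "end": None}
    for ts, msg, uid in parse_log(text):
        if msg.startswith("Updating database token data") and uid:
            cur["token"].add(uid)
        elif msg.startswith("Updating database SSO info") and uid:
            cur["sso"].add(uid)
        elif msg.startswith("Synchronization complete"):
            cur["end"] = ts
            sessions.append(cur)
            cur = {"token": set(), "sso": set(), "end": None}
    return sessions


def token_without_sso(text):
    """Sessions where token data changed but no SSO update followed, the pattern
    seen in 'Today's log' above; these are the sessions to examine first."""
    return [s for s in sync_summary(text) if s["token"] and not s["sso"]]
```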

        • 1. Re: User change AD password on a non encrypted machine

          Do not use SSO if multiple PCs are used by the same user?

          • 2. Re: User change AD password on a non encrypted machine

            peter_eepc, I do understand, but this is not the case with most of the users.

            I was not sure why preboot did not work, though I notice that the new password is getting updated as a change...

            Can anyone help...

            • 3. Re: User change AD password on a non encrypted machine

              The pre-boot password will get set to the user's Windows password during two events: a) a change-password event, b) a failed SSO event. If the user changes their password on a different machine, we won't capture it, and also if the SSO details are still valid (with cached credentials etc.), that won't cause a change either.

              • 4. Re: User change AD password on a non encrypted machine

                So is the fact that the user changed his AD password on a non-EEPC machine the cause of all this trouble?

                • 5. Re: User change AD password on a non encrypted machine

                  I guess so, changes on a non-EEPC machine won't be seen by the EEPC environment.

                  • 6. Re: User change AD password on a non encrypted machine

                    That is bad news then. Is there, in the SSO-related section of the EEPC documentation, a warning that this can happen?

                    Message was edited by: peter_eepc on 3/4/10 9:17:19 PM EST

                    • 7. Re: User change AD password on a non encrypted machine

                      There's a chapter in the EEPC guide on Windows logon, if I remember correctly, but I don't think we say anything about non-EEPC machines? It would be strange to do so?

                      I thought everyone would realize that things you do on machines which have no product on them would be invisible?

                      • 8. Re: User change AD password on a non encrypted machine

                        It would be "strange" indeed. McAfee is often silent when it comes to explaining situations which are detrimental to their product.

                        A very "natural" approach. But users not only suffer because of product deficiencies, they also suffer because of a lack of proper documentation to support the purchased product. At least a KB article should be raised for this.

                        • 9. Re: User change AD password on a non encrypted machine

                          I agree that users should not change their password on a non-EEPC machine. However, think of a large enterprise that has several thousand endpoints (including desktops and other tablets), where users may decide to change their regular WINDOWS PASSWORD on one of the (non-encrypted) machines that they work on, typically when they see the Windows notification that they are supposed to change the password now or within a few days. Then, when they sign in to a preboot (SSO) enabled endpoint, they know that their new Windows password won't be synched, and so they log in with their old preboot password. However, at the Windows logon level, when they are stopped, they will log in with their new Windows password, and if they sync now, EEPC is SUPPOSED to cache this new Windows password and communicate it to the object directory, and consecutive shutdowns should use this new Windows password. If this does not work, it messes with my understanding.

                          I really wish the McAfee documentation at least dedicated one page to the dos and don'ts of Windows password change, SSO, preboot password sync etc. Since you're in an 'influential' position, I feel you could really communicate this to the product manager. It would really help lots and lots of customers like me, who have an understanding of how things work in SSO (to some extent), but then some scenarios like this come and mess our understanding, and we don't know why things happen that way and find it difficult to troubleshoot. I have seen a best practices guide for EEPC; if even that guide had a page dedicated to best practices regarding password sync/resets, that would save a lot of McAfee support time. My 2 cents...

                          Message was edited by: satsmi on 3/5/10 1:03:48 PM CST