8 Replies Latest reply on Nov 22, 2010 1:11 AM by mreco

    EEPC 6.0.2 Questions

    mreco

      I realize my last post was a bit too much information, so I've rephrased my questions about EEPC 6.0.2 in short:

       

      1. The user is not able to disable single sign-on. In the release notes it says the ePO console shows this option, but it is not implemented. Will this be implemented in future versions?
      2. After a password recovery and reset in preboot authentication, the user is not automatically logged on in Windows (with his cached credentials). Will this be changed in future versions? In version 5.1.8.0 this was the case: the user was logged on with his cached credentials in Windows. In 6.0.2 it seems the SSO details are reset after a recovery.

       

      Thanks.

        • 1. Re: EEPC 6.0.2 Questions

          1. Yes, most likely

           

          2. No - this is the way most people wanted it to work - the thought is that most of the time the two passwords are the same, so if the user forgot one, we should make them change the 2nd as well. peter_eepc was a particularly vocal supporter of this change if I remember.

          • 2. Re: EEPC 6.0.2 Questions
            mreco

            1. Good to hear that.

            2. I agree with you that after a reset of the user password in the preboot authentication, the SSO details should be reset: the user has forgotten his password, so it would be weird if that user would be logged in in Windows with a password he doesn't know.

             

            However, this comes in handy (hence my question) when the user is at home: he recovers his password in preboot authentication, is logged on to Windows with his cached credentials, has his Windows password reset by a servicedesk employee and sets up a VPN connection (with his new Windows password). He then changes his password in Windows (over VPN) and the passwords are in sync again.

             

            The way it works now (in 6.0.2) is when a user does a recovery in preboot authentication, he's stuck at the Windows prompt. Any ideas on how to overcome that issue when the user is at home? Even if his Windows password is reset by a servicedesk employee, the computer will never be able to verify it, because there's no connection with a domain controller.

             

            By the way, I also dropped this question with McAfee Support and they say both issues will be resolved in a new release: 'The questions you have mentioned below are currently not resolved in EEPC 6.0.2 release, but those will be resolved in feature release.'. Who should I believe?

            • 3. Re: EEPC 6.0.2 Questions
              mreco

              One more question regarding this: in Windows XP, the default Windows XP logon screen is shown when SSO was reset after a recovery. In Windows 7 the default Windows 7 logon screen is replaced by another logon screen. We use an extra 'Password Reset' option, that is shown in the logon screen. In Windows XP, this button is still shown (because the same logon screen is shown). In Windows 7, that button isn't shown, because the logon screen has been replaced. Will the original Windows 7 logon screen be shown in future releases? Or is this by design and it is impossible to use the standard Windows 7 logon screen to capture the credentials for SSO in EEPC?

              • 4. Re: EEPC 6.0.2 Questions

                How would you resolve a password reset for a remote Windows VPN user if EEPC was not even installed?

                • 5. Re: EEPC 6.0.2 Questions
                  mreco

                  We wouldn't have a solution for that. The user would be locked out.

                   

                  That's why we liked the way it worked in Windows XP with EEPC 5.1.8.0: the user would be logged on with SSO.

                  • 6. Re: EEPC 6.0.2 Questions

                    That is clearly an MS issue. You should look for a more generic approach than just using EEPC as credential storage.

                    • 7. Re: EEPC 6.0.2 Questions
                      mreco

                      I know it's a MS issue, that's why I'm stuck here :-)

                       

                      I'm never able to log on to my computer with my domain account if I don't have a domain controller connection (after the servicedesk reset my password on a domain controller).

                      • 8. Re: EEPC 6.0.2 Questions
                        mreco
                        In KB66700 (updated September 23, 2010) it says the following:
                        Single Sign On (SSO) is a critical feature for my environment. Are there any changes to how this works in version 6.0?
                        No. SSO will work in the same manner in version 6.0 as it did in version 5.x.  It will continue to work with other non-Windows GINAs in the same way as in version 5.x. There are no changes to the way it captures and synchronizes the Windows password.
                        We've been testing on Windows 7 with EEPC 6.0.1 and found three differences in the way SSO works:
                        1. A user is now unable to cancel Single Sign On;
                        2. After a password reset, the Single Sign On details are cleared;
                        3. We use Anixis Password Reset tooling, this places a button in the Windows logon screen, which allows you to go to a website to reset your Windows password. In Windows XP this did work, in Windows 7 not anymore.
                        Point 1 has already been answered: it's likely to be fixed in version 6.0.3. (confirmed by McAfee Support)
                        About point 2, forum says that's the way it's designed in version 6, McAfee Support says it will be fixed in a future release.
                        Point 3 is something we found out later, how will this be handled in future releases? The KB article says it will work in version 6.0, although it doesn't.