1 of 1 people found this helpful
1. Yes, most likely
2. No - this is the way most people wanted it to work - the thought is that most of the time the two passwords are the same, so if the user forgot one, we should make them change the 2nd as well. peter_eepc was a particularly vocal supporter of this change if I remember.
1. Good to hear that.
2. I agree with you that after a reset of the user password in the preboot authentication, the SSO details should be reset: the user has forgotten his password, so it would be weird if that user would be logged in in Windows with a password he doesn't know.
However, this comes in handy (hence my question) when the user is at home: he recovers his password in preboot authentication, is logged on to Windows with his cached credentials, has his Windows password reset by a servicedesk employee and sets up a VPN connection (with his new Windows password). He then changes his password in Windows (over VPN) and the passwords are in sync again.
The way it works now (in 6.0.2) is when a user does a recovery in preboot authentication, he's stuck at the Windows prompt. Any ideas on how to overcome that issue when the user is at home? Even if his Windows password is reset by a servicedesk employee, the computer will never be able to verify it, because there's no connection with a domain controller.
By the way, I also dropped this question with McAfee Support and they say both issues will be resolved in a new release: 'The questions you have mentioned below are currently not resolved in EEPC 6.0.2 release, but those will be resolved in feature release.'. Who should I believe?
One more question regarding this: in Windows XP, the default Windows XP logon screen is shown when SSO was reset after a recovery. In Windows 7 the default Windows 7 logon screen is replaced by another logon screen. We use an extra 'Password Reset' option, that is shown in the logon screen. In Windows XP, this button is still shown (because the same logon screen is shown). In Windows 7, that button isn't shown, because the logon screen has been replaced. Will the original Windows 7 logon screen be shown in future releases? Or is this by design and it is impossible to use the standard Windows 7 logon screen to capture the credentials for SSO in EEPC?
How would you resolve pasword reset for remote Windows VPN user if EEPC was not even installed?
We wouldn't have a solution for that. The user would be locked out.
That's why we liked the way it worked in Windows XP with EEPC 126.96.36.199: the user would be logged on with SSO.
That is clearly MS issue. You should look for more generic approach then just using EEPC as credential storage.
I know it's a MS issue, that's why I'm stuck here :-)
I'm never able to logon to my computer with my domain account if I don't have a domain controller connection (after the servicedesk reset my password on a domain controller).
In KB66700 (updated September 23, 2010) it says the following:Single Sign On (SSO) is a critical feature for my environment. Are there any changes to how this works in version 6.0?
No. SSO will work in the same manner in version 6.0 as it did in version 5.x. It will continue to work with other non-Windows GINAs in the same way as in version 5.x. There are no changes to the way it captures and synchronizes the Windows password.We've been testing on Windows 7 with EEPC 6.0.1 and found three differences in the way SSO works:1. A user is now unable to cancel Single Sign On;2. After a password reset, the Single Sign On details are cleared;3. We use Anixis Password Reset tooling, this places a button in the Windows logon screen, which allows you to go to a website to reset your Windows password. In Windows XP this did work, in Windows 7 not anymore.Point 1 has already been answered: it's likely to be fixed in version 6.0.3. (confirmed by McAfee Support)About point 2, forum says that's the way it's designed in version 6, McAfee Support says it will be fixed in a future release.Point 3 is something we found out later, how will this be handled in future releases? The KB article says it will work in version 6.0, although it doesn't.