14 Replies Latest reply on Mar 7, 2011 4:48 AM by mirrorless

    Password sync issue

      Hi,

       

      We have the problem that users who change their passwords on PCs without EEPC are not synced when they log on to an EEPC afterward.

       

      We are using EEM and EEPC 528.

       

      I did the following test:

      Changed the password on a PC with EEPC. Password was synced successfully. The notification utility popped up.

       

      Then I changed the password on a domain controller.

      Did a sync on the laptop.

      Reboot.

      Used old password on the PBA.

      Windows logon with new password.

      No notification

      Manual sync.

      Reboot.

      Still old password in the PBA.

       

      Any ideas anyone?

       

      Oliver

        • 1. Password sync issue

          Hi,

           

          Is there maybe anyone who can confirm my problem, or anyone who is able to sync passwords in this way?

           

          Oliver

          • 2. Password sync issue

            Hi

             

            I haven't had much luck with passwords syncing either; when the AD password is changed it doesn't sync with EEPC immediately. [40-50 users]

             

            For some users it takes 15 mins and for others it can take hours, although all machines are encrypted with the same procedure and 80% of the machines have the same configuration as well.

            • 3. Password sync issue

              The interesting thing is, it will either happen RIGHT AWAY, or not at all - it can't happen "some time later". The network provider module responsible for picking up the change is hooked right in there, so if it's missing the password won't sync; if it's there, it will.

               

              15 microseconds later, or minutes or whatever is too late - the event has passed.

               

              So, check the network provider is hooked in in the registry - most problems around this topic are because policy, or software such as HIPS and firewalls, turned the NP off, or stopped it adding itself to the registry.
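
One way to run the registry check suggested in reply 3, as an added example that is not part of the original thread or the product's own tooling. It reads the standard Windows network provider locations; the provider's service name is not given in the thread, so `$ProviderName` is a placeholder to be replaced with the name seen on a known-good EEPC client.

```powershell
# Added example: verify that a network provider is registered and loadable.
# $ProviderName is a placeholder; the thread does not name the EEPC provider.
param(
    [string]$ProviderName = '<EEPC-provider-service-name>'
)

# Windows loads network providers from this comma-separated list.
$orderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order     = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
$providers = $order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Each listed provider needs a Services\<name>\NetworkProvider key whose
# ProviderPath points at a DLL that exists on disk.
$report = foreach ($p in $providers) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$p\NetworkProvider"
    $np    = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    $dll   = if ($np.ProviderPath) {
        [Environment]::ExpandEnvironmentVariables($np.ProviderPath)
    }
    [pscustomobject]@{
        Provider   = $p
        KeyPresent = [bool]$np
        DllPath    = $dll
        DllPresent = [bool]($dll -and (Test-Path -LiteralPath $dll))
    }
}
$report | Format-Table -AutoSize

# Verdict for the provider of interest.
$hit = $report | Where-Object { $_.Provider -eq $ProviderName }
if (-not $hit) {
    Write-Warning "$ProviderName is not in ProviderOrder; password changes will not be picked up."
} elseif (-not ($hit.KeyPresent -and $hit.DllPresent)) {
    Write-Warning "$ProviderName is listed, but its NetworkProvider key or DLL is missing."
} else {
    Write-Output "$ProviderName is registered and its DLL is present."
}
```

Comparing the table from an affected laptop with one from a client that syncs correctly shows whether policy or other software removed the entry.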

              • 4. Password sync issue

                And what about my problem?

                 

                Is it a general behaviour that passwords won't be synced when they are changed on a machine without EEPC?

                • 5. Password sync issue

                  In your situation changing the WINDOWS password outside the EEPC environment, the only time it's going to get synced back to the pre-boot is when the SSO creds fail, or a local change password event occurs.

                   

                  The problem you are experiencing is that Windows is quite happy to accept the old password and authenticate using cached credentials until such a time that the local Windows token from the domain controller gets updated - it only looks for an update occasionally, and when the user types something that locally seems incorrect.

                   

                  I think you can force domain side password authentication when connected to the network with a GPO setting if you want to tighten this up. Otherwise you have to wait for Windows to decide that the old password is now incorrect.

                  • 6. Password sync issue

                    I don't know if I understood you completely. I will have to think about this and come back after some tests next week.

                     

                    Thank you

                    Olli

                    • 7. Password sync issue

                      If I understood you right, it is not possible.

                       

                      When I change the GPO Interactive logon: Cached credentials, then users without a connection to a DC cannot log on to Windows.

                       

                      And on the other hand, when the user is connected to the network and a DC, the differing passwords are not recognized. That is what I tested.

                       

                       

                      I don't think that I really understood the following:

                      The problem you are experiencing is that Windows is quite happy to accept the old password and authenticate using cached credentials until such a time that the local Windows token from the domain controller gets updated - it only looks for an update occasionally, and when the user types something that locally seems incorrect.

                      Olli

                      • 8. Password sync issue

                        Hi Ollit

                         

                        Can I ask how you know (in original post) that you are logging into Windows with the new password?  Does the SSO fail and Windows then accepts the new password?  BTW what is the client OS?

                        • 9. Password sync issue

                          Hi Ged,

                           

                          We do not use SSO. I tried SSO with 5.2.6 but it was very astonishing. We have some users who have to authenticate with a smartcard in Windows and interestingly the SSO did not ask for a smartcard and the user was logged on without using his smartcard.

                           

                          At the moment the user has to authenticate twice, once at the PBA and then at Windows.

                           

                          Olli
