6 Replies Latest reply on Mar 7, 2011 4:54 AM by mirrorless

    Query about sync of pre-boot password when AD password is changed on non EEPC machine

      Hello

      (VERY noddy question).

      User Scenario

      Example Scenario:

      - User logs on to a desktop and also has a laptop with McAfee EE on it

      - User changes their Windows (AD) password on the desktop

      - User logs on with cached credentials to their laptop and uses it offline for a period of time

      - Then brings it back "online"

      - Pre-boot password is (obviously) "out of sync" with their Windows password, "breaking" SSO.

      So

      - They enter their (old) credentials on pre-boot, then the new password to log on to the domain

      Will their pre-boot credentials get "updated" to reflect their Windows logon credentials?

      If yes, when / how (e.g. is this expected to happen after an EE "synchronize" has occurred?)

      If no, what is the recommended "best practice" to get this back in sync (e.g. force a password reset on next boot?)

      Support Scenario

      Slightly different scenario but pretty much the same root cause.

      - Support people responsible for managing McAfee EE issues

      - Need credentials to log on to the back-end etc.

      - Only need to log on occasionally and are not using McAfee EE on their own machines

      - Their Windows (AD) password is changed on a regular basis

      - Need to log on to the back-end and find their credentials don't work (i.e. are "out of sync")

      Is there a way for them to change their AD password and for it to remain in sync for use with McAfee EE?

      Thanks

      -AL

        • 1. Query about sync of pre-boot password when AD password is changed on non EEPC machine
          rbdudani

          Will their pre-boot credentials get "updated" to reflect their Windows logon credentials?

          - Yes, you have to select Machines > Properties > General > Options > Set Endpoint Encryption Password to Windows Password

          Is there a way for them to change their AD password and for it to remain in sync for use with McAfee EE?

          No, in the said scenario, as they are not using EEPC on their machine. Normally People Add some Common Support User in machines for Support purpose and Frequently change from their EEPC Console.
          • 2. Re: Query about sync of pre-boot password when AD password is changed on non EEPC machine

            Hello

            This helps, but I'm really after a more precise / detailed response.

            i.e. we do have "Set Endpoint Encryption Password to Windows Password" selected.

            When / how does the pre-boot encryption password get set / "synced" with the Windows password?

            So as per the scenario I described:

            - User logs on to a desktop and also has a laptop with McAfee EE on it

            - User changes their Windows (AD) password on the desktop

            - User logs on with cached credentials to their laptop and uses it offline for a period of time

            - Then brings it back "online"

            - Pre-boot password is (obviously) "out of sync" with their Windows password, "breaking" SSO.

            So

            - They enter their (old) credentials on pre-boot, then the new password to log on to the domain

            What is responsible for getting their pre-boot password synced?

            e.g.

            - Is this done via the GINA / Credential Provider?

            - Is it done by the McAfee EE service?

            How does the pre-boot password get "Set .. to Windows Password"?

            e.g. Does the AD password somehow get captured, or is it a hash of this?

            When does it happen?

            On the other response about support access:

            you said "Normally People Add some Common Support User in machines for Support purpose and Frequently change from their EEPC Console"

            The English is poor, but I'm "assuming" you're suggesting use of a "generic account"?

            IMHO use of generic accounts is "bad practice" and something most security departments would "discourage" or prohibit.

            I'd be surprised if there wasn't a better way to do this.

            Best regards

            -AL

            on 03/03/11 16:44:16 CST
            • 3. Re: Query about sync of pre-boot password when AD password is changed on non EEPC machine
              rbdudani

              When / how does the pre-boot encryption password get set / "synced" with the Windows password?

              So as per the scenario I described:

              - User logs on to a desktop and also has a laptop with McAfee EE on it

              - User changes their Windows (AD) password on the desktop

              - User logs on with cached credentials to their laptop and uses it offline for a period of time

              - Then brings it back "online"

              - Pre-boot password is (obviously) "out of sync" with their Windows password, "breaking" SSO.

              So

              - They enter their (old) credentials on pre-boot, then the new password to log on to the domain

              - At this point, when the McAfee client synchronizes with the server (the client syncs once on first boot), the password gets changed.

              What is responsible for getting their pre-boot password synced?

              e.g.

              - Is this done via the GINA / Credential Provider?

              - Is it done by the McAfee EE service?

              - Not sure, but it's done by the McAfee EE Service with the help of the GINA/Credential Provider.

              How does the pre-boot password get "Set .. to Windows Password"?

              e.g. Does the AD password somehow get captured, or is it a hash of this?

              When does it happen?

              - When you log on to the domain with the new password, the McAfee Service senses the change of password and also updates the token on the server.

              On the other response about support access:

              you said "Normally People Add some Common Support User in machines for Support purpose and Frequently change from their EEPC Console"

              The English is poor, but I'm "assuming" you're suggesting use of a "generic account"?

              IMHO use of generic accounts is "bad practice" and something most security departments would "discourage" or prohibit.

              I'd be surprised if there wasn't a better way to do this.

              - It's up to the individual how one wants to manage it.

              • 4. Query about sync of pre-boot password when AD password is changed on non EEPC machine

                Hi Al,

                if you use:

                Set Endpoint Encryption Password to Windows Password

                you also need to use: Must match windows user name

                Explanation: If you don't use the must match option the following can happen:

                You log on with User A to PBA and User B to Windows. Now what seems to happen is that the Windows password of User B is written as PBA password to User A. This caused us a lot of trouble.

                My experience with the sync:

                If the PBA password differs from the password stored in the EEM database, after the next sync the password in the database is written to the PBA. Means you have to log on to Windows at least once and do a sync.

                If a user changes his Windows password on a machine with EEPC installed, the above setting detects the differing passwords and changes the PBA password automatically and writes it into the database.

                If a user changes his password on a machine without EEPC it seems that the differing passwords are not detected.

                But what I don't understand: If you do not use Must match... sometimes passwords are synchronized.

                I am totally confused.

                Olli

                • 5. Query about sync of pre-boot password when AD password is changed on non EEPC machine
                  rbdudani

                  Hi,

                  Yes, you should always use the Must match username option.. otherwise you will fall into the above said problem..

                  If a user changes his password on a machine without EEPC it seems that the differing passwords are not detected.

                  - Yes, if the user changes his password on a machine without EEPC, then you have to enter the last OLD password on the machine where EEPC is installed, as there is no network connectivity at the PBA screen. Once you have logged in and synchronized, your new password will be synced.

                  What's to be done if a user changes his/her Windows domain password?

                  Some scenarios for changing password

                  Scenario 1: You are changing the Windows domain password on the same machine where EEPC (DE) is installed.

                  The EEPC client will automatically synchronize & update the password entry. If you want to synchronize manually, then right-click on the SafeBoot icon in the system tray and click on the synchronise option as shown in the below screenshot.

                  Scenario 2: You have changed your Windows password from PASS1 to PASS2 on a different machine.

                  OR

                  Scenario 3: You are sharing your ID with some other user and that user has changed the password for your SAP ID.

                  Now you would try to log in with your new password (PASS2) in SafeBoot pre-boot authentication on your machine. But you will get the error "Authentication parameters incorrect"; please enter your old password (PASS1), because your machine does not have the latest password entry. So you must enter your last password only. Once Windows starts you will be prompted for Windows credentials (normal Windows authentication); enter your ID and new password. Once you log in with your new password on your machine, the SafeBoot client will synchronize your new password and replace the old one. From the next restart you can log in with your new password (PASS2).

                  • 6. Query about sync of pre-boot password when AD password is changed on non EEPC machine
                    mirrorless

                    From my understanding: the McAfee Endpoint Encryption password is updated by the McAfee Endpoint Encryption client.

                    The password is updated/captured by the MEE client, so basically when the AD password is changed on a laptop with McAfee Endpoint Encryption, the client will catch this password and then sync to the database and update the password to be the same as the AD password.

                    So if you uninstall/decrypt your laptop and are not using MEE anymore, your MEE password will remain the same as the last password you had. Changing to a new AD password on a system without the MEE client will not have an effect on the MEE password, meaning it will not be changed.