    SSO Inconsistent - EEPC 6.1

      Hi Everyone,


      I've begun a rollout of EEPC 6.1 and Single Sign-on is working maybe 3 out of 10 times.  The other 7 times it leaves me at a Windows 7 login screen (not the McAfee login screen).


      Here's the setup:


      • McAfee Agent
      • Endpoint Encryption Agent 1.1.0
      • Endpoint Encryption for PCs 6.1


      All of the clients are:


      • Windows 7 Service Pack 1
      • HP Hardware (8440p, 6930p, 6910p)
      • Not using Smart Cards - Password Only


      Our relevant settings are:



      • Do not display previous user name at log on (enabled)
      • Add local domain users (enabled)
      • Enable SSO (enabled)
      • Must Match User Name (enabled)
      • Require Endpoint Encryption logon (enabled)


      Based on some feedback from McAfee, I have already tried the following solutions:


      • Testing with new user accounts - same results on each one (about 6)
      • Testing on different machines - we have 8 for our pilot/POC - all doing the same thing
      • Reimaged a machine to a clean state and tried again - same issue
      • Removing the userCertificate field from the EE AD Sync Task
      • Disabled the SmartCard Service and tried again - same issue


      Appreciate any help or feedback that anyone else can come up with.




          Hi Chris,


          When SSO fails and you are left at the Windows 7 login screen:


          1)  do the Credential Tiles have the McAfee shield overlay on them?

          2)  do you have a Credential Tile for the last logged on user?

          3)  comparing the SSO that should happen at first logon (after a system boot) and subsequent logons / unlock - do they work / fail in the same ratio?

          4)  have you tried disconnecting the machine from the network to test if it is 'something' being synched to the machine that is affecting the SSO?



            Hi Ged,


            When I'm left at the Windows login screen, there are two icons (default Windows ones) -- one is "Other", and it is just an empty blue box, which I need to click on in order to enter a username/password into the text boxes, and the other is something like "Smart Card", which we don't use, and has the default Win 7 smart card logo.  There are no users with shields.  I'm not sure what you're asking in number 2, but if you're asking if the last login user is listed on that screen, no.


            My personal machine has always been in an undocked but on the network state.  Other test machines, that are failing in the same ratio, are both docked and undocked, but have always been on the network.


            I'm not sure what test scenario you're suggesting in #4 - should I sync, then disconnect from all networks and test SSO a few times?



              Hi Chris,


              Given the policy you have enabled (require EE logon and SSO), the combination of the absence of a Credential Tile labelled "Switch McAfee EE User" and absence of the McAfee shield overlay on the Credential Tiles you do see indicates that the EEPC Credential Provider isn't active at this logon.  In question 3 above, I was really asking 'does the SSO fail only at the first logon after turning the machine on, or can it also fail when you logoff / re-logon or lock / unlock Windows?'.


              Do you know if you have any other 3rd party Credential Providers installed?



                Thanks Ged, there are no 3rd party credential providers installed - the build is Vanilla Windows 7, with SP1 applied, and Office 2010 installed.  There are some other insignificant changes such as backgrounds, etc. that shouldn't make a difference.  SSO never works on the first login, but I'm told that's by design.  After that, there's no consistency in when it works or doesn't (any obvious one anyway), I reboot and it works, then I reboot again and it doesn't the next few times, and then I reboot and it works again.

                  With the policy you've got, once you have logged onto Windows (it doesn't matter if the SSO worked or you had to do this yourself), if you then logoff or lock Windows, you should get prompted to do an Endpoint Encryption logon.  With that complete, you should then be SSO'd into Windows.  Does this work for you or do you get intermittent success / failure with this 're-logon' SSO behaviour?



                    BTW are you using 32 or 64 bit Windows 7?

                      Some more info about my last post. Here are the credential providers installed.  Also on our image is PowerBroker from BeyondTrust, which isn't a credential provider, it's used to elevate application rights by policy.




                      Smartcard Credential Provider
                      Smartcard Pin Provider
                      WinBio Credential Provider

                        When I lock my machine, I get the McAfee lock screen and the "Unlock SSO" works 100% of the time.

                          We're 100% 32-bit.   
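
The thread turns on which Credential Providers are registered and whether the EEPC one is active at logon. As an added example (not posted by anyone in the thread, and not McAfee's own tooling), this PowerShell lists every registered credential provider and credential provider filter with its CLSID, disabled flag and implementing DLL. It assumes the standard Windows registry locations and an elevated prompt; the EEPC provider's registered name is not given on the page, so the script lists everything rather than searching for it by name.

```powershell
# Added diagnostic example: enumerate logon credential providers and filters.
# Registry locations are the standard Windows ones (assumption: not relocated by policy).
$authRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-LogonProviderEntry {
    param(
        # 'Credential Providers' or 'Credential Provider Filters'
        [Parameter(Mandatory)][string]$SubKey
    )

    $path = Join-Path $authRoot $SubKey
    if (-not (Test-Path -LiteralPath $path)) { return }

    Get-ChildItem -LiteralPath $path | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -LiteralPath $_.PSPath

        # The COM registration shows which DLL actually implements the provider.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        }

        [pscustomobject]@{
            Type      = $SubKey
            Name      = $props.'(default)'
            Clsid     = $clsid
            # A DWORD named Disabled set to 1 hides the provider at logon.
            Disabled  = ($props.Disabled -eq 1)
            Dll       = $dll
            DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

$entries = @(
    Get-LogonProviderEntry -SubKey 'Credential Providers'
    Get-LogonProviderEntry -SubKey 'Credential Provider Filters'
)

$entries | Sort-Object Type, Name | Format-Table -AutoSize

# Entries that are registered but cannot load are the first thing to chase.
$entries | Where-Object { $_.Disabled -or -not $_.DllExists } |
    Format-List Type, Name, Clsid, Disabled, Dll
```

Saving the output after a boot where SSO worked and after one where it failed shows whether the registration itself changes between boots or whether the provider is registered but not being shown.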

