I have a few questions about the Windows SSO; I'll try to explain as best I can.
I'm testing the functionality of Windows SSO as our environment is a little different from what I would call "standard".
During our testing, one scenario we've come across is changing the preboot password during PBA. From what we've seen, when we manually change the preboot password, the Windows password is never synced back to the preboot environment. I've given the client several hours (mixed with reboots) to get these changes sorted out as I know there are some timing variables when it comes to syncing passwords. Is this expected behavior?
I changed the preboot password yesterday afternoon, gave it a few hours, and rebooted; SSO successfully logs me in with the correct preboot password even though the passwords are out of sync. This morning is the same: I can SSO into Windows using the preboot password, even though it's not the Windows password. If I Ctrl+Alt+Del and manually change the Windows password, the change is instant to the preboot environment.
We've tried backend password changes which eventually get sorted out.
I would think that even when the preboot password is changed manually, the Windows password would eventually be synced back to the preboot environment. As it stands right now, I'm essentially putting in an invalid Windows password to authenticate (preboot), and I'm passed to Windows without having to enter the CORRECT Windows password. Can someone please explain this?
I know I jumped around a bit; please let me know if clarification is needed.
What you are seeing is exactly what you should expect. The Windows password is synced into EEPC in two conditions.
1. After a Ctrl-Alt-Del password change event
2. After a failed SSO attempt
Just logging on won't initiate a sync - it has to be one of the two conditions above.
As long as that is what's expected, we can work with that. Here's another question for you...
I've changed the policies for my test system to turn off SSO so we just use 2 passwords, one for PBA and another for Windows. The problem is, even though the client has processed the new policy, it still SSO's me into Windows. How do I correct this? I would assume that this is a supported configuration?
on 3/28/13 10:14:27 AM CDT
Odd indeed. You are right - it should not attempt SSO even.
What version of EEPC are you using?
Well it seems to have cleared itself up.
I rebooted, and it SSO'd me to Windows. Forced the agent communication with the ePO server and manually ran the EE user sync task. Rebooted, tried to SSO into Windows but failed. After logging in to Windows, forced the agent communication again, rebooted, and now I have 2 separate logins. I guess it's a timing thing as well when disabling SSO. I'll start a new thread if we come across any other issues. Thanks safeboot!