1 2 Previous Next 16 Replies Latest reply on Apr 3, 2014 10:25 AM by SafeBoot

    EEPC 7.0.2 SSO not working correctly

    maciekl123

      Hi there.

       

      Corect me if i'm wrong.

       

      I have EEPC 7.0.2 with SSO enabled with ePO5.0.1

      I try to set this finctionality but, have some issues here.

       

      1.) When i set SSO and type credentials for EEPC pre-BOOT then windows ask me for credentials. I type the same and it go work OK.

      2.) When i change password via EEPC pre -boot screen this password is not updated to SSO, so it is really uncomfortable, because, when the user lock his station he need to input other password for unlock the OS.

      3.) I try to check what happens when the user will be offline, and there will be must for password change. I change the password in EEPC pre-boot screen and logon to windows normally but, the password in windows is still other than EEPC.

      4.) try to do recovery password in EEPC, but then i get windows credential screen after system start.

       

      Is that normal??

      What happens when windows credentials will be to old to use (security requirement need to change password in the cycle)

       

      Pls answer

       

      RGDS

        • 1. Re: EEPC 7.0.2 SSO not working correctly
          andrealves

          Hello. It seems like there has been a little confusion here: it's EEPC that gets the domain user password, not the other way around. Password sync is meant to have the user to imput the same password that it uses to log on to the domain on the PBE, and log on directly to the domain without having to enter the password again.

          • 2. Re: EEPC 7.0.2 SSO not working correctly
            maciekl123

            THX for answer, but have some question.

             

            Is SSO is one-way sync?? I check the case with windows user password change via A+C+D. After PBA password sync in the pre-boot screen i use the domain password -> it is correct.

            I need to check EEPC password change, and find that ther is now way to sync with AD.

            As i remember EEPCv5 had an option to set EEPC password to windows password, isn't it??

            What happen when the AD force the password change??? What happend if the user will be onffline and forgot the password??

             

            It should be two-way direction sync, isn't it??

             

            Regards

            • 3. Re: EEPC 7.0.2 SSO not working correctly
              andrealves

              Hey, it turns out that you have a problem simmilar to mine. This is how it goes: if the user changes the PBE password through self recovery, this password won't be synchronized to the domain password unless the domain password is changed. So, if users forget Windows password and PBE password is sync'd they will have to perform the recovery procedure to gain access to Windows back and then contact help desk to reset the domain password. Only after that the PBE password will be synchronized to the domain password again.

              • 4. Re: EEPC 7.0.2 SSO not working correctly

                not sure what is a question, and what's a statement, but I'll try to answer.

                 

                Is SSO is one-way sync??

                 

                yes - Windows to EEPC only.

                 

                I check the case with windows user password change via A+C+D. After PBA password sync in the pre-boot screen i use the domain password -> it is correct.

                 

                You need to enter whatever you need to login to Windows.

                 

                I need to check EEPC password change, and find that ther is now way to sync with AD.

                 

                EEPC never syncs its password to Windows.

                 

                As i remember EEPCv5 had an option to set EEPC password to windows password, isn't it??

                 

                yes.

                 

                What happen when the AD force the password change???

                 

                EEPC will change the EEPC password to match IF the new password conforms to the password rules.

                 

                What happend if the user will be onffline and forgot the password??

                 

                For EEPC do a password reset, for Windows do whatever you do now.

                 

                It should be two-way direction sync, isn't it??

                 

                No, it never has been.

                • 5. Re: EEPC 7.0.2 SSO not working correctly
                  pandarazzi

                  Hi all.

                   

                  I have the similar environment of epo5.0.1 and eepc7.0.2 and also unable to sync the PBE password with AD.

                   

                       1. I have enabled SSO under Endpoint Encryption 7.0.2 > Product Settings > Policy > Log On as shown below.


                                      
                                               
                                               
                                                
                      

                       2. Wake up agent to push down the policy.

                   

                  In the PBE, the password used to log-in differ from those in AD. Have I missed out any steps?

                   

                  Regards.

                   

                  • 6. Re: EEPC 7.0.2 SSO not working correctly

                    What did you do on the agent to trigger a password sync?

                    • 7. Re: EEPC 7.0.2 SSO not working correctly
                      pandarazzi

                      Hi Safeboot,

                       

                      Thank you for the response.

                       

                      1. I did an agent wake up on the relevant client.
                      2. Verify the policy was updated through Mcafee agent's gui.

                       

                      Regards.

                      • 8. Re: EEPC 7.0.2 SSO not working correctly

                        Neither of those will cause a password sync. You need to do a password change within windows, or have a failed sso session.

                        • 9. Re: EEPC 7.0.2 SSO not working correctly
                          rth67

                          What if you are using a third party tool to change the AD password? Will it still force EE to sync the new AD password with EEPC, in our case it does not seem to do that, the 3rd party tool uses a service account to reset / sync passwords for multiple applications.

                           

                          Maybe we need to script the WebAPI  change password function in to the tool.

                          1 2 Previous Next