Endpoint Encryption

  • 1.  Help with Password Sync using Symantec Endpoint Encryption SSO

    Posted Jan 08, 2014 12:27 PM

    Hello,

    I'm hoping someone can provide some insight on some issues we are seeing with SEE. We are currently using 8.2.1 MP2. I am running into SSO problems with password syncs in two scenarios for users in remote offices. From what I can tell, SEE only synchs that password if the user changes it using Ctrl-Alt-Del or at login if the user is connected to the network. We have many remote users who only connect to the network using a Cisco VPN client that does not have the ability to connect before login. When they log in to the computer they are not connected to the network; they log in to the PC using cached credentials. Many times the user will fail to notice the password has expired and will have to call to have the password reset in Active Directory Users and Computers. Once the admin resets the password, the password is not synched with SEE. The only workaround I have found is to connect to the user's PC, log in to SEE as an administrator, unregister the account and then have the user register again. We can also have the user change the password, but due to security policies, they have to wait 48 hours to do this.

    In the second scenario, the user will have multiple computers and will change it on the first computer by pressing control alt delete. They connect to the VPN on the second computer and lock the computer, then unlock to update the AD credentials, but the SEE password doesn't synch. This forces an admin to connect and unregister the account so they can register again.

    Is this documented behavior or does anyone know of a way to force the passwords to synch? It's not ideal but I could also get by with a script that would unregister the account.

     

    Thanks!



  • 2.  RE: Help with Password Sync using Symantec Endpoint Encryption SSO

    Posted Jan 08, 2014 01:27 PM

    Have a similar scenario here as well. Is there a programmatic way to unregister an account or preferably force a re-sync btw SEE and AD?

    Thanks



  • 3.  RE: Help with Password Sync using Symantec Endpoint Encryption SSO

    Posted Mar 10, 2014 03:09 PM

    Running SEE 8.2.1 MP8--have had a ticket with Symantec over the failure of SEE SSO to sync up changes to Windows passwords on our Win7 and our dwindling XP systems when connected to the domain using a VPN connection. Workaround is to have the user bring the systems into the office where a direct LAN connection recognizes the changed password or have the user remember the older password for getting past the SEE preboot screen. Symantec's response to date is that it's an issue with the VPN software though there's no direct evidence of that being the case. Like most Symantec issues, the behavior is not universal.



  • 4.  RE: Help with Password Sync using Symantec Endpoint Encryption SSO

    Posted Mar 10, 2014 03:53 PM

    We have also used that workaround, Geoffrey, but many of our users never come into the office. I also found another fix for this scenario since I posted this. Here are the steps I have taken.

    1. User changes password through Outlook Web App or admin changes password. As a result, user's cached Windows/SEE passwords are no longer current.
    2. Instruct user to connect to VPN and enter new password.
    3. Press CTRL-Alt-Del and lock computer and then unlock with new password.
    4. Instruct user to log off Windows.
    5. Have user log back in with updated password. As soon as possible have user connect to VPN.
       

    I have found that if the user connects to the VPN pretty much immediately after logging into Windows with the updated password, they will get the SEE synchronization message. I'm not sure why this occurs but I am guessing that if the VPN is connected before SEE finishes its startup the synchronization will occur.