Jump to content
Sign in to follow this  
Abissa

Adding domain users to encryption, SSO and options [Solved]

Recommended Posts

Dear all,

 

What is the best practice for adding domain users to an existing encrypted machine in KSC when we use SSO (scenario being several users accessing the same machine).

Right now when we setup the encryption on a machine the current Windows user is automatically added, this is fine. But what if some time later I need to add another user so he can access the same machine as well?

 

I know my way around the "Encryption (account management)" task edition but would like more information about "password-based authentication" options, more precisely if I should select the "change password upon first authentication" or "do not require password change" options. My concern in the end is to make sure that when users have to change their Active Directory password when it expires, the Kaspersky pre-boot password gets correctly updated, and this for all users of the machine, in the SSO context.

 

- If I select "Change password upon first authentication", I can type a dummy password in the console, and change it on the first login of the user on the machine so it matches the existing AD password.

- If I select "Do not require password change" I can directly type the current AD password of the user in the console.

 

Is there a difference between these 2 options about the behavior of the password updating later on? Will the pre-boot password get properly updated when the user changes his AD password in both cases?

 

Thank you for your help!

 

Best,

Nicolas

 

 

 

Share this post


Link to post
Dear all,

 

What is the best practice for adding domain users to an existing encrypted machine in KSC when we use SSO (scenario being several users accessing the same machine).

Right now when we setup the encryption on a machine the current Windows user is automatically added, this is fine. But what if some time later I need to add another user so he can access the same machine as well?

 

I know my way around the "Encryption (account management)" task edition but would like more information about "password-based authentication" options, more precisely if I should select the "change password upon first authentication" or "do not require password change" options. My concern in the end is to make sure that when users have to change their Active Directory password when it expires, the Kaspersky pre-boot password gets correctly updated, and this for all users of the machine, in the SSO context.

 

- If I select "Change password upon first authentication", I can type a dummy password in the console, and change it on the first login of the user on the machine so it matches the existing AD password.

- If I select "Do not require password change" I can directly type the current AD password of the user in the console.

 

Is there a difference between these 2 options about the behavior of the password updating later on? Will the pre-boot password get properly updated when the user changes his AD password in both cases?

 

Thank you for your help!

 

Best,

Nicolas

 

Hello.

 

For SSO to work correctly, the Pre-Boot Agent password and the Windows user password must be the same. If they are not, the Pre-Boot password is updated automatically upon Windows logon, regardless of the pre-existing Agent password. It is also updated if the user changes their password using Ctrl+Alt+Del menu.

However, if the password is changed using AD, the Pre-Boot Agent logon is not updated until the user logs in on the machine.

 

Thank you.

Share this post


Link to post
Hello.

 

For SSO to work correctly, the Pre-Boot Agent password and the Windows user password must be the same. If they are not, the Pre-Boot password is updated automatically upon Windows logon, regardless of the pre-existing Agent password. It is also updated if the user changes their password using Ctrl+Alt+Del menu.

However, if the password is changed using AD, the Pre-Boot Agent logon is not updated until the user logs in on the machine.

 

Thank you.

 

Perfect, so that means both option will work the same. Thanks for confirming. You can mark this as solved if needed.

 

Share this post


Link to post
Sign in to follow this  

×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.