Safeguard Fingerprint logon - Lenovo laptop(s)

---

Johannes wrote:

Hi,

i have the same problem.

Before I updated to the SGN 5.50, the FP was running under Windows and in the POA on several computers (e.g. Lenovo T60, T61p, W500, X301, ...). But with the newer version, I don't get it running for an authentification with the FP in the POA (Windows Authentification with FP works great). I installed Windows XP or Windows 7 with all drivers and programs (also with the FP Software and driver; for Authentec 3.3.0.58 and for UPEK 5.9.2.5859), only then I installed SGN 5.50 and encrypt all HDD devices.

But now (after the initial user alignment) I configured the FP. However it works only in Windows (the authentication with FP is allowed in SGN MC and the Pre-Desktopautehtification is activated in the BIOS).I tested it on several devices, but no one is accurate running? With the SGN 5.40 the installation wasn't easy, but it run.

What am I doing wrong?

Best Regards,

Johannes

---

I found that, after upgrading to 5.5, I had the same problem on the Lenovo R400 and T410 laptops.  I was able to fix it by hitting Shift+F5 (NOT Shift+F7 as mentioned in KB Article 63147) at the Sophos Copyright Screen (if you do it right, you should see a message that the "Alternate USB" has been activated.  The fingerprint enabled POA showed right up at that point.  Once you get past the POA, it will prompt you to save the settings changes - make sure you do so unless you want your users to have to press Shift+F5 everytime they boot!

BTW, I was able to get the fingerprint reader working without regard to install order - one of the laptops has the fingerprint software installed AFTER Safeguard, one had the fingerprint software installed BEFORE safeguard went down.

FYI - KB Article 107781 says that the "Alternative USB kernel" (the option the Shift+F5 controls) is ENABLED by default, but that appears to have changed in 5.5, as all of the machines I've installed 5.5 on have the "Alternative USB kernel" DISABLED

Hi Visitant,

i has tested it for one week ago, by hitting SHIFT+F5, but it doesn't work on all Lenovo devices.

Here i can read in my FP datas, but i get the message that  "no FP datas are available".

I has problems with Lenovo T61p (UPEK), Lenovo X200T (AuthenTec) and Lenovo T410s (AuthenTec).

Other models in our enterprise are not testet. Current it  runns great on Lenovo R500.

BR,

Johannes

Hi all,

Hopefully this will provide a bit more clarity...

SGN 5.50.1 (which is scheduled for mid August) is supposed to provide support for the following Lenovo fingerprint software versions:

1)      UPEK: 5.8.5.6014

2)      Authentec: 3.3.2.27

The latest version of the UPEK chip fingerprint software from Lenovo is 5.9.x. However if you look at the download link on the Lenovo website for the 5.9.x software, there is an advisory stating that users of SGN 5.50 and Windows 7 should use version 5.8.5.6014 which is a Vista package. I've tested this package with Windows 7 and whilst it doesn't cause any harm to the system, and fingerprint works okay, it's still not supported from Sophos and fingerprint POA doesn't work.

Thus the reason I'm waiting for SGN 5.50.1.

As a side note I also requested that LSH (Local Self Help) works with fingerprint activated policies too - seeing as fingerprint isn't working for a lot of customers we have to fall back to password authentication.  Unfortunately when fingerprint authentication is enabled on a policy Local Self Help stops working. (This is by design). Not good when the users forget their passwords and the Servicedesk is closed.

I understand that no-one forgets their fingerprint but until Sophos can guarantee 100% that fingerprint will work and that it wont fall back to password authentication then there is a clear need for LSH with fingerprint authentication. Not a well thought out design if you ask me ;)

I've been advised that Local Self Help will work with fingerprint enabled policies in the next major release of SGN. Let's wait and see eh.

How many days until Mid August? ;)

Hi,

I just spent 2 days trying to make fingerprint logon in POA work, and no success. It works fine for Windows login, but I am not getting the fingerprint logon screen in POA despite having Fingerprint enabled as logon mode through policy. My setup:

Notebook Lenovo R500

Lenovo Fingerprint software 3.3.2.27 (can't go to a lower version because that one does not work with the reader on Win7)

reader AuthenTec AES2810 (driver 8.6.0.13)

SafeGuard Enterprise 5.50.0

Logon mode in the policy User ID/Password; Fingerprint

Windows 7 (32)

Fingerprints enrolled, login to Windows using fingerprints works, it just does not work in POA. Is this really a bug in SafeGuard, or am I doing something wrong? Can anyone advise, please, why this is not working - why the fingerprint logon screen does not show up in POA?

Thanks.

PS: Yes, I really agree with "As a side note I also requested that LSH (Local Self Help) works with fingerprint activated policies too - seeing as fingerprint isn't working for a lot of customers we have to fall back to password authentication.  Unfortunately when fingerprint authentication is enabled on a policy Local Self Help stops working. (This is by design). Not good when the users forget their passwords and the Servicedesk is closed."

LSH should be available. With so many different PC configurations, fingerprints are pain, they more often fail than work.

Acording to this list: http://www.sophos.com/support/knowledgebase/article/108789.html the reader/laptop is supported so should work. At POA, no windows drivers are used so the problem must be related to something else unless the fingerprint DB that the lenovo software uses is not compatible with SGN 5.50.

Matt

Hi, is it any help if I mention that the fingerprint functionality, the POA dialog for logging on with a fingerprint, is not even available at the POA screen? The problem is not that the fingerprint itself would not be working at POA, it is that the user does not even get to see the fingerprint picture at the POA, the POA screen shows the default username and password input boxes only.

(Just to refresh - Logon mode is set to "User ID/Password; Fingerprint" in the Authentication policy. The policy does get propagated - when I check RSOP at the Management Center, I can see "User ID/Password; Fingerprint" applied.) Are there any logs anywhere to check for troubleshooting? What else should I check?

Anyone, please?

We have found that having ANY other USB device plugged in causes the fingerprint reader to not work during POA. I will also agree that Local self help and the fingerprint reader need to be able to work together.

Hi there,

as already mentioned above SGN 5.50.1 will contain full fingerprint support for log on again.

The version will be released soon and I kindly ask everyone to test this version.

When doing so please check the release notes and the documentation thoroughly before you start with regards to the supported fingerprint readers and the middleware versions! This is vital to get things working.

Should you still encounter some issues please open a new support case.

Regards

Dan

Unfortunately since 5.50.1 this has not worked. (Neither the Windows or POA authentication display the fingerprint authentication selection).

Obviously the POA will not work until the Windows Authentication fingerprint is working. I have a sneaky feeling it's something to do with the CredentialProvder, so I'm going to look into this a little further and keep this post updated.

I'm praying that it's not because of an unsupported UPEK Chipset model/version in the W510. If it is I'm hoping Sophos can work with me on this seeing as we have a job lot of these laptops and need to have fingerprint working to meet certain security requirements.

I've opened up the following case with Sophos support:  #2461077.

The in the meantime here's my spec and some advisory's from both Sophos and Lenovo re supported versions...

Client details:
Client: Windows 7 Enterprise x64
BIOS Version/Date: LENOVO 6NET64WW (1.27 ), 14/07/2010    
SafeGuard version: 5.50.1.117
Laptop: Lenovo W510 (TYPE 4319-24G)
Biometric: UPEK. TouchChip Fingerprint Coprocessor
Biometric Driver version: 1.9.2.155 (tcusb.sys)
Lenovo Fingerprint software installer: fprx64_585_6014ww
Lenovo Fingerprint software version: 5.8.5.6014

Fingerprint device details:

Device name: TouchChip Fingerprint Coprocessor
Device Version: 5.0.4133
Firmware variant: 2000000d
Usage: 80000002
Sensor Type: e4000043
Available Memory: 21590
System ID: 1001b
SN: 8e9effc6b48ec36f281ec1a325321787
OS Version: Microsoft  (build 7600)
 
Install order:
1. Cleared fingerprint data and reset security chip in BIOS
2. Installed OS and drivers
3. Installed Lenovo fingerprint software
4. Enrolled fingerprints
5. Tested successfully
6. Installed SafeGuard Enterprise
7. Rebooted
8. Installed SafeGuard config
9. Rebooted

Extract from SGN 5.50.1 User Guide:

5.1.2 System requirements
Windows XP, 32 bit
Windows Vista, 32 bit, 64 bit
Windows 7, 32 bit, 64 bit

5.1.3 Supported hardware
AuthenTec AES2810
UPEK TCS3C/TCD42A

5.1.4 Supported software
Lenovo Fingerprint for AuthenTec Version 3.2.0.166
ThinkVantage Fingerprint for UPEK Version 5.8.5.6014

SafeGuard Enterprise supported versions of ThinkVantage Fingerprint Software: http://www.sophos.com/support/knowledgebase/article/111626.html

Lenovo SGN support advisory: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-68490

Regards,

John