Synchronize over VPN

Hopefully this is an easy one...

When my end users are working over a VPN, the credentials aren't synchronizing. Whether the user signs in thru Sophos using their account and old password, or an admin account/POA, then forcing synchronization, upon reboot, Sophos still isn't accepting the new AD password.

My current workaround is having them come into an office and synchronizing. However, it seems this should work when they are connected via the VPN.

Any help would be greatly appreciated.

:42185


This thread was automatically locked due to age.
  • Hello,

    your statement "sophos still isn't accepting the new AD password" leads me to believe that you change the AD password e.g. in the domain or with the Windows Credential Provider (or in an alternative Windows application like Outlook). This is not possible. All password changes have to happen on the client using the SafeGuard Enterprise Credential Provider.

    This is because, to change the password in the POA, SGN needs to have both the old and the new password in memory. The old one is needed to decrypt the certificate in the POA, the new one to re-encrypt the certificate again. Only then will the new password be the correct one in the POA after the next reboot.

    More information can be found here: http://www.sophos.com/en-us/support/knowledgebase/117256.aspx

    :42542
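
The re-encryption step described in the reply above, as an added example that is not part of the original thread and is not SafeGuard's code or storage format: a simplified Python model in which a constructed 32-byte secret stands in for the POA certificate, and PBKDF2 with an XOR pad and an HMAC tag stands in for whatever cipher the product uses. All function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this model


def _derive(password, salt):
    """Derive a 32-byte wrapping pad and a 32-byte MAC key from the password."""
    okm = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap(secret, password):
    """Protect a 32-byte secret under a password (fresh salt on every wrap)."""
    if len(secret) != 32:
        raise ValueError("this model wraps exactly 32 bytes")
    salt = os.urandom(16)
    pad, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(blob, password):
    """Recover the secret, or raise ValueError if the password is wrong."""
    pad, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password")
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


def change_password(blob, old, new):
    """Re-wrap: the old password opens the blob, the new one seals it again."""
    return wrap(unwrap(blob, old), new)


def accepts(blob, password):
    """True if the stored blob opens with this password."""
    try:
        unwrap(blob, password)
        return True
    except ValueError:
        return False
```

A password changed somewhere else never touches the stored blob, so `accepts()` keeps returning true for the old password only until `change_password()` runs locally with both values.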
  • Thanks for the reply, textor.

    Normally, when Sophos detects that a password has been changed, it will ask for the old password, and then sync up. When working over our VPN, it just never asks. You can only sign in with an old password, which then signs into Windows with the old/cached password.

    Once logged into Windows, the user can connect to the VPN, sync Sophos, restart, and then Sophos still only accepts the old Sophos password.

    The only way I see to initiate a password change from the client side is to click 'options' and check the box to change password on next login. Is this the only way to change passwords when connecting via VPN?

    :42562
  • Hello aaronford,

    I'm not sure I understand all the details. Are the users changing their password because it has expired? At which point in the mentioned scenario ("signs into Windows with the old/cached password ... Once logged into Windows, the user can connect to the VPN, sync Sophos") do they change the password and how?

    From what I understand, I assume the difference is that when on the LAN the change takes place (or is detected) when SGE attempts the automatic logon and therefore is aware of the change. Furthermore, "signs into Windows with the old/cached password" suggests that the client computer is not yet aware of the (need for a) change - not surprisingly, as there is no connection to AD without VPN. Unless the password is changed with the SGE Credential Provider, the POA will still require the old password after a restart, "and then Sophos still only accepts the old Sophos password" - what happens if SGE tries to log them on to Windows? I'd expect that it will detect the password change (after the user authenticates to Windows it prompts once more for the old password) and after this it'd have to sync (needing the VPN connection) for the change to become effective.

    Christian 

    :42590