The user is prompted to enter their old password when they change their password, and/or they cannot log in to the computer using their new password.
Applies to the following Sophos products and versions:
SafeGuard Device Encryption
SafeGuard Management Center / Local Policy Editor
SafeGuard Easy
SafeGuard Enterprise (SGN) creates a certificate and a .p12 file for every user who is a "SafeGuard Enterprise POA user". Initially, certificates are created at the SGN backend, i.e. SafeGuard is installed on a client machine, the client synchronises with the backend and starts the initial UMA process (in which the user requests a certificate from the SGN server) while the POA is not yet active.
Once the process has been completed and the POA becomes active, the user can authenticate at POA with their Windows password.
If a user wants to change their password, the correct way of doing this is:
In the POA: Options | tick 'Change password at next logon', or in Windows on the SafeGuard-protected machine: Ctrl+Alt+Del | Change a password... If the user is already an SGN user with an existing user certificate, the user certificate (.p12) will be re-encrypted with the new user password once the password has been changed on the client machine.
If a password change is done while the SGN server is not available, the client prepares packages which are sent to the server on next contact to update the user's certificates in the SafeGuard database. Although the certificate has not yet been uploaded, the user should be able to authenticate at the POA using their new password, because the certificate already existed on the client and was "only" re-encrypted with the new password.
There are various reasons why a user is prompted to enter their old password and/or cannot log in to the computer using their new password. The old password prompt should only appear if the password is out of synchronisation. Provided the user is able to enter their old password once, the prompt should go away on subsequent boot-ups if they have been added to the computer as an SGN user and have a valid certificate stored in the Management Centre.
Below are some of the scenarios in which an old password prompt may occur and/or a user is not able to log in with their new password. These occur on managed computers:
Scenario 1: The password has been changed in Active Directory (AD). This has no effect on the client computer(s) the user logs in to until the computer has synchronised with the Management Centre.
Quite often passwords are changed directly in Active Directory, not locally on the SGN client computer. As a result, the SGN client keeps asking for the old password when the user tries to log in to their Windows profile. If the user knows their old password, they can enter it, log in to the computer and synchronise with the Management Centre, after which the password information on the computer is updated.
If the user does not remember their old password, follow the instructions in KB article 112239: SafeGuard Enterprise: User is asked to provide their 'old password' during logon to Windows
Scenario 2: The user works on more than one computer. Changing the password locally on one computer and synchronising with the Management Centre updates the password (which is required at the POA) on that computer, but it is not updated on the other clients until they have synchronised with the SafeGuard Enterprise Server.
To resolve this, the user can log on to the other computer using their old password and synchronise with AD. Please refer to KB article 109038: SafeGuard Enterprise: Password handling when a user is using more than one computer. Alternatively, perform a Challenge/Response and enter the new password at the Windows logon, as described in the following documentation:
Scenario 3: The password has been changed on a non-SGN client computer. Changing the Windows password there does not change the password associated with the user on an SGN computer, because the non-SGN computer does not synchronise with the Management Centre to update the user information and generate a new .p12 certificate.
The resolution is the same as for Scenario 2.
Scenario 4: The user is not an SGN user or SGN owner on the computer. When they change their password, the change does not synchronise with the Management Centre, so it only takes effect on that same computer. When the user logs in to another computer where they are an SGN user/owner, they are prompted for their old password.
This is similar to Scenario 3; a Challenge/Response will be required.
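The model below is an added illustration, not Sophos code: it simplifies the PKCS#12 password-based encryption of the user certificate to a PBKDF2-derived keystream plus an HMAC tag, and shows why a client that did not see the password change (the AD-only and non-SGN-client scenarios above) still needs the old password once: the .p12 can only be re-encrypted after it has been unlocked with the password it was last wrapped with. SgnClient, the sample key and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os

def _stream(password: str, salt: bytes, length: int) -> bytes:
    # Password-derived keystream + MAC key (PBKDF2-HMAC-SHA256); stand-in for PKCS#12 PBE.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=length)

def wrap_key(private_key: bytes, password: str) -> dict:
    """Protect the user's private key with the user's password (model of the .p12)."""
    salt = os.urandom(16)
    ks = _stream(password, salt, len(private_key) + 32)
    ct = bytes(a ^ b for a, b in zip(private_key, ks))
    tag = hmac.new(ks[len(private_key):], salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap_key(p12: dict, password: str):
    """Return the private key, or None if the password does not match the .p12."""
    ks = _stream(password, p12["salt"], len(p12["ct"]) + 32)
    tag = hmac.new(ks[len(p12["ct"]):], p12["salt"] + p12["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, p12["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(p12["ct"], ks))

class SgnClient:
    """One SafeGuard-protected computer holding the user's wrapped certificate (constructed)."""
    def __init__(self, private_key: bytes, password: str):
        self.p12 = wrap_key(private_key, password)

    def poa_logon(self, password: str) -> bool:
        return unwrap_key(self.p12, password) is not None

    def change_password(self, old: str, new: str) -> bool:
        # Re-encrypting the .p12 requires the old password: this is why the POA asks for it.
        key = unwrap_key(self.p12, old)
        if key is None:
            return False
        self.p12 = wrap_key(key, new)
        return True

def ad_only_password_change() -> tuple:
    """Password changed in AD (or on a non-SGN computer) while this client never saw it."""
    pc = SgnClient(os.urandom(32), "Winter2022!")   # constructed sample key and password
    # AD now holds "Spring2023!" but the client's .p12 is still wrapped with the old one.
    new_rejected = not pc.poa_logon("Spring2023!")
    old_accepted = pc.poa_logon("Winter2022!")
    # Entering the old password once lets the client re-wrap the .p12 and resynchronise.
    synced = pc.change_password("Winter2022!", "Spring2023!")
    return new_rejected, old_accepted, synced, pc.poa_logon("Spring2023!")
```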
Flowcharts are provided in the 'Recovery in SGN' PDF guide.