Title: Password Sync not working / offline users unable to authenticate at preboot
Summary:
Password Synchronization would fail on certain client devices where the Device Profile specified that Key Files were to be created for AD users only, and the SDConnex settings specified that a User ID was to be assigned only if the user already existed in the database.
Product version affected:
SecureDoc 8.5 SR1
Environment:
Windows Client
Issue Details:
This issue impacted customers configured as follows: the Device Profile specifies that key files are to be created for AD users only, and SDConnex has the option set to allow a User ID to be assigned only if the user already exists in the database. The combined effect of these settings is that a client device should not be able to request the creation of any User ID not already found in the database, and only AD accounts should be created (aside from certain "local" safe/recovery accounts designated to be added to all devices as part of the installation's Users settings).
WinMagic's testing of devices configured in the same way showed that Password Sync would work for some users, but not for all. For users for whom Password Sync did not work, Challenge/Response against a safe/recovery account would get the user into the system; in certain cases, however, password synchronization was still not working once the user was in Windows, so if the device were rebooted, device users would again be obliged to perform Challenge/Response with the safe/recovery account. On certain machines, the same user account was found twice in the Boot Slots: usually once in a low slot number, and again in the highest boot slot (typically 40).
Cause:
Incorrect or missing logic for handling dynamic offline/online conditions; incorrect handling of boot key files in WinPin; and limited logic for synchronizing PwSync status between SDService and WinPin, which sometimes failed in complex environments such as concurrent service-user password changes.
Symptoms of the issue:
1. Error 0x81000001 when trying to add the key file to Boot1
2. Duplicated users in the Boot Control Menu (BOOT1 & BOOT40)
3. User shows as assigned to the device in SESWeb, but is not cached to the device
4. User is not cached if the device boot slots are already full; the user will be shown as assigned in SES but will not cache
5. User password not syncing, as a consequence of item 4 above
6. Offline users who connect via VPN are neither cached nor password-synced; the SD Client would not attempt to connect to retrieve the credentials
Solution:
This issue has been corrected in this Hotfix. The limitations listed above were identified and corrected: the client now handles dynamic offline/online conditions, and interference with Password Synchronization tasks for safe/recovery user accounts has been removed. Where necessary, WinPin will trigger a Manual Password Synchronization.
HotFix version: 8.5 SR1 HF1