User is getting Reset Certificate Password dialog box.

I have a user that changed their AD password, but the SGN client didn't recognize the change. Now she is presented with the Certificate Password dialog box: SafeGuard Enterprise was unable to complete your logon. If you have recently changed your Windows password, please enter the "OLD" password now. When the user enters their OLD password, they are presented with a "Certificate Import Failed" box. Unable to import the certificate. The password may have been entered incorrectly.

The user states that they are entering the OLD password correctly.  I have deleted the computer and user certificate from the SGN console, but it has not solved this issue.  What else can I try?

  • Hi there,

    thank you very much for bringing this one up. I'd like to mention that we highly recommend not to change the password in the AD but to use the SafeGuard Enterprise integrated possibilities to recover a user in case of forgotten passwords.

    You can find detailed information on the required steps following this KBA: http://www.sophos.com/support/knowledgebase/article/110107.html

    Regards
    Dan

  • Hi RBC

    We've seen this a number of times too, and it is giving us a headache.

    What we tend to do is delete the certificate in the management console so the next time they log on a new one is generated. The reason it may not be accepting their OLD password is because it is someone else's certificate; check the machine ownership in the console and delete the user from there if necessary. This may not be the best way to do it, but it's the only way that seems to work for us...

    Cheers

  • Dan

    What if you don't use the POA feature of Safeguard? We don't use this feature, so I'm guessing in that scenario we wouldn't use Safeguard for resetting the password as you've suggested. Our only option is to use AD. When users reset their password on a different device that is not encrypted with Safeguard and then come back to the device that is encrypted with Safeguard, they will see this message. Unfortunately, in most cases our users don't recall their "old" password. Depending on the use of the device, it could be an "old" password from 9 months ago. In these cases, our users just select Cancel and continue on - they have gotten used to seeing the error - which is ultimately leaving a bad feeling in their minds about the product. I'd like to correct this for them, but how? Please advise. Thanks

  • We have run into a similar situation.

    The laptop user is working remotely over a VPN connection.

    Our laptop users are naturally prompted to change their password as per our Security policy.

    When they try to change their password, they are no longer able to access the system since the Safeguard software does not seem to have accepted the change. 

    Thus, we are forced to bring the laptop back into the office and go through the Safeguard recovery process.

    I find this totally unacceptable since this would be a common situation for laptop users that work remotely.

    Apparently, Sophos says this capability over remote connections is not supported with standard AD unless you use their specific password reset software which again is unacceptable if they wish to grow their user base.

    We are now forced to send all our laptop users an email stating to not change their passwords remotely until we can find a replacement product for Safeguard.

    I hope Safeguard finds a solution to this issue quickly.  Thanks.

  • Zman, could you provide us with some more information, like OS version, SGN version, and whether you are using the SGN credential provider or a different one? What happens when a user changes his password by pressing CTRL-ALT-DEL and then clicking change password?

    The reason I am asking this is that normally a SafeGuard Enterprise (SGN) client should recognize that a user is trying to change his password. There are some exceptions though where we cannot recognize this, for example:

    - you are using Windows Vista/ Windows 7 and are not logged on to the system using the SGN Credential Provider;

    - you change your password on a different system which does not have SGN installed;

    - the password is reset within Active Directory.

    When a user who is connected to his AD via VPN changes his password, this password is copied to the POA automatically, and the next time the user logs on to the system he can use his new password. The certificate used by SGN is secured with the new password. When the SGN client can connect to the SGN Server at this time, the updated certificate (private key) is sent to the SGN server so that the new password can be distributed to all other PCs where the user was registered as well. If no connection is possible at this time, then SGN will "upload" the data the next time it can reach the server.

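The last reply describes the mechanism behind the "enter your OLD password" dialog: the user's certificate private key is secured with the Windows password, so the client can only re-secure it under a new password if it still has (or is given) the old one. The following Python is an added illustration of that model, not Sophos code; the real SafeGuard container format is not shown on this page, so the container here is a constructed stand-in (PBKDF2-derived keys, an HMAC-SHA256 keystream and an encrypt-then-MAC tag).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
# Constructed model of a password-protected key container (not the real SafeGuard
# store format): PBKDF2 keys, HMAC-SHA256 counter-mode keystream, encrypt-then-MAC tag.
KDF_ITERATIONS = 200_000

@dataclass(frozen=True)
class KeyContainer:
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes

class CertificateImportFailed(Exception):
    """The supplied password cannot unlock the container."""

def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    # 64 bytes from PBKDF2: first half encrypts, second half authenticates.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap_private_key(private_key: bytes, password: str) -> KeyContainer:
    """Secure the certificate's private key under the user's Windows password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor(private_key, _keystream(enc_key, nonce, len(private_key)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return KeyContainer(salt, nonce, ct, tag)

def unwrap_private_key(c: KeyContainer, password: str) -> bytes:
    """Unlock the key; a wrong password fails the tag check ('Certificate Import Failed')."""
    enc_key, mac_key = _derive_keys(password, c.salt)
    expected = hmac.new(mac_key, c.salt + c.nonce + c.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, c.tag):
        raise CertificateImportFailed("The password may have been entered incorrectly.")
    return _xor(c.ciphertext, _keystream(enc_key, c.nonce, len(c.ciphertext)))

def rekey_after_password_change(c: KeyContainer, old_pw: str, new_pw: str) -> KeyContainer:
    """Re-secure the key under the new password; after an out-of-band AD change the
    client has no copy of old_pw, which is why the dialog asks the user for it."""
    return wrap_private_key(unwrap_private_key(c, old_pw), new_pw)
```

With the correct old password the rekey succeeds and the container is then only unlockable with the new one; with a wrong old password the tag check fails, which is the situation the original poster describes.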