I'm getting pop-up from User Account Control when installing Single-Sign-On agent

I am following the article "How to Implement Single Sign On Authentication with Active Directory", and in step 8 there is an instruction on how to automate this installation using a logon script. Everything works fine except the pop-up message I get from UAC saying that SSSophosSetup.exe is from an untrusted location.

Very annoying. Is there a way to fix this without disabling UAC?



This thread was automatically locked due to age.
  • After spending some time debugging, I found that the default option for "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" in Local Security Policy -> Local Policy -> Security Options is "Prompt for consent for non-Windows binaries", and this is the main reason for these pop-ups.

    If I change this security setting to "Elevate without prompting", everything works. This is not the best solution, but a workaround.

    I am still looking for a proper one.

  • I have also encountered this issue.

    There are two parts to it. First, you should use "%LogonServer%" instead of "\\domain.local" because the second one is not a trusted location.

    The next problem is that the certificate used to sign SSSophosSetup.exe has already expired, which means the only thing you can do is let Sophos know so they can fix it.

    -----edit-----

    It's not the cause; see the reply below.

  • Thanks for the suggestion, indeed I saw that the certificate is expired too.

     

    @Sophos could you please renew/regenerate this certificate and provide us with a valid one?

  • Hi Biser,

    Disabling UAC is mandatory for the installation of the logon-script. Did you try to create a group policy for software installation rights or run the installation as an Administrator?

    For the certificate issue, please contact Support and provide me the case#.

    Thanks

  • Disabling UAC is not a solution, not acceptable and against our internal security policies. I have admin rights on the local workstation - this doesn't help. The same if I run the script as Administrator, this warning is displayed again.

     

    Case# 21496908 for the certificate.

  • Hi Biser,

    This is a known behaviour, and if UAC is kept enabled then Windows security won't let the logon script install. Support cannot do anything about it.

    Thanks

  • daiqingxu said:

    The next problem is that the certificate used to sign SSSophosSetup.exe has already expired, which means the only thing you can do is let Sophos know so they can fix it.

     

    daiqingxu is saying that the certificate is expired; is it true? daiqingxu, did you open a ticket with support?

    Thanks

  • I have finally got the thing working.

    The certificate is not the issue; it's SophosRun.exe trying to install the client using the credentials stored in Admin.ini.

    I moved the install part of the logon script to a startup script and now it's working.

     

    Set the following startup script for the workstations:

    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "\\domain.local\netlogon\Sophos\SSSophosSetup.exe /VERYSILENT"

    and remove the lines before

    ECHO Configuring...

    in the logon script.

     

    It looks like I can even get rid of the scripts entirely using a custom MSI package.
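
Added example, not part of the thread and not Sophos code: a PowerShell check a workstation admin could run to see the two things discussed above, namely which elevation-prompt option is in effect and what Windows reports for the installer's Authenticode signature. The default path is the one used in the startup script above; the registry value name ConsentPromptBehaviorAdmin is the standard backing value for that UAC policy.

```powershell
# Added diagnostic example (not from the thread). Run on an affected workstation.
param(
    # Path taken from the startup script quoted in the thread; adjust as needed.
    [string]$InstallerPath = '\\domain.local\netlogon\Sophos\SSSophosSetup.exe'
)

# Option names for "User Account Control: Behavior of the elevation prompt for
# administrators in Admin Approval Mode", keyed by ConsentPromptBehaviorAdmin.
$promptBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key
$value  = $policy.ConsentPromptBehaviorAdmin

[pscustomobject]@{
    UacEnabled      = ($policy.EnableLUA -eq 1)
    PromptValue     = $value
    PromptBehaviour = if ($null -ne $value) { $promptBehavior[[int]$value] } else { 'not set' }
}

if (Test-Path -LiteralPath $InstallerPath) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $InstallerPath
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File           = $InstallerPath
        Status         = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = if ($cert) { $cert.Subject } else { $null }
        SignerNotAfter = if ($cert) { $cert.NotAfter } else { $null }
        # A timestamped signature stays valid after the signing certificate
        # expires, so compare Status with SignerNotAfter before concluding.
        Timestamped    = [bool]$sig.TimeStamperCertificate
    }
} else {
    Write-Warning "Installer not found at $InstallerPath"
}
```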