Single Sign On fails on systems that have third-party credential providers installed
Technical Articles ID:   KB73040
Last Modified:  6/7/2017


Environment

McAfee Drive Encryption (DE) 7.2.x, 7.1.x

Microsoft Windows 10
Microsoft Windows 8
Microsoft Windows 7

Third-party Windows credential providers:
  • IBM Desktop Password Reset Assistant
  • Imprivata OneSign
  • Sentillion expreSSO

Problem

On systems that have Imprivata OneSign installed, after you successfully deploy DE/EEPC, Single Sign On (SSO) fails with the following error during preboot authentication when you attempt to authenticate with the current Active Directory password:

Error EE0F0001 – Token authentication parameters are incorrect

If you use the previous password, SSO still fails and user passwords are not synchronized.

You can log on only when you use the previous domain password at preboot and the new domain password for the Windows logon prompt.

Windows Task Manager lists the ssomanhost.exe process.

Problem

On Windows systems that have both DE/EEPC and the Sentillion expreSSO Credential Provider installed, Sentillion expreSSO is prevented from loading.

Sentillion expreSSO is used for signing on to applications with SSO. The user logs on with their Active Directory logon, and then stores passwords for the individual application. 

DE/EEPC is unable to chain the Credential Provider in Windows, which prevents Sentillion expreSSO from loading.

Problem

Systems with IBM Desktop Password Reset Assistant software installed show that the following credential provider is installed:
 
ItimCRCredentialProvider.
 
With this software installed, duplicate user IDs are displayed at the Windows logon screen.

Problem

On systems with another third-party credential provider installed, users may experience:
  •  Slow logon times
  •  SSO failures

Cause

DE/EEPC does not currently support any third-party Windows credential provider integrations. These third-party credential providers conflict with the DE/EEPC credential provider because, on Windows systems, it is not possible to chain the DE/EEPC credential provider.

One of the following DE/EEPC credential provider keys (MfeEpeCredentialProvider) is not listed in the registry under:
 
32-bit and 64-bit systems:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
 
The DE/EEPC Encryption Provider key is not in place for one of the following reasons:
  • It was removed post installation.
  • The Registry was rolled back.
  • It was blocked during installation.
NOTE: When the DE/EEPC credential provider key is in place, there is no ability to interact at the login screen.

New functionality to support third-party credential providers needs to be developed and integrated into the DE/EEPC software. Follow the product ideas procedure to request this functionality.

If you require a change to product functionality, submit a new product idea at:

https://community.mcafee.com/t5/Enterprise-Product-Ideas/idb-p/business-ideas

The Ideas forum is accessible only to McAfee business and enterprise customers. To access the Ideas forum, click Sign In and enter either your McAfee ServicePortal (https://support.mcafee.com) or McAfee Community User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.

Solution

Due to changes made in DE 7.2.x, a Software Developer Kit (SDK) is now available.

This SDK will allow developers of third-party applications that use their own credential provider to leverage their product to work with DE and to address issues similar to the one described in this article with DE 7.2.0 and later releases.

To obtain the developer kit, the developer of the third-party application will need to apply using the following link before access can be given.

https://www.mcafee.com/uk/partners/security-innovation-alliance/index.aspx

The following will occur when the SSO vendor has applied for the SDK:

  • A representative from the Security Innovation Alliance (SIA) will reach out to the third-party vendor to complete contractual/legal paperwork required to acquire the SDK.
  • When the paperwork has been completed, a representative from SIA will reach out to engineering to distribute the SDK to the third party.

Solution

Remove or disable the third-party credential provider:

Method 1 - Remove
Remove the third-party credential provider to be able to use the DE/EEPC SSO option:
  1. Remove the third-party application from Add/Remove Programs.
  2. Restart your computer.
  3. Authenticate at preboot.
  4. Authenticate at the EEPC Windows Credential Provider login screen using your Active Directory account.
  5. In the Windows system tray, right-click on the McAfee icon and select McAfee Agent Status Monitor.
  6. Click Collect and send Props.
At the next computer restart, when you authenticate at preboot, SSO will function correctly.


Method 2 - Disable
Refer to the Microsoft TechNet article for how to disable additional credential providers using one of the following two methods:
  • Method 1 : Group Policy
  • Method 2 : Using Registry
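
To check the condition described under Cause and to confirm the result of Method 2, the following read-only PowerShell audit lists every registered credential provider with its vendor and disabled state. It is an added example, not McAfee or Microsoft code. It assumes the DE/EEPC provider can be recognized by the substring `MfeEpe` in its key name or default value, and that a disabled provider is recorded through the `Disabled` registry value or the `ExcludedCredentialProviders` policy value.

```powershell
# Added example: read-only audit of registered Windows credential providers.
$base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dePattern = 'MfeEpe'   # assumption: substring identifying the DE/EEPC provider

# CLSIDs excluded through Group Policy, if that policy value is set.
$excluded = @()
$pol = Get-ItemProperty -Path $policy -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
if ($pol) { $excluded = @($pol.ExcludedCredentialProviders -split ',' | ForEach-Object { $_.Trim() }) }

$providers = @(Get-ChildItem -Path $base | ForEach-Object {
    $clsid = $_.PSChildName
    $name  = [string]$_.GetValue('')          # default value holds the provider name
    # Resolve the COM server DLL and read the vendor from its version resource.
    $vendor = 'unknown'
    $srv = Get-Item -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) {
        $dll = ([string]$srv.GetValue('')).Trim('"')
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:SystemRoot\System32" $dll }
        if ($dll -and (Test-Path -LiteralPath $dll)) { $vendor = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName }
    }
    [pscustomobject]@{
        Clsid    = $clsid
        Name     = $name
        Vendor   = $vendor
        Disabled = ($_.GetValue('Disabled', 0) -eq 1) -or ($excluded -contains $clsid)
        IsDE     = ($name -match $dePattern) -or ($clsid -match $dePattern)
    }
})
$providers | Sort-Object Vendor, Name | Format-Table -AutoSize

# Cause check: the DE/EEPC provider key should be registered.
if (-not ($providers | Where-Object IsDE)) {
    Write-Warning 'No DE/EEPC credential provider key found under Credential Providers.'
}
# Conflict check: enabled providers whose DLL is not from Microsoft (unknown vendors are flagged too).
$thirdParty = $providers | Where-Object { -not $_.IsDE -and -not $_.Disabled -and $_.Vendor -notmatch 'Microsoft' }
foreach ($p in $thirdParty) {
    Write-Warning "Enabled third-party credential provider: $($p.Name) $($p.Clsid) [$($p.Vendor)]"
}
```

Run it from an elevated prompt before and after applying Method 1 or Method 2; the third-party warnings should disappear once the provider is removed or disabled.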
