Single Sign On on a Windows 8 client with a smart card reader displays only a smart card logon and not a password logon
Technical Articles ID: KB85612
Last Modified: 11/7/2017

Environment

McAfee Drive Encryption (DE) 7.1.x
McAfee Endpoint Encryption for PC (EEPC) 7.0.x

Microsoft Windows 8

Problem

After a successful DE/EEPC preboot authentication, the enabled Single Sign On (SSO) option fails to automatically authenticate the user, and the user is unexpectedly presented with the Windows smart card credential provider.

This issue is seen only on Windows clients where:
  • DE 7.1.x or EEPC 7.0.x is installed
  • SSO is enabled
  • A smart card reader was installed on the client before DE/EEPC was installed and SSO was enabled
At the Windows Welcome screen, the user is prompted to insert a smart card.

Cause

This is not a DE/EEPC issue. In Windows 8, the credential provider now uses the last logged-on provider and user in the registry to select the default credential if nothing else specifies a default. Under normal circumstances this is the password credential provider; however, when DE/EEPC is installed, the order of the credential providers may change, and the smart card provider may be the most recently listed credential provider.

Solution

If the smart card reader is not required at logon, modify the DE/EEPC EpePcCp.ini file to exclude the smart card provider from being displayed.

Add the following entries to EpePcCp.ini if they do not already exist, and set them to Disable and NoWrap as shown:

[CredentialProvider.Filter.Providers]
{8FD7E19C-3BF7-489B-A72C-846AB3678C96}=Disable
{8bf9a910-a8ff-457f-999f-a5ca10b4a885}=Disable


[CredentialProvider.Providers]
{8bf9a910-a8ff-457f-999f-a5ca10b4a885}=NoWrap
{8FD7E19C-3BF7-489B-A72C-846AB3678C96}=NoWrap
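
One way to apply the entries above idempotently, as an added example that is not McAfee's own tooling: the PowerShell script below sets or adds the four entries, leaves every other line untouched, and keeps a .bak copy before writing. The -Path parameter and the Set-IniEntries helper name are assumptions; the article does not state where EpePcCp.ini is located or how it is encoded.

```powershell
# Added example, not vendor code. -Path is an assumption: the article gives no file location.
param([Parameter(Mandatory)] [string] $Path)

# Entries from the article, keyed by section name.
$wanted = [ordered]@{
    'CredentialProvider.Filter.Providers' = [ordered]@{
        '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}' = 'Disable'
        '{8bf9a910-a8ff-457f-999f-a5ca10b4a885}' = 'Disable'
    }
    'CredentialProvider.Providers' = [ordered]@{
        '{8bf9a910-a8ff-457f-999f-a5ca10b4a885}' = 'NoWrap'
        '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}' = 'NoWrap'
    }
}

function Set-IniEntries {   # hypothetical helper: returns the updated lines
    param([string[]] $Lines, [System.Collections.IDictionary] $Wanted)
    $hdrRx = '^\s*\[(.+)\]\s*$'
    $keyRx = '^\s*(\{[0-9A-Fa-f-]{36}\})\s*='   # lines commented out with ';' do not match
    # Pass 1: record which section/GUID pairs already exist.
    $present = @{}; $section = ''
    foreach ($l in $Lines) {
        if ($l -match $hdrRx) { $section = $Matches[1] }
        elseif ($l -match $keyRx) { $present["$section|$($Matches[1])"] = $true }
    }
    # Pass 2: correct wanted values in place; add missing keys directly under their header.
    $out = New-Object 'System.Collections.Generic.List[string]'; $section = ''; $done = @{}
    foreach ($l in $Lines) {
        if ($l -match $hdrRx) {
            $section = $Matches[1]; $out.Add($l)
            if ($Wanted.Contains($section) -and -not $done[$section]) {
                foreach ($g in $Wanted[$section].Keys) {
                    if (-not $present["$section|$g"]) { $out.Add("$g=$($Wanted[$section][$g])") }
                }
                $done[$section] = $true
            }
        }
        elseif ($Wanted.Contains($section) -and $l -match $keyRx -and $Wanted[$section].Contains($Matches[1])) {
            $out.Add("$($Matches[1])=$($Wanted[$section][$Matches[1]])")
        }
        else { $out.Add($l) }
    }
    foreach ($s in $Wanted.Keys) {   # sections that never appeared are appended whole
        if (-not $done[$s]) { $out.Add("[$s]"); foreach ($g in $Wanted[$s].Keys) { $out.Add("$g=$($Wanted[$s][$g])") } }
    }
    $out
}

$old = @(Get-Content -LiteralPath $Path)
$new = @(Set-IniEntries -Lines $old -Wanted $wanted)
if (($old -join "`n") -cne ($new -join "`n")) {   # write only when something changed
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    Set-Content -LiteralPath $Path -Value $new   # assumption: plain ANSI/ASCII text file
}
```

Running the script a second time makes no changes, which makes it safe to deploy repeatedly from a management tool.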


Example of a default EpePcCp.ini:

"[CredentialProvider.Filter]
;
; By default (if this option is not specified or is specified with any string
; other than Enable), the EEPC CP Filter will filter out all CPs other than
; the EEPC one.  Filtering out a CP means that Windows will not display it's credential
; tiles at logon / unlock. The filtering of CPs can be controlled individually
; by specifying them by GUID in the [CredentialProvider.Filter.Providers] section
;
;DefaultAction={Disable|Enable}
;
[CredentialProvider.Filter.Providers]
;
; Specify if an individual CP (idenitified by it's GUID) should not be filtered (i.e.
; allowed to display it's credential tiles) or filtered (not allowed to display
; it's credential tiles).
;
; Registered CP GUIDS can be found in the Windows registry at:
; HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
;
; Replace <CP_GUID> with the GUID of the specific CP.  The string should be in the
; form {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} and choose Enable to not filter the CP
; and Disable to filter the CP.
; (only the opposite to the default has any effect)
;
;<CP_GUID>={Enable|Disable}
;"
