Problem
An SSO enabled user can't log in after their network password has been changed and is being presented with 'Access Denied' at the pre-boot login screen.
Please see our article below to check what message you're receiving at the pre-boot login screen:
KB247 - How to start a system that is Full Disk Encrypted
Cause
The user's password has been changed outside of their Windows account. This could be for several reasons:
- A user has changed their password on another workstation.
- A user has their password changed for them on a server e.g. using Active Directory on the Domain server.
If this is the case, then the local pre-boot information has become out of sync.
Note:
The DESlock+ Full Disk Encryption login page is pre-operating system and will not receive the change until the user has successfully logged into their Windows account.
Once the user has successfully logged into their Windows account, SSO will automatically re-sync.
Resolution
At the pre-boot login screen the user should enter their previous password. (this is because the pre-boot login can't receive the changed credentials pre-os and will only know the previous password)
When the user boots to Windows, they will need to log into Windows manually as SSO will fail. Once they have logged into Windows, SSO will automtically re-sync.
If a user changes their Windows password from within their Windows account, the pre-boot login will be automatically updated so Single Sign-On will still work.
If the user has forgotten their previous password, please follow the article below in order to regain access:
KB143 - How do I reset a managed user's Full Disk Encryption password?
Related Articles:
KB221 - Why does Single Sign-On (SSO) not log me in to Windows
KB187 - What is Single Sign-On (SSO)
Add a comment
Please log in or register to submit a comment.