What happens if a user changes their password outside of QESSO?
By default, QESSO uses encryption keys derived from the Windows password to protect end users' SSO data. If this password is changed without QESSO being notified, the SSO engine won't be able to decrypt the user's SSO data, and the user will be prompted for his or her old password.
When the user password has been changed outside the Enterprise SSO solution, the SSOWatch secondary passwords cannot be deciphered with the new user password, because the key derived from the new password does not match the one they were ciphered with.
There are three possible solutions:
1. The user gives the old password to SSOWatch. SSOWatch deciphers the secondary passwords and ciphers them with the new primary password.
2. A QESSO administrator performs a new change of the user's password in the Enterprise SSO console (the password change made by the user in the Windows session could not re-cipher the secondary passwords). The secondary passwords are then deciphered with the administrator key and ciphered with the new password given to the user by the administrator. A password modification done at console level is not affected by the Active Directory (AD) password renewal policy (minimum duration and old password history). This is because it is executed via an account having rights to reset passwords in AD and not by the user himself.
3. The user clicks the "Reinitialize" button when SSOWatch asks for the old password. The consequence is the deletion of all the user's secondary passwords. They must be collected again manually during subsequent collect phases. This can affect the delegations the user has given to other users, for as long as no password is associated with the delegated application. It does not affect the delegations the user receives from other users.
- This operation can be qualified as "dangerous" because the user loses all his passwords and perhaps does not know them.
- It is possible to forbid this reinitialization option by setting the DWORD value 'DontAllowSSOReinitialization' to '1' under the registry key HKLM\Software\Enatel\WiseGuard\FrameWork\Authentication.
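As an added example (not code from the article or from the QESSO product), the PowerShell below audits the registry setting just described and, if it is absent or not '1', enforces it; it assumes the key and value name exactly as documented above, must run elevated to write under HKLM, and supports -WhatIf.

```powershell
# Added example: audit/enforce DontAllowSSOReinitialization (not QESSO's own code).
# Key and value name are taken from the article; behaviour is assumed to be
# "1 = Reinitialize button forbidden", as the article states.
$SsoAuthKey = 'HKLM:\Software\Enatel\WiseGuard\FrameWork\Authentication'
$ValueName  = 'DontAllowSSOReinitialization'

function Test-SsoReinitializationPolicy {
    # Returns $true only when the value exists, is a DWORD, and equals 1.
    if (-not (Test-Path -Path $SsoAuthKey)) {
        Write-Warning "Key $SsoAuthKey not found: QESSO authentication settings absent on this host."
        return $false
    }
    $key = Get-Item -Path $SsoAuthKey
    if ($key.GetValueNames() -notcontains $ValueName) {
        Write-Warning "$ValueName not set: users can still wipe their secondary passwords via Reinitialize."
        return $false
    }
    if ($key.GetValueKind($ValueName) -ne 'DWord') {
        Write-Warning "$ValueName exists but is not a DWORD; QESSO may ignore it."
        return $false
    }
    return ([int]$key.GetValue($ValueName) -eq 1)
}

function Set-SsoReinitializationPolicy {
    # Creates the key if needed and forces the DWORD to 1 (forbid reinitialization).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path -Path $SsoAuthKey)) {
        if ($PSCmdlet.ShouldProcess($SsoAuthKey, 'Create registry key')) {
            New-Item -Path $SsoAuthKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$SsoAuthKey\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -Path $SsoAuthKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first; only write when the policy is not already enforced.
if (Test-SsoReinitializationPolicy) {
    Write-Host 'SSO reinitialization is already forbidden.'
} else {
    Set-SsoReinitializationPolicy -WhatIf   # drop -WhatIf to apply the change
}
```

Run the audit part alone across a fleet (for example through a remoting session) to find hosts where end users can still delete their secondary passwords before deciding to enforce the value.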