Quite often a user's password is changed directly in Active Directory or on a machine which did not have the SafeGuard client installed on. As the SafeGuard client was not there to capture the password change, and update the user's certificate, SafeGuard is unaware the user has changed their password. As a result, SafeGuard prompts the user for an 'old password' when they try to log in to their Windows profile.
What to do
If the user knows their old password, simply entering it into the prompt will update their certificate and push the new certificate back to the server.
If they do not know the old password, the easiest way to resolve this issue is to manually change the user's Active Directory password to a temporary password and to manually re-create their SafeGuard certificate so it matches the temporary password. The user can then log into Windows, on a machine with the SafeGuard client, and perform a standard Windows password change. Their AD and SafeGuard certificate passwords will now be back in sync.
The steps below will guide you through this process:
- If the user is unable to log in at the POA, due to the forgotten password, perform a Challenge/Response to get them past the POA to the Windows login prompt.
- Reset the user's password in AD with a temporary password (e.g. password).
- Have the user log into Windows with the temporary password and click Cancel on the Old Password prompt from SafeGuard.
- In the SafeGuard Management Center > Users and Computers, locate the user, open their Certificate tab, and left-click to highlight their certificate (screenshot one).
- Delete the user's old certificate by selecting, in the toolbar, Actions > Remove (screenshot two).
- Create a new certificate by selecting Actions > Add Certificate and ensure the certificate's password is the user's temporary password (screenshot three).
- Have the user synchronize the client with the server by right-clicking the SafeGuard systray icon and selecting Synchronize
- Once the sync is complete, the user should be alerted about their new certificate. Have them log out of Windows and back in again (still with the temporary password). They should not be prompted for their old password.
- Have the user change their password using Ctrl+Alt+Del. SafeGuard will generate a new certificate with this new password and push it back to the server.
The correct way of changing user's SafeGuard certificate password is via :
POA > Options > Check 'Change password at next logon' or
Ctr+Alt+Del > Change A Password... in Windows on their SafeGuard protected machine.