A particular user cannot pass POA authentication even though the password is correct. You can verify the password by doing a Challenge/Response and choosing to show the password.
First seen in
SafeGuard Device Encryption
This appears to be an issue with a corrupted certificate. You can see that the password is correct if you do a challenge-response and choose to show the password, but every time the user logs on to Windows, SGN asks for the old password, and even if you type exactly what the POA showed you, it cannot unlock the certificate.
What to do
To resolve this, you need to remove the corrupted certificate and generate a new one for the affected user. Do this as follows:
- Go to SafeGuard Management Center | Users and Computers | Users OU | [select user account] | Certificate tab.
- Delete the user certificate from this section.
- On the affected client computer, authenticate at POA using Challenge/Response (or using a POA authenticated account assigned to that computer with the 'pass through logon to Windows' option disabled).
- Log on to Windows as the affected user. You may receive an alert prompting for the old password; select Cancel if it appears.
- Right-click the SGN systray icon | Synchronise, and ensure that the client has synchronised successfully.
- Check that the certificate is no longer assigned to the user by right-clicking the SGN systray icon | Display | Certificate. It should give a warning that the certificate cannot be read.
- Once you have confirmed that the certificate is no longer present, log off and log on again as the affected user. This will generate the new certificate.
- Information about receiving new certificates should be displayed - if not, log out and log in again.
- Ensure the client synchronises successfully with the Management Center again.
- Go to SafeGuard Management Center | Users and Computers | Users OU | User account | Certificate tab to ensure that a new certificate has been created and assigned to the user.
- On the client computer, right-click the SGN systray icon | Display | Certificate. It should show that a certificate is now assigned to the user.
- Restart the computer. The user should now be able to log into POA and Windows successfully.
Related KBA: SafeGuard Enterprise: Password change scenarios