Mike H. (Guest)
Posted: Wed Feb 09, 2005 4:38 am
Post subject: Mobile Users and Domain Password Management

We are planning on having mobile computers where the user will be
constantly traveling. We would like to avoid VPN (too unreliable) and
Dial up (too slow) and will have the users access our network via Citrix
Secure Gateway (CSG). The problem is that the mobile computer is a
member of the domain and it never directly communicates with any domain
controller. How can one manage user passwords? Obviously using CSG we
can have the user change passwords on the domain, but this password
change will never replicate to the locally cached domain information
requiring the user to either remember 2 passwords or change the
passwords twice. Has anyone encountered this problem - if so how did
you solve it? Smart Cards? SecurID? If you do initialize two factor
authentication do you need to do this for all users in the domain?
Thanks in Advance,
Mike H.

S. Pidgorny (Guest)
Posted: Wed Feb 09, 2005 4:19 pm
Post subject: Re: Mobile Users and Domain Password Management

In my experience, if we decide to use a thin client (i.e. Citrix), we don't
worry that much about passwords on the local workstations, as we don't
expect those to be a standard operating environment, for one simple reason: we
cannot manage workstations that never connect to the corporate network. One
exception will be Blackberry, that we can manage wirelessly, but that's not
our Windows at all.
I do not agree that VPN is unreliable. Give it a go.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Mike H." <mhaggerty@gravertech.com> wrote in message
news:1107902310.087411.99710@l41g2000cwc.googlegroups.com...
> We are planning on having mobile computers where the user will be
> constantly traveling. We would like to avoid VPN (too unreliable) and
> Dial up (too slow) and will have the users access our network via Citrix
> Secure Gateway (CSG). The problem is that the mobile computer is a
> member of the domain and it never directly communicates with any domain
> controller. How can one manage user passwords? Obviously using CSG we
> can have the user change passwords on the domain, but this password
> change will never replicate to the locally cached domain information
> requiring the user to either remember 2 passwords or change the
> passwords twice. Has anyone encountered this problem - if so how did
> you solve it? Smart Cards? SecurID? If you do initialize two factor
> authentication do you need to do this for all users in the domain?
> Thanks in Advance,
> Mike H.

Mike H. (Guest)
Posted: Wed Feb 09, 2005 10:27 pm
Post subject: Re: Mobile Users and Domain Password Management

The machines are Windows XP Pro and the mobile users will be keeping
sensitive information on the machine itself. We need to maintain
password synchronization from the domain to the local cache on the
Windows XP box (users are notorious for losing passwords!). VPN is
unreliable due to the management involved and lack of technical
understanding among users...
Thanks,
Mike H.

S. Pidgorny (Guest)
Posted: Thu Feb 10, 2005 3:11 pm
Post subject: Re: Mobile Users and Domain Password Management

I urge you to reconsider the approach: without real network connectivity
(like VPN), it makes little sense to attempt password synchronisation.
From your description, the issue with VPN is not reliability but
administration and support. Considering your requirements, the alternatives
are going to be more complicated anyway.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Mike H." <mhaggerty@gravertech.com> wrote in message
news:1107966432.043203.78740@z14g2000cwz.googlegroups.com...
> The machines are Windows XP Pro and the mobile users will be keeping
> sensitive information on the machine itself. We need to maintain
> password synchronization from the domain to the local cache on the
> Windows XP box (users are notorious for losing passwords!). VPN is
> unreliable due to the management involved and lack of technical
> understanding among users...
> Thanks,
> Mike H.

Mike H. (Guest)
Posted: Wed Feb 16, 2005 2:05 am
Post subject: Re: Mobile Users and Domain Password Management

> I urge you to reconsider the approach: without real network
> connectivity (like VPN), it makes little sense to attempt password
> synchronisation.

However without the requirement to change passwords, your security is
for naught. If you require users to change both a network and local
password, they will inevitably forget their password and require a
reset. Without password synchronization, how can you reset a user's
password? How do you prevent them from installing software that is not
approved by the corporation? How do you utilize software installation
from Windows 2003 (by being joined to a domain) to set up and maintain
software on the computer (the laptops do occasionally arrive back in
the office - however, it could be anywhere from 1 month to a year
between visits)? Domain connectivity is a must, and VPN is not
feasible (it has been tried - too many ID 10T errors). Users cannot be
relied on to remember passwords nor to change them on a routine
basis... Complication on the administrative side is preferable to
complication on the users' side!

S. Pidgorny (Guest)
Posted: Thu Feb 17, 2005 2:10 pm
Post subject: Re: Mobile Users and Domain Password Management

So get rid of the passwords - use the likes of a smart card instead.
"Mike H." <mhaggerty@gravertech.com> wrote in message
news:1108496099.585460.159380@c13g2000cwb.googlegroups.com...
>> I urge you to reconsider the approach: without real network
>> connectivity (like VPN), it makes little sense to attempt password
>> synchronisation.
> However without the requirement to change passwords, your security is
> for naught. If you require users to change both a network and local
> password, they will inevitably forget their password and require a
> reset. Without password synchronization, how can you reset a user's
> password? How do you prevent them from installing software that is not
> approved by the corporation? How do you utilize software installation
> from Windows 2003 (by being joined to a domain) to set up and maintain
> software on the computer (the laptops do occasionally arrive back in
> the office - however, it could be anywhere from 1 month to a year
> between visits)? Domain connectivity is a must, and VPN is not
> feasible (it has been tried - too many ID 10T errors). Users cannot be
> relied on to remember passwords nor to change them on a routine
> basis... Complication on the administrative side is preferable to
> complication on the users' side!

Michael Ströder (Guest)
Posted: Thu Feb 17, 2005 4:42 pm
Post subject: Re: Mobile Users and Domain Password Management

S. Pidgorny <MVP> wrote:
> "Mike H." <mhaggerty@gravertech.com> wrote in message
> news:1108496099.585460.159380@c13g2000cwb.googlegroups.com...
>> However without the requirement to change passwords, your security is
>> for naught. If you require users to change both a network and local
>> password, they will inevitably forget their password and require a
>> reset.
> So get rid of the passwords - use the likes of a smart card instead.

Is smartcard logon possible for local accounts under Windows XP Prof.?
Ciao, Michael.

S. Pidgorny (Guest)
Posted: Sat Feb 19, 2005 6:48 am
Post subject: Re: Mobile Users and Domain Password Management

No, only for domain accounts. There are some 3rd-party solutions that enable
local smart card logon. But you can log on once while connected to the
domain and the local logon will work thereafter.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Michael Ströder" <michael@stroeder.com> wrote in message
news:t19ee2-h05.ln1@nb2.stroeder.com...
> Is smartcard logon possible for local accounts under Windows XP Prof.?
> Ciao, Michael.