Users' roaming Windows profiles are written to the server on login on workstations that have SecureLogin installed.

  • 7940284
  • 19-Aug-2009
  • 24-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions

Situation

Issue

Customer is using SecureLogin in a Microsoft ADS environment. They are using Windows 2000 workstations and have enabled roaming windows profiles.

SecureLogin can be configured to save the offline cache in the user's roaming profile, in the Application Data\SecureLogin directory (Note: the Application Data directory is hidden by Windows by default, so you may have to enable viewing hidden files to see it).

The customer noticed that when a new user is created in AD, the user's roaming Windows profile is written to the server on login on workstations that have SecureLogin installed.

When SecureLogin is removed from the workstation and the user's profile is deleted (so it is as if they are a new user with no profile), the customer observed that the profile is NOT copied on login; it is copied on LOGOUT only.

The customer wants to know why the profile is copied to the server on initial login.

Resolution

Cause

On workstations running Windows 2000 only (NO SecureLogin), the following occurs when a profile is created for the first time.

  1. New User logs on to ADS.
  2. Roaming Profile is created locally on the Workstation c:\documents and settings\username.
  3. When the user logs out, the profile is copied to the server and deleted from the local workstation.
  4. Subsequent logins will copy the profile from the server to the local workstation.
  5. Subsequent logouts will copy the profile from the workstation to the server.

On workstations running Windows 2000 AND SecureLogin, the following occurs when a profile is created for the first time.

  1. User logs on to ADS.
  2. Roaming Profile is created locally on the Workstation c:\documents and settings\username.
  3. Profile is read, closed, and written to the server using standard Windows APIs.
  4. When the user logs out, the profile is copied to the server and deleted from the local workstation.
  5. Subsequent logins will copy the profile from the server to the local workstation (and synchronize the server and workstation copies at logon time since the profile is accessed by SecureLogin).
  6. Subsequent logouts will copy the profile from the workstation to the server.

Microsoft Windows and SecureLogin are working as designed. If any program accesses the profile at login, the same scenario will occur.

Steps 3 and 5 above occur only when SecureLogin is installed, for the following reason:

The profile is copied to the server because SecureLogin opens and reads it on login to determine whether someone other than the user has changed the user's ADS password. SecureLogin must read the profile as a security precaution, so that an administrator cannot simply change a user's ADS password, log on as that user, and access their SecureLogin secrets and/or run SSO-enabled applications.

By reading the roaming profile, SecureLogin can detect that someone other than the user changed the user's ADS password and prompt for the user's passphrase before SecureLogin loads.
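The check described above (a directory password reset by an administrator must not unlock the user's cached secrets; the user's passphrase is the fallback) can be modelled in a few dozen lines. The following is an added illustration written for this article, not SecureLogin's own code, and it does not claim to reproduce the real cache format. It assumes a constructed design in which the offline cache holds one random cache key wrapped twice: once under a key derived from the user's directory password and once under a key derived from the user's passphrase. At login the password-derived key is tried first; if it no longer unwraps the cache key, the password was changed without SecureLogin seeing it, and only the passphrase can unlock and re-key the cache. The key wrap (XOR with a PBKDF2-derived key plus an HMAC tag) and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration, not SecureLogin's real ones.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a directory password or a passphrase."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def wrap_key(cache_key: bytes, secret: str) -> dict:
    """Wrap the cache key under a secret: XOR with a fresh PBKDF2-derived
    key (fresh salt per wrap), then an HMAC tag over the wrapped bytes."""
    salt = os.urandom(16)
    kek = derive_kek(secret, salt)
    blob = bytes(a ^ b for a, b in zip(cache_key, kek))
    tag = hmac.new(kek, blob, "sha256").digest()
    return {"salt": salt, "blob": blob, "tag": tag}


def unwrap_key(wrapped: dict, secret: str) -> Optional[bytes]:
    """Return the cache key, or None if the secret does not authenticate."""
    kek = derive_kek(secret, wrapped["salt"])
    expected = hmac.new(kek, wrapped["blob"], "sha256").digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(wrapped["blob"], kek))


class OfflineCache:
    """Model of the per-user offline cache kept in Application Data\SecureLogin
    (constructed layout: one cache key, wrapped under password and passphrase)."""

    def __init__(self, password: str, passphrase: str):
        self.cache_key = os.urandom(KEY_LEN)  # key that would protect the SSO secrets
        self.by_password = wrap_key(self.cache_key, password)
        self.by_passphrase = wrap_key(self.cache_key, passphrase)


def login(cache: OfflineCache, password: str, passphrase: Optional[str] = None):
    """Return (status, cache_key). status is 'ok', 'passphrase_required' or 'denied'."""
    key = unwrap_key(cache.by_password, password)
    if key is not None:
        return ("ok", key)
    # The current directory password does not unwrap the cache: it was changed
    # outside SecureLogin (e.g. an administrator reset). Gate on the passphrase.
    if passphrase is None:
        return ("passphrase_required", None)
    key = unwrap_key(cache.by_passphrase, passphrase)
    if key is None:
        return ("denied", None)
    cache.by_password = wrap_key(key, password)  # re-key under the new password
    return ("ok", key)


def user_changes_password(cache: OfflineCache, old_password: str, new_password: str) -> bool:
    """A password change made by the user re-wraps the cache key, so the next
    login with the new password does not trigger the passphrase prompt."""
    key = unwrap_key(cache.by_password, old_password)
    if key is None:
        return False
    cache.by_password = wrap_key(key, new_password)
    return True


if __name__ == "__main__":
    cache = OfflineCache("Winter2009!", "my first pet was rex")  # constructed sample values
    print(login(cache, "Winter2009!")[0])                       # ok
    print(login(cache, "ResetByAdmin1")[0])                     # passphrase_required
    print(login(cache, "ResetByAdmin1", "wrong guess")[0])      # denied
    print(login(cache, "ResetByAdmin1", "my first pet was rex")[0])  # ok, cache re-keyed
    print(login(cache, "ResetByAdmin1")[0])                     # ok
```

Because nothing in the cache itself records the reset, the only way to notice it is to open and read the cache at logon, which is exactly the profile access the article explains; the trade-off the customer observed (an early profile write to the server) follows directly from that read.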

Solution

Microsoft Windows and SecureLogin are working as designed. If any program accesses the profile at login, the same scenario will occur. The customer found no issues and merely wanted to know why the profile was accessed as described.