Single Sign-On (SSO) and network passwords
An SSO enabled user can't log in after their network password has been changed and is being presented with 'Access Denied' at the pre-boot login screen.
Please see our article below to check what message you're receiving at the pre-boot login screen:
The user's password has been changed outside of their Windows account. This could be for several reasons:
If this is the case, then the local pre-boot information has become out of sync.
The DESlock+ Full Disk Encryption login page is pre-operating system and will not receive the change until the user has successfully logged into their Windows account.
Once the user has successfully logged into their Windows account, SSO will automatically re-sync during the Windows logon process.
The user changing their password must have successfully been authenticated to boot the workstation at the FDE login screen. The user must have used their own credentials to boot the machine.
At the pre-boot login screen the user should enter their previous password. (this is because the pre-boot login can't receive the changed credentials pre-os and will only know the previous password)
When the user boots to Windows, they will need to log into Windows manually as SSO will fail. Once they have logged into Windows, SSO will automatically re-sync and the new password can be used on the next reboot.
If a user changes their Windows password from within their Windows account, the pre-boot login will be automatically updated so Single Sign-On will still work.
If the user has forgotten their previous password, please follow the article below in order to regain access:
keywords: SSO single sign-on sign network password access denied