Enabling Single Sign-On (SSO) technology
Single Sign-On (SSO) technology allows you to automatically log into the operating system using the credentials of the Authentication Agent. This means that a user needs to enter a password only once when signing in to Windows (Authentication Agent account password). Single Sign-On technology also lets you automatically update the Authentication Agent account password when the Windows account password is changed.
When using Single Sign-on technology, the Authentication Agent ignores the password strength requirements specified in Kaspersky Security Center. You can set the password strength requirements in the operating system settings.
Enabling Single Sign-On technology
How to enable the use of Single Sign-On technology in the Administration Console (MMC)
How to enable use of Single Sign-On in the Web Console
For Single Sign-On to work, the Windows account password and the password for the Authentication Agent account must match. If the passwords do not match, the user needs to perform the authentication procedure twice: in the interface of the Authentication Agent and before loading the operating system. These actions need to be performed only once to synchronize the passwords. After that, Kaspersky Endpoint Security replaces the password of the Authentication Agent account with the password of the Windows account. When the Windows account password is changed, the application will automatically update the password for the Authentication Agent account.
Third-party credential providers
Kaspersky Endpoint Security 11.10.0 adds support for third-party credential providers.
Kaspersky Endpoint Security supports the third-party credential provider ADSelfService Plus.
When working with third-party credential providers, Authentication Agent intercepts the password before the operating system is loaded. This means that a user needs to enter a password only once when signing in to Windows. After signing in to Windows, the user can utilize the capabilities of a third-party credential provider for authentication in corporate services, for example. Third-party credential providers also allow users to independently reset their own password. In this case, Kaspersky Endpoint Security will automatically update the password for Authentication Agent.
If you are using a third-party credential provider that is not supported by the application, you may encounter some limitations in Single Sign-On technology operation. When signing in to Windows, two profiles will be available to the user: in-system credential provider and third-party credential provider. The icons of these profiles will be identical (see the figure below). The user will have the following options for continuing:
- If the user selects the third-party credential provider, Authentication Agent will not be able to synchronize the password with the Windows account. Therefore, if the user has changed the Windows account password, Kaspersky Endpoint Security cannot update the password for the Authentication Agent account. As a result, the user needs to perform the authentication procedure twice: in the interface of the Authentication Agent and before loading the operating system. In this case, the user can utilize the capabilities of a third-party credential provider for authentication in corporate services, for example.
- If the user selects the in-system credential provider, Authentication Agent will synchronize the passwords with the Windows account. In this case, the user cannot utilize the capabilities of a third-party provider for authentication in corporate services, for example.
System authentication profile and third-party authentication profile for Windows sign-in