cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
141
Views
0
Helpful
1
Replies
Highlighted
Beginner

Single Sign On “Single User” Enforcement in NAM module

Hi

I have a costumer that is using the Anyconnect NAM module to support eap-tls with machine certificate. By default the "Single Sign On “Single User” Enforcement" is enabled, which means that you can not change user (in windows - log off/log on). By changing a registry key you are able to disable this, but i´m not sure of the consequences by doing this.

Since i´m only using machine certificates i don´t see any issues.

Any thoughts or pros/cons ?

 

Regards Henrik

Everyone's tags (1)
1 REPLY 1
Rising star

Re: Single Sign On “Single User” Enforcement in NAM module

Here is the reg hack:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.
0 allows multiple users to be logged on.

IMO it depends on what exactly you are trying to accomplish. Just know that if only doing computer auth for 8021x via eap-tls that if you allow multiple users that each user can piggyback off the one authenticated comp session. But like you said since you are not performing eap-chaining to also enforce user auth I agree and do not see a major issue. I am actually somewhat surprised that you are using NAM just for eap-tls with comp auth. I personally think using the native supplicant is easier if that is all you wish to accomplish.

Good luck & HTH!