6.2 Setting Up Password Synchronization Filters

The Active Directory driver must be configured to run on only one Windows server. However, for password synchronization to occur, you must install a password filter (pwFilter.dll) on each domain controller and configure the registry to capture passwords to send to the Identity Vault.

The password filter is automatically started when the domain controller is started. The filter captures password changes that users make by using Windows clients, encrypts the changes, and sends them to the driver to update the Identity Vault.

NOTE:

  • You do not need to install a password filter on a read-only domain controller.

  • The Active Directory driver can detect whether a user account password is modified by an administrator or by the user themselves. Based on this information, the Identity Manager engine sets the password during synchronization using the administrator account or user account, as appropriate.

  • The password filter lets you specify multiple hosts to which captured password changes are sent.

To simplify installation and administration of password filters, an Identity Manager PassSync utility is added to the Control Panel when the driver is installed. This utility gives you two choices for setting up the password filters, depending on whether you want to allow remote access to the registry on your domain controllers:

6.2.1 Allowing Remote Access to the Registry

If you allow remote access to the registry of each domain controller from the machine where you are running the driver, use the procedure in this section to configure the password filter. It allows the Identity Manager PassSync utility to configure each domain controller from one machine.

If you configure all the domain controllers from one machine, the Identity Manager PassSync utility provides the following features to help you during setup:

  • Lets you specify which domain you want to participate in password synchronization.

  • Automatically discovers all the domain controllers for the domain.

  • Lets you remotely install the pwFilter.dll on each domain controller.

  • Automatically updates the registry on the machine where the driver is running and on each domain controller.

  • Lets you view the status of the filter on each domain controller.

  • Lets you reboot a domain controller remotely.

    Rebooting the domain controller is necessary when you first add a domain for password synchronization, because the filter that captures password changes is a DLL file that starts when the domain controller is started.

Because setting up the filter requires rebooting the domain controller, you might want to perform this procedure after hours, or reboot only one domain controller at a time. If the domain has more than one domain controller, keep in mind that each domain controller where you want Password Synchronization to function must have the filter installed and must be rebooted.

  1. Confirm that port 135 (the RPC endpoint mapper) is accessible on the domain controllers and on the machine where the Active Directory driver is configured to run.

    If you are using NetBIOS over TCP, you also need these ports:

    • 137: NetBIOS name service

    • 138: NetBIOS datagram service

    • 139: NetBIOS session service

    A firewall could prevent the ports from being accessible remotely.

  2. Log in with an administrator account on the computer where the driver is installed.

  3. At the computer where the driver is installed, click Start > Control Panel > Identity Manager PassSync.

    NOTE: Because there may be security policies in place that could block the PassSync utility from running, we recommend you run the utility using an account with Administrator privileges.

    [Figure: Identity Manager PassSync icon]

  4. In the dialog box that is displayed, click Yes to specify that this is the machine where the driver is installed.

    Is this the machine where the DirXML driver is configured to run?

    You only receive this prompt the first time you run the utility. After you complete the configuration, you are not shown this prompt again unless you remove this domain from the list.

  5. Click Add, then browse to and select the domain that you want to participate in password synchronization.

    The drop-down list displays known domains.

  6. If no domains are listed, or if a 1208 error is displayed, you must manually type the domain name.

    [Figure: Password synchronization utility, Add Domain dialog]

    The Identity Manager PassSync utility discovers all the domain controllers for that domain, and installs pwFilter.dll on each domain controller. It also updates the registry on the computer where you are running the drivers, and on each domain controller. This might take a few minutes.

    The pwFilter.dll doesn’t capture password changes until the domain controller has been rebooted. The Identity Manager PassSync utility lets you see a list of all the domain controllers and the status of the filter on them. It also lets you reboot the domain controller from inside the utility.

  7. (Optional) Specify a computer in the domain, then click OK.

    If you leave the Computer field blank, PassSync queries the local machine. Therefore, if you are running PassSync on a domain controller, you don’t need to specify a name: PassSync queries the local domain controller and retrieves from it the list of all domain controllers in the domain.

    If you aren’t installing on a domain controller, specify the name of a computer that is in the domain and that can get to a domain controller.

    If you receive an error message indicating that PassSync can’t locate a domain, specify a name.

  8. Click Yes to use the domain’s DNS name.

    Do you want to use the DNS name for the domain?

    You can select No, but the DNS name provides more advanced authentication and the ability to more reliably discover domains in bigger installations. However, the choice depends on your environment.

  9. Select the name of the domain you want to participate in password synchronization from the list, then click Filters.

    [Figure: List of synchronized domains]

    The utility displays the names of all the domain controllers in the selected domain and the status of the filter.

    [Figure: Password filter status]

    The status for each domain controller should display the filter state as Not installed. However, it might take a few minutes for the utility to complete its automated task, and in the meantime the status might say Unknown.

  10. To install the filter, click Add, then click Reboot.

    You can choose to reboot the domain controllers at a time that makes sense for your environment. Just keep in mind that password synchronization won’t be fully functional until every domain controller has been rebooted.

  11. When the status for all domain controllers is Running, test password synchronization to confirm that it is working.

  12. To add more domains, click OK to return to the list of domains, and repeat Step 5 through Step 11.

6.2.2 Not Allowing Remote Access to the Registry

If you do not want to allow remote access to the registry of each domain controller, you must set up the password filters on each domain controller separately. To do this, go to each domain controller, install the remote loader service so you have the Identity Manager PassSync utility, and use the utility on each machine to install the password filter and update the registry.

In the procedure in this section, you install the driver so that you have the Identity Manager PassSync utility. Then you use the utility to install the pwFilter.dll file, specify the port to use, and specify which host machine is running the Identity Manager Driver for Active Directory.

Because setting up the filter requires rebooting the domain controller, you might want to perform this procedure after hours, or reboot only one domain controller at a time. If a domain has more than one domain controller, keep in mind that each domain controller where you want Password Synchronization to function must have the filter installed and must be rebooted.

This procedure is for any domain controller that does not have the Active Directory driver installed on it.

  1. Confirm that the following ports are available on both the domain controller and the machine where the Identity Manager Driver for Active Directory is configured to run:

    • 135: The RPC endpoint mapper

    • 137: NetBIOS name service

    • 138: NetBIOS datagram service

    • 139: NetBIOS session service

  2. On the domain controller, install only the Active Directory driver. For more information, see Considerations for Installing the Identity Manager Engine in the NetIQ Identity Manager Setup Guide.

    Installing the driver installs the Identity Manager PassSync utility.

  3. Click Start > Settings > Control Panel > Identity Manager PassSync.

    NOTE: Because there may be security policies in place that could block the PassSync utility from running, we recommend you run the utility using an account with Administrator privileges.

    [Figure: Identity Manager PassSync icon]

  4. In the dialog box that displays, click No to specify that this machine is not running the Active Directory driver.

    Is this the machine where the driver will run?

    After you complete the configuration, you are not shown this prompt again unless you remove the password filter by using the Remove button in the Password Filter Properties dialog box.

    After you click No, the Password Filter Properties dialog box appears, with a status message indicating that the password filter is not installed on this domain controller.

    [Figure: Password Filter Properties dialog box]

  5. Click the Setup button to install the password filter, pwFilter.dll.

  6. For the Port setting, specify whether to use dynamic port or static port.

    Use the static port option only if you have decided to configure your remote procedure call (RPC) for the domain controller differently than the default.

  7. Click Add to specify the hostname of the machine running the Identity Manager driver, then click OK.

    [Figure: Specify the name of the machine where the driver is running]

    This step is necessary so that the password filter knows where to send the password changes. The password filter captures password changes, and must send them to the Identity Manager driver to update the Identity Manager data store.

  8. Verify that the information specified in Step 5 through Step 7 is correct, then click OK.

  9. Reboot the domain controller to complete the installation of the password filter.

    You can choose to reboot at a time that makes sense for your environment. Just keep in mind that password synchronization won’t be fully functional until every domain controller has the password filter installed and has been rebooted.

    After the installation is complete and the domain controller is rebooted, the password filter is loaded automatically whenever the domain controller starts.

  10. Check the status for the password filter again by clicking Start > Settings > Control Panel, and double-clicking the Identity Manager PassSync utility.

    Confirm that the status says Running.

  11. Repeat Step 2 through Step 10 for each domain controller that you want to participate in password synchronization.

  12. When the status says Running for all the domain controllers, test password synchronization to confirm that it is working by having a user change his or her password by using the Windows Client. This should initiate the synchronization process.
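The following PowerShell script is an added example for this page; it is not part of the NetIQ documentation or the PassSync utility. Run from the machine where the Active Directory driver runs, it first checks the port reachability required by step 1 of both procedures above, and then checks each domain controller for the state that the final steps of both procedures ask you to confirm: whether the filter DLL is present and registered, and whether the reboot that activates it is still pending. The domain controller names are constructed sample values; the script assumes WinRM is enabled on the domain controllers (for Invoke-Command) and that pwFilter.dll is registered, under the name pwFilter, in the LSA "Notification Packages" registry value, which is the mechanism Windows uses to load password filter DLLs.

```powershell
# Added example (not NetIQ code). Pre-flight port check plus per-DC filter audit
# for the pwFilter.dll password synchronization filter.
# Assumptions: sample DC names below are constructed; WinRM is enabled on the
# DCs; the filter is registered as "pwFilter" in LSA "Notification Packages".
param(
    [string[]] $DomainControllers = @('dc1.example.com', 'dc2.example.com'),  # constructed
    [string]   $FilterName = 'pwFilter',
    [int]      $TimeoutMs = 3000
)

# --- Part 1: ports from step 1 of both procedures --------------------------
# 135 and 139 are TCP and can be probed with a connect. 137 and 138 are UDP
# NetBIOS services; a TCP connect cannot confirm them, so they are only listed.
$ports = @(
    @{ Port = 135; Proto = 'TCP'; Service = 'RPC endpoint mapper' },
    @{ Port = 137; Proto = 'UDP'; Service = 'NetBIOS name service' },
    @{ Port = 138; Proto = 'UDP'; Service = 'NetBIOS datagram service' },
    @{ Port = 139; Proto = 'TCP'; Service = 'NetBIOS session service' }
)

function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout is the usual sign of a firewall drop.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws when the port is closed or refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$portResults = foreach ($dc in $DomainControllers) {
    foreach ($p in $ports) {
        $state = 'UDP (not probed)'
        if ($p.Proto -eq 'TCP') {
            $state = if (Test-TcpPort -ComputerName $dc -Port $p.Port -TimeoutMs $TimeoutMs) { 'Open' } else { 'Blocked/closed' }
        }
        [pscustomobject]@{ DomainController = $dc; Port = $p.Port; Protocol = $p.Proto; Service = $p.Service; State = $state }
    }
}
$portResults | Format-Table -AutoSize

# --- Part 2: filter registration and reboot state on each domain controller --
$audit = {
    param($FilterName)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ: one entry per password filter DLL, named without ".dll".
    $packages = @((Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages')
    $dll      = Join-Path $env:SystemRoot ('System32\{0}.dll' -f $FilterName)
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $dllTime  = if (Test-Path $dll) { (Get-Item $dll).LastWriteTime } else { $null }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Registered    = ($packages -contains $FilterName)
        DllPresent    = ($null -ne $dllTime)
        # A DLL written after the last boot is on disk but not yet loaded by LSA:
        # the reboot required by the procedure is still pending on this DC.
        RebootPending = (($null -ne $dllTime) -and ($dllTime -gt $lastBoot))
        Packages      = ($packages -join ', ')
    }
}
$filterResults = Invoke-Command -ComputerName $DomainControllers -ScriptBlock $audit -ArgumentList $FilterName
$filterResults | Format-Table ComputerName, Registered, DllPresent, RebootPending, Packages -AutoSize

# Synchronization is fully functional only when every writable DC has the
# filter registered, present on disk, and loaded (no reboot pending).
$notReady = $filterResults | Where-Object { -not $_.Registered -or -not $_.DllPresent -or $_.RebootPending }
if ($notReady) {
    Write-Warning ('Password synchronization is not yet functional on: {0}' -f ($notReady.ComputerName -join ', '))
}
```

Pass only writable domain controllers in $DomainControllers, since the page notes that read-only domain controllers do not need the filter. The Packages column lists every password filter DLL registered on the domain controller; comparing it against what you expect on your build is a useful routine check, because any DLL in that value is loaded by LSA at boot and sees password changes.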