You will probably never need these details unless you are troubleshooting DirXML. A password modify operation on a Domain Controller is intercepted by the AD Password Filter process, which provides a notification to the DirXML PWFILTER.DLL.
The flow is similar to:
- The Microsoft Password Filter process provides a notification to the DirXML PWFILTER.DLL
- Thread 1 of DirXML PWFILTER.DLL traps a password in cleartext.
- Thread 1 of DirXML PWFILTER.DLL encrypts the password using the Domain Controller's public key.
- Thread 1 of DirXML PWFILTER.DLL stores the encrypted password in the Windows registry on the Domain Controller (HKLM/SOFTWARE/Novell/PwFilter/Data/username).
- Thread 1 of DirXML PWFILTER.DLL notifies Thread 2 of pwfilter of work
- Thread 2 of DirXML PWFILTER.DLL receives notification from thread 1
- Thread 2 of DirXML PWFILTER.DLL reads encrypted password from registry and decrypts the password
- Thread 2 of DirXML PWFILTER.DLL then encrypts password using DirXML Shim machine Public Key.
- Thread 2 of DirXML PWFILTER.DLL makes a Remote Procedure Call (RPC) to the DirXML Driver (or DirXML Remote Loader) machine, which stores the encrypted password under HKLM/SOFTWARE/Novell/PassSync/Data/username/.
- The machine running the Microsoft Active Directory Driver picks up the password change and sends it across the driver channel (as a normal XML document) to eDirectory.
- eDirectory and DirXML then apply their rules to determine how to set nspmDistributionPassword; depending on the Universal Password Policy definitions, the password then syncs to the NDS password, potentially the Simple Password, and across to other connected applications.
Files
The location of the files may vary based on the install media.
Installation
During the installation of a DirXML Remote Loader for the Microsoft Active Directory Driver, the files listed below were all in the install media's nt/dirxml/system32 directory before IDM 3.5.x. As of IDM 3.5.x, 64-bit Domain Controller (DC) support was added, and as a result the pwfilter.dll and psevent.dll files are located in architecture-specific directories such as system32_dlls and system64_dlls.
Patches
For patches, the DirXML Remote Loader files listed below are all in the install media's <extracted file>\x64 directory.
This was with the IDM402_AD_4003 patch.
- PWFILTER.DLL - Main Password Sync component that captures passwords. Placed in the directory defined by %SYSTEMDIRECTORY% (usually /windows/system32).
- PSEVENT.DLL - Placed in the directory defined by %SYSTEMDIRECTORY%.
- PASSSYNCCONFIG.CPL - Password Sync Control Panel applet. Placed in the directory defined by %SYSTEMDIRECTORY%.
- PassSyncConfigR.dll - Location and file name vary with language (under the <extracted file>\x64\nls\ folder).
Windows Registry Keys
DirXML Driver or DirXML Remote Loader Machine:
REG_DWORD:
- 0x1 tells passsyncconfig.cpl that this is the machine where the driver (DirXML Shim) is running.
- 0x0 tells passsyncconfig.cpl that the driver (DirXML Shim) is not running on this machine.
- Enum Data: REG_BINARY: ....
- Enum Index: REG_DWORD: ....
- State: REG_DWORD: ....
HKLM/SOFTWARE/Novell/PwFilter (32 Bit & 64 Bit)
- Host Names: REG_MULTI_SZ: the DNS name of the Domain Controller (DC) running the DirXML Remote Loader (or DirXML Driver). pwfilter.dll uses this key to know which server is running the driver (DirXML Shim), so that it can send the password changes there to be synchronized over the channel.
HKLM/SYSTEM/CurrentControlSet/Control/Lsa
This is how the Local Security Authority (LSA) notifies the various password filter packages that a password modify operation has occurred. Do not remove other values.
- REG_MULTI_SZ: PWFILTER. This notifies the DirXML PWFILTER.DLL of a password change.
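An added troubleshooting script (not from the original page, the IDM product or its documentation) that verifies the registry settings above on a Domain Controller. It assumes the LSA value that lists password filter DLLs is named 'Notification Packages' (the standard Windows name for it) and that each entry under PwFilter\Data is one captured change still waiting for Thread 2 to forward it; it reads configuration and counts only, never the stored password data.

```powershell
# Added example for this page; not part of the IDM product or its documentation.
# Assumptions: the LSA value listing password filters is 'Notification Packages'
# (standard Windows name); entries under PwFilter\Data are one per captured
# change awaiting Thread 2's RPC to the driver host. Reads config and counts only.
param(
    [string]$PwFilterKey = 'HKLM:\SOFTWARE\Novell\PwFilter',
    [string]$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

function Test-PwFilterRegistration {
    # LSA only calls PWFILTER.DLL on password changes if it is listed here.
    $pkgs = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages' `
             -ErrorAction SilentlyContinue).'Notification Packages'
    [pscustomobject]@{
        Check  = 'LSA Notification Packages lists PWFILTER'
        Result = [bool]($pkgs -contains 'PWFILTER')
        Detail = ($pkgs -join ', ')
    }
}

function Test-PwFilterHostNames {
    # Host Names tells pwfilter.dll which server runs the driver (DirXML Shim);
    # an empty or unresolvable entry means captured changes never leave the DC.
    $names = (Get-ItemProperty -Path $PwFilterKey -Name 'Host Names' `
              -ErrorAction SilentlyContinue).'Host Names'
    $detail = foreach ($n in @($names)) {
        try { [System.Net.Dns]::GetHostEntry($n).HostName } catch { "$n (unresolvable)" }
    }
    $ok = (@($names).Count -gt 0) -and -not ($detail -match 'unresolvable')
    [pscustomobject]@{
        Check  = 'PwFilter Host Names set and resolvable'
        Result = [bool]$ok
        Detail = ($detail -join ', ')
    }
}

function Get-PendingPasswordCount {
    # A steadily growing count under PwFilter\Data means Thread 2 is not
    # delivering to the driver host (RPC, firewall or Host Names problem).
    $data = Join-Path $PwFilterKey 'Data'
    if (-not (Test-Path $data)) { return 0 }
    $subkeys = @(Get-ChildItem -Path $data -ErrorAction SilentlyContinue).Count
    $values  = @((Get-Item -Path $data).GetValueNames()).Count
    return $subkeys + $values
}

Test-PwFilterRegistration
Test-PwFilterHostNames
"Entries pending under $PwFilterKey\Data: $(Get-PendingPasswordCount)"
```

Run it in an elevated PowerShell session on the Domain Controller; a pending count that keeps rising between runs points at the DC-to-driver-host leg of the flow rather than at the driver itself.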
Driver Parameters
There are a couple of driver parameters that affect the password flow from Active Directory to eDirectory.
Password Sync Timeout (minutes)
The recommended value is at least three times the value of the polling interval. For example, if the Driver Polling Interval is set to 10 minutes, set the Password Sync Timeout to 30 minutes.
- If this value is set to 0, Password Synchronization is disabled for this driver.
- If this value is set to -1, passwords never expire. The maximum value is 2,147,483,647 minutes.
- The default value is 5 minutes.
DC Passwords TimeToLive (minute)
Specify the time limit in minutes for passwords to be stored in the Domain Controller registry.
This allows passwords stored in the Domain Controller registry to time out if the password does not synchronize to the driver within the specified time.
- If this value is set to -1, passwords will never be deleted from the registry.
- The default value is -1.
We assume
That you have verified that the driver is set to synchronize passwords and the Global Config Values in the properties of the driver.
Default Driver Behavior
The password is sent across as a password element from the Remote Loader to the driver and through to eDirectory. Note that the password stays within a password element and is NOT converted to the nspmDistributionPassword attribute prior to setting the password. Remember this when working with the Microsoft Active Directory Driver on the Publisher Channel: you need to check for a password change event rather than a modify of the nspmDistributionPassword attribute.
The password will NOT synchronize from Microsoft Active Directory to eDirectory if the user object does not have a DirXML Association. You will receive the error: Message: Code(-8019) Operation vetoed on unassociated object.
Flow eDirectory to Microsoft Active Directory
Generally, the Subscriber Channel flow is the same as in most drivers. The nspmDistributionPassword attribute shows as being modified until the Command Transformation Policy Set. The DirXML PWFILTER.DLL is NOT involved in the Subscriber Channel flow.
For our discussion, we assume the user is already associated.
- A password change is received.
- If the user object has a password policy assigned, and that policy has Universal Password enabled with 'Synchronize Distribution Password when setting Universal Password' set, the password is copied to the nspmDistributionPassword attribute on the user object.
- The password change is captured by IDM and sent across the Subscriber Channel.
- Under the Command Transformation Policy Set, the rule 'Convert modifies of a NspmDistributionPassword attribute to a modify password operation' copies the password from the nspmDistributionPassword attribute into a password element and strips off the nspmDistributionPassword attribute.
- The password element is sent across the Remote Loader and updates the password through AD calls. (If you can update the password from the server running the Remote Loader with Active Directory Users and Computers, the driver should be able to update the password.)
Create a MAD Service To Run regedit
Create a MAD Service To Run describes how to create a MAD service to run regedit. We think it may be helpful in understanding how services work, mostly for troubleshooting purposes.
More Information
There might be more information for this subject on one of the following:
- Active Directory and Passwords
- Microsoft Active Directory Driver
- PWFILTER Windows Events
- Password Management Applications
- Web Blog_blogentry_260814_1
- [#1] TID 3614450 - Password Sync 2.0 - AD to eDirectory Components
- [#2] How To Create a Service under Windows
- TID 3650562 - Troubleshooting Password Synchronization in Identity Manager - based on information observed on 2014-08-27
- TID 3554990 - Troubleshooting Password Synchronization from the Active Directory Filter to the Active Directory Driver. - based on information observed on 2014-08-27
- TID 7003222 - AD to EDIR Password sync failing & no (PWD) tracing in remote loader logs - based on information observed on 2014-08-27
- TID 7000896 - (-1208) Error in PassSync Control Panel Applet - based on information observed on 2014-08-27
- TID 7006575 - AD to eDir PassSync not working - pbValidDC = FALSE, PassSyncExchangeData() returned 0x00000774
- TID 3304529 - Password changes made in AD are not going into eDirectory
- TID 3976631 - What determines the Status of the Filter in the IDM PassSync
- TID 7012989 - Detailed information on the new IDM 402 AD Driver feature "DC Passwords TimeToLive (minute)"