Password Flow From Active Directory to eDirectory

Overview#

This page describes what happens when a user changes a password in Microsoft Active Directory while the Microsoft Active Directory Driver is in use: the flow through the various components that make up the DirXML PWFILTER.DLL process.

Generally, the process uses well-known, published Microsoft APIs, as described in Active Directory and Passwords.

You will probably never need these details unless you are Troubleshooting DirXML.

DirXML Remote Loader#

Although we describe Password Flow From Active Directory to eDirectory using a DirXML Remote Loader, the same process applies when eDirectory (and the IDM engine) runs on the Windows server itself.

Files #

The location of the files may vary based on the install media.


Before IDM 3.5.x, the DirXML Remote Loader files for the Microsoft Active Directory Driver listed below were all in the install media's nt/dirxml/system32 directory. As of IDM 3.5.x, 64-bit Domain Controller (DC) support was added, and as a result pwfilter.dll and psevent.dll are located in architecture-specific directories such as system32_dlls and system64_dlls.

Patches #

For patches, the DirXML Remote Loader files listed below are in the patch's <extracted file>\x64 directory.

This was observed with the IDM402_AD_4003 patch.

Files Names#

  • PWFILTER.DLL - Main Password Sync component that captures passwords. Placed in the directory defined by %SYSTEMDIRECTORY% (usually C:\Windows\System32)
  • PSEVENT.DLL - Placed in the directory defined by %SYSTEMDIRECTORY%
  • PASSSYNCCONFIG.CPL - Password Sync Control Panel applet. Placed in the directory defined by %SYSTEMDIRECTORY%
  • PassSyncConfigR.dll - Location and file name vary with language (under the <extracted file>\x64\nls\ folder)

Registry Keys #

  • HKLM\SOFTWARE\Novell\PassSync - Driver Machine: REG_DWORD:
    • 0x1 tells passsyncconfig.cpl that this is the machine where the driver (shim) is running.
    • 0x0 tells passsyncconfig.cpl that the driver (shim) is not running on this machine.
  • HKLM\SOFTWARE\Novell\PassSync\Data -
    • Domains: REG_MULTI_SZ: the DNS name of your domain.
    • Enum Data: REG_BINARY : ....
    • Enum Index: REG_DWORD : ....
    • State: REG_DWORD : ....
  • HKLM\SOFTWARE\Novell\PassSync\Data\<username> -
    • On the host running the shim, there is one entry for each user whose password change is waiting to flow across the driver channel. The contents of Data cannot normally be viewed (see below).
    • Each domain controller picks up password changes and stores them in a registry key for each user. The DirXML PWFILTER.DLL then forwards them to the host named in HKLM\SOFTWARE\Novell\PwFilter - Host Names.
  • HKLM\SOFTWARE\Novell\PwFilter (32-bit and 64-bit)
    • Host Names: REG_MULTI_SZ: the DNS name of the Domain Controller (DC) running the remote loader (or driver). pwfilter.dll uses this value to know which server runs the driver shim, and so where to send captured password changes for synchronization across the channel.
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa - Notification Packages: PWFILTER.DLL must be registered here as a notification package (listed by its base name) so that LSA loads it and notifies it of password changes.
  • TimeToLive - (exact registry location not confirmed; see DC Passwords TimeToLive under Driver Parameters below)
The contents of HKLM\SOFTWARE\Novell\PassSync\Data\ cannot normally be viewed: permissions on this key are limited to SYSTEM (Local System) only and are denied even to Administrators. To see the keys you must grant your user permissions to Data and below, or run regedit as SYSTEM (see Create a MAD Service To Run regedit below).
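The following PowerShell is an added example, not code from this page or from the IDM product. It reads back the registry settings listed above on the local machine and flags the misconfigurations that most often break the flow. Key and value names are the ones given above; that the notification package is listed by the DLL's base name, PWFILTER, is an assumption. It expects an elevated PowerShell prompt on a Windows DC or on the remote loader machine. As noted above, PassSync\Data is readable only by SYSTEM, so the Domains value and the pending-user list will be unavailable unless you run it as SYSTEM (for example from the MAD service described later on this page).

```powershell
# Added example: inspect the PassSync / PwFilter configuration described on this page.
# Key and value names are the ones listed above; 'PWFILTER' as the notification-package
# name (the DLL base name) is an assumption. Run from an elevated PowerShell prompt.

function Get-PassSyncConfig {
    $pwFilter = 'HKLM:\SOFTWARE\Novell\PwFilter'
    $passSync = 'HKLM:\SOFTWARE\Novell\PassSync'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Values an Administrator can normally read; a missing key or value just yields $null.
    $hostNames  = (Get-ItemProperty -Path $pwFilter -Name 'Host Names' -ErrorAction SilentlyContinue).'Host Names'
    $driverFlag = (Get-ItemProperty -Path $passSync -Name 'Driver Machine' -ErrorAction SilentlyContinue).'Driver Machine'
    $packages   = (Get-ItemProperty -Path $lsa -Name 'Notification Packages' -ErrorAction SilentlyContinue).'Notification Packages'

    # PassSync\Data and everything below it is SYSTEM-only (denied even to Administrators),
    # so record whether we could read it instead of failing.
    $dataReadable = $false
    $domains = @()
    try {
        $dataKey = Get-Item -Path "$passSync\Data" -ErrorAction Stop
        $domains = @($dataKey.GetValue('Domains') | Where-Object { $_ })
        $dataReadable = $true
    } catch { }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $sysDir = [Environment]::SystemDirectory          # %SYSTEMDIRECTORY%, usually C:\Windows\System32

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = ($role -ge 4)
        PassSyncInstalled    = (Test-Path -Path $passSync)
        IsDriverMachine      = ($driverFlag -eq 1)                      # Driver Machine = 0x1
        PwFilterHostNames    = @($hostNames | Where-Object { $_ })      # where pwfilter.dll forwards captured changes
        PwFilterInLsa        = [bool]($packages -contains 'PWFILTER')   # -contains is case-insensitive
        PwFilterDllPresent   = (Test-Path -Path (Join-Path $sysDir 'pwfilter.dll'))
        PsEventDllPresent    = (Test-Path -Path (Join-Path $sysDir 'psevent.dll'))
        PassSyncDataReadable = $dataReadable
        PassSyncDomains      = $domains
    }
}

function Test-PassSyncConfig {
    # Returns a list of problems; empty when everything the page requires is in place.
    param([pscustomobject]$Config = (Get-PassSyncConfig))
    $problems = @()
    if ($Config.IsDomainController) {
        if (-not $Config.PwFilterDllPresent) { $problems += 'pwfilter.dll is not in the system directory on this DC' }
        if (-not $Config.PsEventDllPresent)  { $problems += 'psevent.dll is not in the system directory on this DC' }
        if (-not $Config.PwFilterInLsa)      { $problems += 'PWFILTER is not in Lsa\Notification Packages, so LSA never calls it (a reboot is required after adding it)' }
        if ($Config.PwFilterHostNames.Count -eq 0) { $problems += 'PwFilter\Host Names is empty: captured passwords have no driver host to go to' }
    }
    if ($Config.IsDriverMachine -and -not $Config.PassSyncInstalled) {
        $problems += 'Driver Machine is set but the PassSync key is missing'
    }
    if ($Config.PassSyncDataReadable -and $Config.PassSyncDomains.Count -eq 0) {
        $problems += 'PassSync\Data\Domains is empty: set it to the DNS name of the domain'
    }
    $problems
}

function Get-PassSyncPendingUsers {
    # One sub-key under PassSync\Data per user whose change is waiting to cross the driver channel.
    try {
        @(Get-ChildItem -Path 'HKLM:\SOFTWARE\Novell\PassSync\Data' -ErrorAction Stop).PSChildName
    } catch {
        Write-Warning 'Cannot read PassSync\Data: run as SYSTEM or grant Read on Data and below.'
        $null
    }
}

Get-PassSyncConfig | Format-List
Test-PassSyncConfig
Get-PassSyncPendingUsers
```

Run it on every DC (where only the PwFilter checks matter) and on the driver host (where the PassSync checks matter); an empty result from Test-PassSyncConfig means the static configuration matches what this page describes, and anything left in Get-PassSyncPendingUsers for more than a few polling intervals points at the driver channel rather than at the filter.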

Driver Parameters#

There are a couple of Driver Parameters that affect the Password Flow From Active Directory to eDirectory.

Password Sync Timeout (minute)#

Specify the number of minutes for the driver to attempt to synchronize a given password. The driver does not try to synchronize the password after this interval has been exceeded.

The recommended value is at least three times the value of the polling interval. For example, if the Driver Polling Interval is set to 10 minutes, set the Password Sync Timeout to 30 minutes.

  • If this value is set to 0, password synchronization is disabled for this driver.
  • If this value is set to -1, pending passwords never expire. The maximum value is 2,147,483,647 minutes.
  • The default value is 5 minutes.

DC Passwords TimeToLive (minute) #

Specify the time limit in minutes for the passwords to be stored in the Domain Controller registry.

This allows the passwords that are stored in the Domain Controller registry to time out if the password does not synchronize to the driver within the specified time.

  • If this value is set to -1, passwords will never be deleted from the registry.
  • The default value is -1.

We assume #

We assume that you have verified, in the properties of the Driver, that the Driver is set to synchronize passwords (the password synchronization Global Configuration Values).

Flow Microsoft Active Directory to EDirectory#

The DirXML PWFILTER.DLL wakes up every minute (this is hardcoded) and looks at each entry in HKLM\SOFTWARE\Novell\PassSync\Data\<username>\.

  • The password is changed in Microsoft Active Directory by some means.
  • The password change is picked up at a domain controller and DirXML PWFILTER.DLL is notified. (This works because DirXML PWFILTER.DLL is loaded by LSA as a notification package listed in HKLM\SYSTEM\CurrentControlSet\Control\Lsa.)
  • DirXML PWFILTER.DLL places the password change in a new registry key for that user under HKLM\SOFTWARE\Novell\PwFilter\Data\<username>. For example, a password change for BOB1 would be stored in HKLM\SOFTWARE\Novell\PwFilter\Data\BOB1.
  • DirXML PWFILTER.DLL then sends the password change to the machine running the remote loader (or driver), determined by HKLM\SOFTWARE\Novell\PwFilter - Host Names, and the change is placed under the HKLM\SOFTWARE\Novell\PassSync\Data\<username>\ registry key on that machine. This only occurs if the Remote Loader is up and running and connected to the IDM Engine.
  • The machine running the Microsoft Active Directory Driver picks up the password change and sends it across the driver channel (as a normal XML document) to eDirectory.
  • It follows the rules (policies) in eDirectory and sets nspmDistributionPassword which, depending on the Universal Password policy rules defined, syncs to the NDS password, potentially to the Simple Password, and across to other connected systems.
The Remote Loader uses the rights granted to the application username it runs as. If that user does not have rights to read the registry values under HKLM\SOFTWARE\Novell\PassSync\Data\, password synchronization fails.
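To see the first steps of this flow happen on a real DC, the following PowerShell is an added example (not code from the page or from the product). It resets a throwaway test account's password against the local DC and then watches for the per-user key to appear and disappear under HKLM\SOFTWARE\Novell\PwFilter\Data, the DC-side key named above. It assumes the ActiveDirectory RSAT module is installed, that you run it elevated on a DC with pwfilter installed, that the per-user sub-key is named after the account's sAMAccountName (the page's example is BOB1), and, as with PassSync\Data, that you have Read access to the Data key (run as SYSTEM if not).

```powershell
# Added example: reset a test account's password on this DC and watch pwfilter.dll's
# per-user registry entry appear and then disappear. Assumptions: the ActiveDirectory
# module is available, this is a DC with pwfilter installed, the sub-key name is the
# account's sAMAccountName, and the caller can read PwFilter\Data.

function Watch-PwFilterPasswordEntry {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # a dedicated test account, e.g. 'pwsync-test'
        [int]$TimeoutSeconds = 180
    )
    Import-Module ActiveDirectory

    $dataKey = 'HKLM:\SOFTWARE\Novell\PwFilter\Data'
    $userKey = Join-Path -Path $dataKey -ChildPath $SamAccountName

    # Test-Path silently returns $false on a key we are not allowed to read, which would
    # look like "never captured", so prove we can enumerate Data before starting.
    try { $null = Get-ChildItem -Path $dataKey -ErrorAction Stop }
    catch { throw "Cannot read $dataKey - run this as SYSTEM or grant yourself Read on Data and below." }

    # Step 1: change the password, targeting THIS DC so it is the one whose LSA notifies pwfilter.
    $newPassword = Read-Host -AsSecureString -Prompt "New password for $SamAccountName"
    Set-ADAccountPassword -Identity $SamAccountName -Server $env:COMPUTERNAME -Reset `
        -NewPassword $newPassword -ErrorAction Stop
    Write-Host ("{0:T} password reset on {1}" -f (Get-Date), $env:COMPUTERNAME)

    # Steps 2-4: pwfilter.dll creates the per-user key, then forwards the change to the host in
    # PwFilter\Host Names; the entry goes away once delivered (or when DC Passwords TimeToLive expires).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $seen = $false
    while ((Get-Date) -lt $deadline) {
        $present = Test-Path -Path $userKey
        if ($present -and -not $seen) {
            $seen = $true
            Write-Host ("{0:T} entry created: {1}" -f (Get-Date), $userKey)
        } elseif ($seen -and -not $present) {
            Write-Host ("{0:T} entry removed (delivered to the driver host, or TimeToLive expired)" -f (Get-Date))
            return 'delivered'
        }
        Start-Sleep -Seconds 2
    }
    # 'stuck': the key was created but never cleared - check PwFilter\Host Names and that the
    # Remote Loader is running and connected to the engine. 'never-captured': LSA did not call
    # pwfilter on this DC - check Notification Packages and that pwfilter.dll is present.
    if ($seen) { 'stuck' } else { 'never-captured' }
}

Watch-PwFilterPasswordEntry -SamAccountName 'pwsync-test'
```

The three possible results map onto the steps above: 'never-captured' is a filter problem on the DC, 'stuck' is a delivery problem between the DC and the host named in Host Names, and 'delivered' means the rest of the investigation belongs in the Remote Loader and engine traces.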

Default Driver Behavior#

The password is sent across as a password element from the Remote Loader to the Driver and through to eDirectory. Note that the password stays within a password element and is NOT converted into an nspmDistributionPassword attribute before the password is set. Remember this when writing Publisher Channel policies for the Microsoft Active Directory Driver: you need to check for a password change event rather than for a modify of the nspmDistributionPassword attribute.

The password will NOT synchronize from AD to eDirectory if the user object does not have an association. You will receive the error: Message: Code(-8019) Operation vetoed on unassociated object.

When getting password sync traces for IDM, a Level 3 trace will show you the processing of policies and troubleshooting most password sync issues. A Level 5 trace will give you more detail on password sync processing, which may be helpful at times.

Flow EDirectory to Microsoft Active Directory#

Generally, the Subscriber Channel flow is the same as in most drivers. The nspmDistributionPassword attribute shows as being modified until the Command Transformation Policy Set. The DirXML PWFILTER.DLL is NOT involved in the Subscriber Channel flow.

For our discussion, we assume the user is already associated.

  • The password change is received.
  • If the User object has a Password Policy assigned, that policy has Universal Password enabled, and it is set to Synchronize Distribution Password when setting Universal Password, the password is copied to the nspmDistributionPassword attribute on the user object.
  • The password change is captured by IDM and sent across the Subscriber Channel.
  • In the Command Transformation Policy Set, the rule 'Convert modifies of a NspmDistributionPassword attribute to a modify password operation' copies the password from the nspmDistributionPassword attribute into a password element and strips off the nspmDistributionPassword attribute.
  • The password element is sent across to the remote loader, which updates the password through AD calls. (If you can update the user's password from the server running the remote loader with Active Directory Users and Computers, the driver should be able to update the password.)
To get additional tracing detail of password synchronization, use trace Level 5 on the Remote Loader if using a remote loader, or trace Level 5 on the Driver if the IDM engine and eDirectory are running locally on the Windows server. You should see [PWD] tagged lines in the trace.
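The parenthetical check in the last step ("if you can update the password from the remote loader server, the driver can too") can be scripted so it is done with the driver's own account rather than with whatever administrator happens to be logged on. The following PowerShell is an added example, not code from the page or from the product: it resets a throwaway test account's password while authenticating as the driver's application account. It assumes the ActiveDirectory RSAT module is installed on the remote loader server, that you know the credential the driver authenticates with, and that the test account is disposable (its password is replaced with a constructed random one).

```powershell
# Added example: prove that the account the AD driver / Remote Loader authenticates as can
# reset passwords, by doing exactly what the Subscriber Channel does, as that account.
# Assumptions: ActiveDirectory module present, a disposable test user, run on the RL server.

function New-TestPassword {
    # Constructed random password with four character classes, so it passes the default
    # complexity rule; never reused for a real account.
    $upper  = 1..6 | ForEach-Object { [char](Get-Random -Minimum 65 -Maximum 91) }
    $lower  = 1..6 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) }
    $digits = 1..4 | ForEach-Object { [char](Get-Random -Minimum 48 -Maximum 58) }
    $symbol = [char[]]'!#%+-=' | Get-Random -Count 2
    -join (($upper + $lower + $digits + $symbol) | Sort-Object { Get-Random })
}

function Test-DriverPasswordReset {
    param(
        [Parameter(Mandatory)][pscredential]$DriverCredential,   # the driver's application (authentication) account
        [Parameter(Mandatory)][string]$TestSamAccountName,       # throwaway test user, never a real one
        [string]$Server = $env:COMPUTERNAME                      # DC to send the reset to
    )
    Import-Module ActiveDirectory
    $secure = ConvertTo-SecureString -String (New-TestPassword) -AsPlainText -Force
    try {
        # -Reset is an administrative reset (no old password), which is what the driver performs.
        Set-ADAccountPassword -Identity $TestSamAccountName -Server $Server -Reset `
            -NewPassword $secure -Credential $DriverCredential -ErrorAction Stop
        [pscustomobject]@{ Account = $DriverCredential.UserName; CanResetPassword = $true;  Error = $null }
    } catch {
        # 'Access is denied' means the driver account lacks the Reset Password right on the
        # user (or its OU); a policy error means the constructed password failed a domain rule.
        [pscustomobject]@{ Account = $DriverCredential.UserName; CanResetPassword = $false; Error = $_.Exception.Message }
    }
}

Test-DriverPasswordReset -DriverCredential (Get-Credential -Message 'AD driver account') `
                         -TestSamAccountName 'pwsync-test'
```

If CanResetPassword is false with an access-denied error while the same reset succeeds as an administrator, the Subscriber Channel will fail in the same way and the fix is in AD delegation, not in the driver policies; run it with -Server set to each DC the driver might bind to if permissions are inherited differently across OUs.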

PWFILTER Windows Events#

PWFILTER Windows Events describes the various events you might encounter.

Create a MAD Service To Run regedit#

Create a MAD Service To Run describes how to create a service that runs regedit as Local System, which is the practical way to view the SYSTEM-only keys under HKLM\SOFTWARE\Novell\PassSync\Data. We think it is also helpful in understanding how services work, mostly for troubleshooting purposes.

More Information #

There might be more information for this subject on one of the following: