Password Sync Interceptor for Active Directory


MyPass Cloud supports SSPR and password sync from multiple Microsoft Active Directories from a single tenant. As part of this, MyPass Cloud can capture password changes on Microsoft Active Directories and forward these to other integrated credential repositories. 

To achieve this, MyPass Cloud has a small software package installed on Microsoft Active Directory Domain Controllers to capture and securely forward passwords to the MyPass Cloud for synchronization. The Interceptor installs a hook into the domain controller so every Password Reset and Password Change can be securely forwarded. The Interceptor has to be installed on all Domain Controllers of the domain for effective operation.

Requirements

For the Interceptor to function, .NET Framework 4.6.2 or higher must be installed and the MSDTC (Distributed Transaction Coordinator) service must be running on the domain controller.
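A pre-flight check for the two requirements above, run in an elevated PowerShell prompt on the domain controller before starting the installer. This is an added example and is not part of the MyPass Cloud documentation or the Interceptor package; it assumes the standard .NET Framework 4.x registry location (the DWORD Release value 394802 is Microsoft's minimum for 4.6.2) and the service name MSDTC.

```powershell
# Added example, not FastPassCorp's code: checks the Interceptor prerequisites on a DC.
# Assumptions: .NET Framework 4.x publishes its version as the 'Release' DWORD under
# NDP\v4\Full (394802 and above = 4.6.2 or newer); the DTC service is named MSDTC.

function Test-InterceptorPrerequisites {
    $result = [ordered]@{}

    # .NET Framework 4.x version
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $result.DotNetRelease    = $ndp.Release
    $result.DotNet462OrNewer = ($null -ne $ndp -and $ndp.Release -ge 394802)

    # MSDTC has to be running, not merely installed
    $dtc = Get-Service -Name MSDTC -ErrorAction SilentlyContinue
    $result.MsdtcStatus  = if ($dtc) { $dtc.Status.ToString() } else { 'NotInstalled' }
    $result.MsdtcRunning = ($null -ne $dtc -and $dtc.Status -eq 'Running')

    # The Interceptor hooks the DC itself, so confirm this host holds the DC role
    # (Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.IsDomainController = ($cs.DomainRole -ge 4)

    $result.Ready = $result.DotNet462OrNewer -and $result.MsdtcRunning -and $result.IsDomainController
    [pscustomobject]$result
}

Test-InterceptorPrerequisites | Format-List
```

If MsdtcRunning is false, start the service (Start-Service MSDTC) and set its startup type to Automatic so the Interceptor keeps working after a reboot. Because the Interceptor must be installed on every domain controller, run the check on each DC rather than on one representative host.
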

Installation Steps
  • Run the installer.
  • In the “License Agreement” screen, read and accept the license agreement, then click the “Next” button.
  • In the “Customer Information” screen, enter your User and Organization name and click the “Next” button.
  • In the “Destination Folder” screen, click the “Change” button if you want to change the location where the application is installed.
  • For the password synchronisation target configuration, there are two options. The “Server Name” option is commonly used in normal on-premise environments. We recommend using SSL encryption for the communication with the database. If SSL is set up on the database server, install the certificate on the DC as follows: use the Microsoft Management Console (MMC) Certificates snap-in to export the Trusted Root Certification Authority certificate used by the server certificate, then install it on the DC with the same snap-in. If you are using a domain server and a domain-issued certificate, this step is not required.
  • We are ready to install the Interceptor. To continue, click the “Install” button.
  • The installation process is now complete. To close this dialog, click the “Finish” button.
Command Line Silent Installation

It is also possible to install the Interceptor from the command line. When installing, you will need to give the Interceptor the name of the MyPass Cloud server you are connecting to. Provide the FQDN of the server and make sure the name is resolvable from the domain controller. After the installation has completed, you will need to reboot the machine before the Interceptor will work. (If you need a custom connection string to the database, you will need to use the GUI to install.)

/quiet SERVER = tenant-sync-fqdn

Custom Password Capturing Values

The Interceptor provides a few configuration options that control its operation. These options are controlled through 4 registry values that filter which account passwords are synchronized and 4 registry values that control the creation of events in the Windows Event Log.

To edit the Registry, open regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Password Interceptor

For every new value, right-click on any blank area in the right-hand pane of the window and create the registry value as a “String Value”.

Each filter value is treated as a single regular expression in .NET.

  • AccountNamePatternAllow: Only passwords of accounts whose name matches this pattern are forwarded by the Interceptor
  • AccountNamePatternDeny: Passwords of accounts whose name matches this pattern are not forwarded by the Interceptor
  • GroupNamePatternAllow: Only passwords of users in a group whose name matches this pattern are forwarded by the Interceptor. The pattern is checked against every group item found in the user's “memberOf” attribute.
  • GroupNamePatternDeny: Passwords of users in a group whose name matches this pattern are not forwarded by the Interceptor

Between the allow and deny filters, the deny filter is the stronger one. This means that if both filters are enforced, the deny filter will deny any users who are allowed by the allow filter. Account and group name filters are equally weighted; if both are enforced and a user fails one of the filters, the user's reset is not forwarded. The account name is the sAMAccountName; the group name is the DN of the group, e.g. “CN=myusers,OU=Groups,OU=somewhere,DC=Domaim,DC=local”.

Some examples of filtering by group membership:

// To allow only the users in the myusers group:
GroupNamePatternAllow = "CN=myusers,OU=Groups,OU=somewhere,DC=Domaim,DC=local"

// To match only the group name, not the OU (this will still work if the group is moved in the OU structure):
GroupNamePatternAllow = "CN=myusers,"

// To deny users in any group with the name “_admin” in it (a deny rule, so it goes in the Deny value):
GroupNamePatternDeny = "_admin"

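Because the four values are regular expressions and the allow/deny precedence is easy to get wrong, it is worth dry-running the patterns against real account names and group DNs before writing them to the registry. The script below is an added example and is not FastPassCorp's code; it evaluates the rules with the same .NET regex engine the Interceptor uses ([regex]::IsMatch) under the semantics described above, plus two assumptions the page does not spell out: an empty pattern is treated as "filter not set", and a group allow pattern is satisfied when any DN in memberOf matches. The user names and the AccountNamePatternDeny value ^svc_ are constructed for the example.

```powershell
# Added example, not FastPassCorp's code. Dry-runs the Interceptor filter rules for a user.
# Assumed semantics: empty pattern = not set; deny wins over allow; account and group
# filters must both pass; group allow passes if any memberOf DN matches, group deny
# blocks if any memberOf DN matches.

function Test-InterceptorForward {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$MemberOf = @(),      # group DNs as found in the user's memberOf attribute
        [string]$AccountNamePatternAllow,
        [string]$AccountNamePatternDeny,
        [string]$GroupNamePatternAllow,
        [string]$GroupNamePatternDeny
    )
    $blockedBy = @()

    if ($AccountNamePatternDeny -and [regex]::IsMatch($SamAccountName, $AccountNamePatternDeny)) {
        $blockedBy += 'AccountNamePatternDeny'
    }
    if ($AccountNamePatternAllow -and -not [regex]::IsMatch($SamAccountName, $AccountNamePatternAllow)) {
        $blockedBy += 'AccountNamePatternAllow'
    }
    if ($GroupNamePatternDeny -and @($MemberOf | Where-Object { [regex]::IsMatch($_, $GroupNamePatternDeny) }).Count -gt 0) {
        $blockedBy += 'GroupNamePatternDeny'
    }
    if ($GroupNamePatternAllow -and @($MemberOf | Where-Object { [regex]::IsMatch($_, $GroupNamePatternAllow) }).Count -eq 0) {
        $blockedBy += 'GroupNamePatternAllow'
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Forwarded      = ($blockedBy.Count -eq 0)
        BlockedBy      = ($blockedBy -join ', ')
    }
}

# Writes the filter values as String (REG_SZ) values under the Interceptor key.
# Needs an elevated prompt on the DC; -Force overwrites an existing value.
function Set-InterceptorFilters {
    param([hashtable]$Filters)
    $key = 'HKLM:\SOFTWARE\FastPassCorp\Password Interceptor'
    foreach ($name in $Filters.Keys) {
        New-ItemProperty -Path $key -Name $name -PropertyType String -Value $Filters[$name] -Force | Out-Null
    }
}

# Constructed sample: the group patterns from the examples above, an assumed
# AccountNamePatternDeny for service accounts, and three fictitious users.
$filters = @{
    GroupNamePatternAllow  = 'CN=myusers,'
    GroupNamePatternDeny   = '_admin'
    AccountNamePatternDeny = '^svc_'
}
$users = @(
    @{ Sam = 'jdoe';       Groups = @('CN=myusers,OU=Groups,OU=somewhere,DC=Domaim,DC=local') },
    @{ Sam = 'jsmith';     Groups = @('CN=myusers,OU=Groups,OU=somewhere,DC=Domaim,DC=local',
                                      'CN=sql_admin,OU=Groups,OU=somewhere,DC=Domaim,DC=local') },
    @{ Sam = 'svc_backup'; Groups = @('CN=myusers,OU=Groups,OU=somewhere,DC=Domaim,DC=local') }
)
foreach ($u in $users) {
    Test-InterceptorForward -SamAccountName $u.Sam -MemberOf $u.Groups @filters
}
# jdoe is forwarded; jsmith is blocked by GroupNamePatternDeny (member of sql_admin),
# svc_backup by AccountNamePatternDeny, even though both are in myusers.

# Once the dry run looks right, write the values on the DC:
# Set-InterceptorFilters -Filters $filters
```

Two things the dry run makes visible: a pattern such as "CN=myusers," is an unanchored substring match, so it also matches a group named "CN=myusers,OU=Other,..." anywhere in the forest; and because the deny value is checked against every DN in memberOf, a single denied group anywhere in a user's memberships stops the reset from being forwarded. Run the function against the memberOf output of a few real accounts (Get-ADUser -Properties memberOf) before changing the registry on all domain controllers.
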
Custom Event Logging Values

The following 4 registry values control the event log entries that are written to domain controller local event logs.

  • EventLogGenerateEventForFailedPassingAccountNamePatternAllow = false / true
  • EventLogGenerateEventForFailedPassingAccountNamePatternDeny = false / true
  • EventLogGenerateEventForFailedPassingGroupNamePatternAllow = false / true
  • EventLogGenerateEventForFailedPassingGroupNamePatternDeny = false / true

If a value is set to true, the Interceptor writes an event to the Event Log every time a password is not forwarded because of the corresponding filter value.

  • EventLogGenerateEventForFailedPassingAccountNamePatternAllow: An event is created when a password is not forwarded because the account name did not match AccountNamePatternAllow
  • EventLogGenerateEventForFailedPassingAccountNamePatternDeny: An event is created when a password is not forwarded because the account name matched AccountNamePatternDeny
  • EventLogGenerateEventForFailedPassingGroupNamePatternAllow: An event is created when a password is not forwarded because no group matched GroupNamePatternAllow
  • EventLogGenerateEventForFailedPassingGroupNamePatternDeny: An event is created when a password is not forwarded because a group matched GroupNamePatternDeny