Password Interceptor for Active Directory

MyPass Cloud supports SSPR and password synchronization across multiple Microsoft Active Directories from a single tenant. To enable this, the Password Sync Interceptor captures password changes on domain controllers and securely forwards them to MyPass Cloud for synchronization with integrated systems.

The Interceptor installs a hook on domain controllers to capture all Password Reset and Password Change events. It must be installed on all domain controllers within the domain to function effectively.

🛠️ Requirements

.NET Framework version 4.6.2 or higher
MSDTC (Microsoft Distributed Transaction Coordinator) enabled and running

📦 Installation Steps (GUI)

Run the Interceptor installer.
Accept the License Agreement and click Next.
Enter User and Organization information, then click Next.
In Destination Folder, click Change to select an install path (optional).
For password sync target configuration:
- Use the Server Name option for most environments.
- If using SSL, install the trusted root certificate using MMC Snap-in.
Click Install to start the installation.
After installation completes, click Finish.

⚠️ Important: A reboot of the domain controller is required for the Interceptor to activate.

🧪 Silent Installation (Command Line)

To install silently via command line:

FastPass-PasswordInterceptor.msi /quiet SERVER=tenant-sync-fqdn

Replace tenant-sync-fqdn with the fully qualified domain name of your MyPass Cloud tenant.
After installation, a reboot is required.

Note: For advanced custom connection strings, use the GUI installer.

⚙️ Registry-Based Filter Configuration

Registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Password Interceptor

Create each value as a String Value. All patterns support .NET regex.

🔍 Account & Group Sync Filters

Value	Description
`AccountNamePatternAllow`	Only forward users matching this account name pattern
`AccountNamePatternDeny`	Block users matching this account name pattern
`GroupNamePatternAllow`	Only forward users in matching groups (matches `memberOf` attribute)
`GroupNamePatternDeny`	Block users in matching groups

Deny filters take precedence over allow filters. If a user matches both, the sync is blocked.

💡 Examples

GroupNamePatternAllow = "CN=myusers,OU=Groups,OU=somewhere,DC=Domain,DC=local"
GroupNamePatternAllow = "CN=myusers,"  # Match regardless of OU
GroupNamePatternDeny  = "_admin"       # Block any group containing "_admin"

📋 Custom Event Logging Filters

To enable Windows Event Log messages for filtered-out users, set these String Values to true:

Registry Value	Logs When...
`EventLogGenerateEventForFailedPassingAccountNamePatternAllow`	A user fails the `AccountNamePatternAllow` check
`EventLogGenerateEventForFailedPassingAccountNamePatternDeny`	A user is blocked by `AccountNamePatternDeny`
`EventLogGenerateEventForFailedPassingGroupNamePatternAllow`	A user fails the `GroupNamePatternAllow` group membership check
`EventLogGenerateEventForFailedPassingGroupNamePatternDeny`	A user is blocked by `GroupNamePatternDeny`

These logs help audit which password events were suppressed and why.

🛠️ Requirements​

📦 Installation Steps (GUI)​

🧪 Silent Installation (Command Line)​

⚙️ Registry-Based Filter Configuration​

🔍 Account & Group Sync Filters​

💡 Examples​

📋 Custom Event Logging Filters​