Password Interceptor for Active Directory
MyPass Cloud supports SSPR and password synchronization across multiple Microsoft Active Directories from a single tenant. To enable this, the Password Sync Interceptor captures password changes on domain controllers and securely forwards them to MyPass Cloud for synchronization with integrated systems.
The Interceptor installs a hook on domain controllers to capture all Password Reset and Password Change events. A password change is processed by whichever domain controller receives it, so the Interceptor must be installed on every domain controller in the domain; changes handled by a domain controller without the hook are not captured.
Quick Implementation Pointers
Requirements
- .NET Framework version 4.6.2 or higher
- MSDTC (Microsoft Distributed Transaction Coordinator) enabled and running
Installation Steps (GUI)
- Run the Interceptor installer.
- Accept the License Agreement and click Next.
- Enter User and Organization information, then click Next.
- In Destination Folder, click Change to select an install path (optional).
- For password sync target configuration:
  - Use the Server Name option for most environments.
  - If using SSL, install the trusted root certificate using the MMC snap-in.
- Click Install to start the installation.
- After installation completes, click Finish.
A reboot of the domain controller is required for the Interceptor to activate.
Silent Installation (Command Line)
To install silently from the command line:

```
FastPass-PasswordInterceptor.msi /quiet SERVER=tenant-sync-fqdn
```

- Replace `tenant-sync-fqdn` with the fully qualified domain name of your MyPass Cloud tenant.
- After installation, a reboot is required.
For advanced custom connection strings, use the GUI installer.
Registry-Based Filter Configuration
Registry path:

```
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Password Interceptor
```

Create each value as a String Value (REG_SZ). All patterns are interpreted as .NET regular expressions.
Account & Group Sync Filters
| Value | Description |
|---|---|
| AccountNamePatternAllow | Only forward users matching this account name pattern |
| AccountNamePatternDeny | Block users matching this account name pattern |
| GroupNamePatternAllow | Only forward users in matching groups (matches the memberOf attribute) |
| GroupNamePatternDeny | Block users in matching groups |
Deny filters take precedence over allow filters. If a user matches both, the sync is blocked.
Examples
```
GroupNamePatternAllow = "CN=myusers,OU=Groups,OU=somewhere,DC=Domain,DC=local"
GroupNamePatternAllow = "CN=myusers,"   # Match regardless of OU
GroupNamePatternDeny  = "_admin"        # Block any group containing "_admin"
```
Custom Event Logging Filters
To enable Windows Event Log messages for filtered-out users, set these String Values to true:
| Registry Value | Logs When... |
|---|---|
| EventLogGenerateEventForFailedPassingAccountNamePatternAllow | A user fails the AccountNamePatternAllow check |
| EventLogGenerateEventForFailedPassingAccountNamePatternDeny | A user is blocked by AccountNamePatternDeny |
| EventLogGenerateEventForFailedPassingGroupNamePatternAllow | A user fails the GroupNamePatternAllow group membership check |
| EventLogGenerateEventForFailedPassingGroupNamePatternDeny | A user is blocked by GroupNamePatternDeny |
These logs help audit which password events were suppressed and why.
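The following PowerShell script is an added example and is not FastPassCorp's code. It covers both the filter configuration above and the event-logging values in this section: it writes the documented registry values as String Values, and it includes a small local evaluator that applies the same .NET regex engine with the documented deny-over-allow rule, so an administrator can check a pattern set against sample accounts before rolling it out to every domain controller. The registry path and value names come from this page; the account names, group DNs, and patterns are constructed for illustration. Two points the page does not state are treated as assumptions: an unset allow pattern imposes no restriction, and matching is case-insensitive (AD names are case-insensitive, but the Interceptor's own behaviour is not documented here).

```powershell
# Added example (not FastPassCorp's code). Assumes the registry path and value
# names documented on the page; sample accounts and patterns are constructed.

$InterceptorKey = 'HKLM:\SOFTWARE\FastPassCorp\Password Interceptor'

# Sync filters: each value is a .NET regular expression.
$Filters = @{
    AccountNamePatternDeny = '^svc_'          # never forward service accounts (constructed policy)
    GroupNamePatternAllow  = '^CN=myusers,'   # only members of CN=myusers, regardless of OU
    GroupNamePatternDeny   = '_admin'         # block any group whose DN contains "_admin"
}

# Audit settings from the "Custom Event Logging Filters" section: String Value "true".
$AuditSettings = @{
    EventLogGenerateEventForFailedPassingAccountNamePatternAllow = 'true'
    EventLogGenerateEventForFailedPassingAccountNamePatternDeny  = 'true'
    EventLogGenerateEventForFailedPassingGroupNamePatternAllow   = 'true'
    EventLogGenerateEventForFailedPassingGroupNamePatternDeny    = 'true'
}

function Set-InterceptorValues {
    # Writes every entry as REG_SZ under the Interceptor key (run elevated on each DC).
    param([string]$KeyPath, [hashtable]$Values)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $KeyPath -Name $name -Value $Values[$name] `
            -PropertyType String -Force | Out-Null
    }
}

function Test-Pattern {
    # Same engine the page names (.NET regex). Case-insensitivity is an assumption.
    param([string[]]$Inputs, [string]$Pattern)
    foreach ($i in $Inputs) {
        if ([regex]::IsMatch($i, $Pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Test-InterceptorFilter {
    # Applies the documented rule: deny patterns win; an allow pattern, when set,
    # must match. Returns why a password event would be suppressed, if at all.
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [string[]]$MemberOf = @(),
        [hashtable]$Filters
    )
    $blockedBy = @()
    if ($Filters.AccountNamePatternDeny -and (Test-Pattern @($AccountName) $Filters.AccountNamePatternDeny)) {
        $blockedBy += 'AccountNamePatternDeny'
    }
    if ($Filters.GroupNamePatternDeny -and (Test-Pattern $MemberOf $Filters.GroupNamePatternDeny)) {
        $blockedBy += 'GroupNamePatternDeny'
    }
    if ($Filters.AccountNamePatternAllow -and -not (Test-Pattern @($AccountName) $Filters.AccountNamePatternAllow)) {
        $blockedBy += 'AccountNamePatternAllow'
    }
    if ($Filters.GroupNamePatternAllow -and -not (Test-Pattern $MemberOf $Filters.GroupNamePatternAllow)) {
        $blockedBy += 'GroupNamePatternAllow'
    }
    [pscustomobject]@{
        Account   = $AccountName
        Forwarded = ($blockedBy.Count -eq 0)
        BlockedBy = ($blockedBy -join ', ')
    }
}

# Constructed sample accounts: expected result is one line per account.
$Samples = @(
    @{ Account = 'jdoe';       MemberOf = @('CN=myusers,OU=Groups,OU=somewhere,DC=Domain,DC=local') }
    @{ Account = 'svc_backup'; MemberOf = @('CN=myusers,OU=Groups,DC=Domain,DC=local') }
    @{ Account = 'asmith';     MemberOf = @('CN=myusers,OU=Groups,DC=Domain,DC=local',
                                           'CN=tier0_admins,OU=Groups,DC=Domain,DC=local') }
    @{ Account = 'bjones';     MemberOf = @('CN=staff,OU=Groups,DC=Domain,DC=local') }
)

$Samples | ForEach-Object {
    Test-InterceptorFilter -AccountName $_.Account -MemberOf $_.MemberOf -Filters $Filters
} | Format-Table -AutoSize
# jdoe is forwarded; svc_backup is blocked by AccountNamePatternDeny; asmith is a
# member of CN=myusers but also of a "_admin" group, so deny wins; bjones is not
# in any allowed group.

# Apply on a domain controller (elevated), then reboot as the page requires:
# Set-InterceptorValues -KeyPath $InterceptorKey -Values $Filters
# Set-InterceptorValues -KeyPath $InterceptorKey -Values $AuditSettings
```

Run the evaluator on a workstation first; only the two `Set-InterceptorValues` calls touch the registry, and they need to be repeated on every domain controller, since each one evaluates the filters independently for the password changes it processes. Enabling the four audit values at the same time means each suppressed event leaves a Windows Event Log entry naming the filter that fired, which is what lets you confirm the evaluator's prediction against what the Interceptor actually did.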