August 2007

Password Synchronization

Microsoft solutions for secure access

ILM and IIFP connect to other repositories through a set of connectors that Microsoft calls Management Agents (MAs); the MAs are installed on the ILM or IIFP server itself. ILM and IIFP password synchronization doesn't require special agents on the target systems, which means that, as a rule, users or administrators must interact directly with ILM or IIFP when setting or changing passwords. Two notable exceptions to this rule don't require any explicit interaction between a user and ILM: when the Password Change Notification Service (PCNS) is used and when ILM creates a new user account. In the first case, users set or change their passwords directly against a Windows DC, and the DC notifies ILM. (I explain PCNS in more detail later in the article.) In the latter case, ILM initializes the user's password to a predefined value when it creates the account as part of its user account provisioning process; such an initial password should be treated as a one-time credential and changed at first logon.

The AD, ADAM, and NT 4.0 MAs support both password set and password change operations. The Lotus Notes, Sun ONE Directory Server, and eDirectory MAs support only password set operations (a reset that doesn't require the old password). ILM and IIFP can also be extended to synchronize passwords to other repositories through custom password extensions. If you don't mind coding and getting your hands dirty, the Developer Reference that comes with ILM and IIFP describes in detail how to create these password extensions.

As I explained previously, passwords can be synchronized only while they're available in plaintext (i.e., at the moment a password set, reset, or change operation occurs); AD and most other repositories store only a hash, from which the password cannot be recovered afterward. ILM and IIFP support the following interfaces for intercepting password sets or changes and initiating a password synchronization operation to a set of connected repositories: the Helpdesk Password Reset and the Self-Service Password Reset Web applications, and the Change Password option in the Windows Ctrl+Alt+Del dialog box.

When using the Helpdesk Password Reset or the Self-Service Password Reset Web applications, users or administrators interact directly with the ILM or IIFP server through a Web interface. Both Web applications are free add-ons to ILM and IIFP that are included in the MIIS 2003 scenarios. You can download these scenarios, including the necessary code and deployment instructions, from http://www.microsoft.com/downloads/details.aspx?familyid=15032653-d78e-4d9d-9e486cf0ae0c369c&displaylang=en. Microsoft's "User-Based, Self-Service Password Change Solution Guide for MIIS 2003" (http://www.microsoft.com/downloads/details.aspx?familyid=7e90b216-6cfd-4ccd-bdb9-2cc6be004bc4&displaylang=en) describes the Self-Service Password Reset Web application.

When using the Change Password option in the Ctrl+Alt+Del dialog box, users interact with ILM or IIFP indirectly, through the Windows DC that processes the password change. This mechanism requires PCNS to be installed on every DC in the domain whose password changes must be intercepted; a DC without PCNS accepts the change but never reports it. The PCNS logic is included in ILM and IIFP 1a. PCNS can be installed on Windows 2000 and Windows Server 2003 DCs.

PCNS is a Windows service that monitors AD password changes and notifies other servers (e.g., ILM servers) of these changes. It consists of three pieces of software: a password filter DLL, the PCNS service itself, and the PCNS configuration utility. The password filter DLL is a standard LSA notification package: it's loaded into a DC's Local Security Authority process (lsass.exe) and receives a clear-text copy of every changed password. The PCNS service receives the password-change notifications from the filter, queues them, and forwards them to the configured target systems. The PCNS configuration utility sets the PCNS configuration data, which is stored in AD and includes the list of notification targets. Because any DLL registered as an LSA notification package sees plaintext passwords, the set of filters registered on each DC should be reviewed as part of deploying PCNS, and rechecked afterward.
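The review of registered password filters mentioned above can be scripted. The following PowerShell script is an added example, not code from the article or from Microsoft; it enumerates the LSA notification packages on a DC and reports each DLL's Authenticode signer and SHA-256 hash, then warns about anything that isn't on an allow-list. The allow-list contents (scecli, and rassfm on DCs) reflect what stock Windows 2003-era DCs register and are an assumption to verify against your own baseline; you must add the base name of the filter PCNS installed.

```powershell
# Added example (not from the article): audit the LSA password-filter DLLs on a DC.
# Every entry under "Notification Packages" is loaded into lsass.exe and receives
# each new password in the clear, so the list must contain only filters you
# deliberately deployed (e.g. the PCNS filter) and the stock Windows entries.
# Assumptions: elevated Windows PowerShell (4.0+) session on the DC; $expected
# holds the names you consider legitimate (scecli/rassfm assumed as the stock set).

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

# REG_MULTI_SZ: one bare DLL base name per entry, resolved from System32 by LSA.
$report = foreach ($name in $packages) {
    $path = Join-Path $env:SystemRoot "System32\$name.dll"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Package   = $name
            Path      = $path
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus = $sig.Status
            Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    } else {
        # A registered name with no file on disk is itself suspicious: LSA would
        # happily load it if someone later drops a DLL with that name into System32.
        [pscustomobject]@{ Package = $name; Path = $path; Signer = '(file missing)'; SigStatus = 'NotFound'; Sha256 = $null }
    }
}

$report | Format-Table -AutoSize

# Allow-list (assumed): stock Windows entries plus the filter you deployed.
$expected = @('scecli', 'rassfm')   # add the PCNS filter's base name after installing it

$report |
    Where-Object { ($expected -notcontains $_.Package) -or ($_.SigStatus -ne 'Valid') } |
    ForEach-Object {
        Write-Warning "Unexpected or unsigned password filter: $($_.Package) [$($_.SigStatus)] $($_.Path)"
    }
```

Run it on each DC (or wrap it in Invoke-Command) and keep the hash column with your deployment records: a filter whose hash changes outside a patch cycle, or a new name appearing in the list, is exactly how a credential-harvesting DLL would show up.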

ILM and IIFP support only one-directional, "password push" synchronization in mixed (Windows and non-Windows) environments: password sets or changes originating on the Windows side are pushed out to the connected repositories, but neither ILM nor IIFP can replicate password sets or changes that originate on the non-Windows side of the synchronization channel back to Windows.

Using SFU or Windows 2003 R2
Microsoft's Services for UNIX (SFU) 3.5 is a software package that Microsoft provides to Win2K and Windows 2003 customers at no additional cost; it includes tools and services for integrating Windows and UNIX/Linux platforms, among them a password synchronization service. Windows 2003 R2 includes part of the SFU services, including the password synchronization service. For more information about SFU and its services, go to Microsoft's Windows Services for UNIX Web site (http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx).

The SFU 3.5 and Windows 2003 R2 password synchronization service can synchronize passwords between Windows 2003 R2, Windows 2003, Windows XP, Win2K Server, Win2K Pro, NT Server 4.0, and NT Workstation platforms on the Windows side, and HP-UX 11, Red Hat Linux 7.0, Solaris 7, and AIX 4.3.3 platforms on the UNIX side. On the Windows side, the service can synchronize passwords for domains and for standalone machines; on the UNIX/Linux side, for Network Information Service (NIS) databases and for standalone hosts.

You can set SFU and Windows 2003 R2 password synchronization to work in both directions (i.e., from Windows to UNIX and from UNIX to Windows) for all the UNIX platforms I mentioned, with the exception of AIX. The service triggers a synchronization action each time a user updates his or her password on a Windows machine (for Windows-to-UNIX synchronization) or on a UNIX/Linux host (for UNIX-to-Windows synchronization).

To support this bidirectional password synchronization, SFU and Windows 2003 R2 require the deployment of password synchronization software on both sides. If passwords are to be synchronized between a Windows domain and a UNIX/Linux environment, the password synchronization service must be installed on all Windows DCs, because in AD's multi-master model a password update can be processed by any DC. The service must likewise be installed on any Windows standalone machine whose passwords are to be synchronized with UNIX/Linux. On the UNIX/Linux side, Windows-to-UNIX/Linux synchronization requires the ssod daemon, and UNIX/Linux-to-Windows synchronization requires the pam_sso PAM module.
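Both PCNS (described earlier) and the SFU/R2 service share the "install on every DC" requirement, and a DC that was promoted after the rollout, or where the service was stopped, silently drops password changes from the sync channel. The following PowerShell script is an added example (not code from the article or from Microsoft) that checks every DC in the current domain for the service; the service short name is an assumption passed as a parameter, so substitute whatever Get-Service shows on a DC where the product is already installed.

```powershell
# Added example (not from the article): confirm a password-synchronization service
# (PCNS or the SFU/Windows 2003 R2 service) is installed and running on every DC.
# Assumptions: run from a domain-joined, elevated Windows PowerShell session with
# remote service/WMI access to the DCs; $ServiceName is a placeholder, not a
# documented value, so take it from Get-Service on a DC that already has the product.
param(
    [string]$ServiceName = 'PasswordSyncService'   # assumed placeholder name
)

# Enumerate DCs from the domain itself rather than from a hand-kept list, so a
# freshly promoted DC cannot be missed.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$results = foreach ($dc in $domain.DomainControllers) {
    try {
        $svc  = Get-Service -ComputerName $dc.Name -Name $ServiceName -ErrorAction Stop
        $wmi  = Get-WmiObject -Class Win32_Service -ComputerName $dc.Name -Filter "Name='$ServiceName'"
        [pscustomobject]@{
            DC        = $dc.Name
            Installed = $true
            Status    = $svc.Status
            StartMode = $wmi.StartMode      # expect 'Auto'; 'Manual' or 'Disabled' is a gap
        }
    } catch {
        # Get-Service throws when the service does not exist (or the DC is unreachable);
        # either way this DC cannot be trusted to forward password changes.
        [pscustomobject]@{ DC = $dc.Name; Installed = $false; Status = 'Missing/Unreachable'; StartMode = $null }
    }
}

$results | Format-Table -AutoSize

$gaps = $results | Where-Object { (-not $_.Installed) -or ($_.Status -ne 'Running') -or ($_.StartMode -ne 'Auto') }
if ($gaps) {
    Write-Warning ("Password changes handled by these DCs will not be synchronized: " + ($gaps.DC -join ', '))
}
```

Schedule this alongside your DC health checks; the multi-master requirement means the weakest DC defines whether synchronization is reliable for the whole domain.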

Windows IT Pro is a division of Penton Media Inc. Copyright © 2008 Penton Media, Inc. All rights reserved.