[midPoint] Trying the AD Password Filters

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Sat Jan 26 11:36:49 CET 2019


Hi!

Thank you very much for your reply.
I compiled the package using Visual Studio 2017 Community + WiX 3.11 +
WiX extension,
I changed in the solution properties to compile for 64-bit architecture
(filter dll was marked as 32bit).

Compilation went fine with no errors or warnings.

Installation on the server succeeded, I checked registry entries and the
file locations for the agent and filter, all fine,
but the filter DLL cannot be loaded:

The password notification DLL C:\Windows\System32\ADPasswordFilter.dll
failed to load with error 126. Please verify that the notification DLL
path defined in the registry,
HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages, refers
to a correct and absolute path (<drive>:\<path>\<filename>.<ext>) and
not a relative or invalid path. If the DLL path is correct, please
validate that any supporting files are located in the same directory,
and that the system account has read access to both the DLL path and any
supporting files.  Contact the provider of the notification DLL for
additional support. Further details can be found on the web at
http://go.microsoft.com/fwlink/?LinkId=245898.

I tried to add into the "Notification Packages" registry key values:

ADPasswordFilter
and with the full path:
C:\Windows\System32\ADPasswordFilter.dll

But it changes nothing.
What are other requirements to make it work? C++ runtime? .Net in
specified version?
I have installed Microsoft Visual C++ 2017 Redistributable and .Net 4.5
and 3.5 but it still doesn't work.

Thanks!
WS

On 25.01.2019 at 20:02, Ezequiel Alonso wrote:
> Sorry,
>
> I forgot to mention a manual installation step. With regedit you must
> add "ADPasswordFilter" in "Notification Packages" in
> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".
>
> I take the opportunity to say that we have in our roadmap the idea of
> encrypting the passwords and also adding a queue of password for
> storing password changes when there is no connectivity.
>
> Thank you guys!
>
> On Fri, Jan 25, 2019 at 15:29, Ezequiel Alonso
> (ealonso at identicum.com <mailto:ealonso at identicum.com>) wrote:
>
>     Hi,
>
>     Thank you for trying our password filter version!
>
>     We wrote our own version because the one contributed in 2014 was
>     outdated and
>     didn't meet our requirements.
>
>     This version is more modular. The DLL will pass the user and
>     password as parameters to the agent placed in the path specified
>     in the registry in the "Agent" entry in
>     "HKLM\SOFTWARE\ADPasswordFilter"
>
>     You can try to compile the client and the dll using Visual Studio
>     15 with the WiX Toolset plugin for building the installer.
>
>     For manually installing the filter you must follow the next steps:
>
>       * Copy the DLL to "C:\Windows\System32\ADPasswordFilter.dll"
>       * Copy the Agent to
>         "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe"
>       * Create the file
>         "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe.config"
>         containing:
>
>             <?xml version="1.0" encoding="utf-8"?>
>             <configuration>
>               <appSettings>
>                 <add key="BASEURL" value="http://your-midpoint-instance:8080/midpoint"/>
>                 <add key="AUTHUSR" value="administrator"/>
>                 <add key="AUTHPWD" value="5ecr3t"/>
>               </appSettings>
>               <startup>
>                 <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
>               </startup>
>             </configuration>
>
>       * Run the following command as admin in the command prompt:
>
>             reg add "HKLM\SOFTWARE\ADPasswordFilter" /v "Agent" /d "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe"
>
>       * Reset the domain controller
>
>
>     I also committed the installer to the GitHub repository recently.
>
>     Let me know if you have any issues with the password filter.
>
>     Thank you!
>
>     On Fri, Jan 25, 2019 at 13:58, Jason Everling
>     (jeverling at bshp.edu <mailto:jeverling at bshp.edu>) wrote:
>
>         Although we don't use password sync since our users have to
>         change their passwords through our password app which syncs it
>         everywhere else, I tested the one from Identicum. The one
>         donated to Evolveum is very outdated, like 5+ years.
>
>         JASON
>
>
>         On Fri, Jan 25, 2019 at 10:47 AM Wojciech Staszewski
>         <wojciech.staszewski at diagnostyka.pl
>         <mailto:wojciech.staszewski at diagnostyka.pl>> wrote:
>
>             Hi All!
>
>             There are 2 independent midPoint password-agents for AD.
>
>             First made by Radovan from Evolveum:
>             https://github.com/Evolveum/midpoint-password-agent-ad
>
>             Second made by Identicum:
>             https://github.com/Identicum/midPointADPasswordAgent
>
>             I want to play with them, but unfortunately I cannot
>             compile the installers. Exe and dll files are compiled ok.
>             But I don't know how to install it manually (win2012 x86_64)
>
>             I put MidPointPasswordFilter.dll into c:\windows\system32 dir,
>             then installed Microsoft Visual C++ 2010 x64 Redistributable,
>             and modified registry
>             HKLM->SYSTEM->CurrentControlSet->Control->Lsa->Notification
>             Packages,
>
>             but the DLL cannot be loaded:
>             "The password notification DLL MidPointPasswordFilter
>             failed to load with error 126." <- most likely missing
>             some dependencies.
>
>             Does any of you have any experience with these agents?
>             Maybe you have the installers compiled (for x86_64) and
>             can share them?
>
>             Thanks
>             WS
>             -- 
>             Wojciech Staszewski
>             Network Systems Administrator
>             www.diagnostyka.pl <http://www.diagnostyka.pl>
>             Diagnostyka Sp. z o. o.
>             ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
>             KRS number: 0000381559 (District Court for
>             Kraków-Śródmieście in Kraków, 11th Commercial Division of the KRS)
>             NIP: 675-12-65-009; REGON: 356366975
>             Share capital: 33 756 500 zł.
>
>             Think of the environment before you print this e-mail.
>             _______________________________________________
>             midPoint mailing list
>             midPoint at lists.evolveum.com
>             <mailto:midPoint at lists.evolveum.com>
>             http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>     -- 
>     *Ezequiel Alonso*
>     Identicum S.A.
>     Jorge Newbery 3226, Buenos Aires, Argentina
>     <https://maps.google.com/?q=Jorge+Newbery+3226>
>     Tel: +54 (11) 4552-3050
>     www.identicum.com <https://www.identicum.com/>
>
>
>

-- 
Wojciech Staszewski
Network Systems Administrator
mobile: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the KRS)
NIP: 675-12-65-009; REGON: 356366975
Share capital: 33 756 500 zł.

Think of the environment before you print this e-mail.
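
For the load failure reported in this message: Windows error 126 is ERROR_MOD_NOT_FOUND, returned when a DLL or one of the modules it imports cannot be found. The PowerShell below is an added example, not part of the original e-mail or of the Identicum project; it reads the registry values and paths named in this thread and reports each registered filter DLL's architecture and signature status (the helper name Get-PeMachine is hypothetical).

```powershell
# Added example: read-only audit of the manual install steps quoted in this thread.
# Assumption: run from an elevated 64-bit PowerShell on the DC; a 32-bit
# process would be redirected from System32 to SysWOW64.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$agentKey = 'HKLM:\SOFTWARE\ADPasswordFilter'

function Get-PeMachine {                      # hypothetical helper name
    param([string]$Path)
    # COFF Machine field: e_lfanew is stored at 0x3C, Machine follows "PE\0\0".
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40) { return 'not a PE file' }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($pe -lt 0 -or $pe + 6 -gt $bytes.Length) { return 'not a PE file' }
    if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) { return 'not a PE file' }
    switch ([BitConverter]::ToUInt16($bytes, $pe + 4)) {
        0x8664  { 'x64' }
        0x014c  { 'x86' }
        default { 'other (0x{0:x4})' -f $_ }
    }
}

$want     = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$packages = (Get-ItemProperty -Path $lsaKey).'Notification Packages'
foreach ($entry in $packages) {
    $name = if ($entry -match '\.dll$') { $entry } else { "${entry}.dll" }
    $dll  = if ([IO.Path]::IsPathRooted($name)) { $name } else { Join-Path $env:SystemRoot "System32\$name" }
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Output "MISSING   $entry -> $dll"
        continue
    }
    $arch = Get-PeMachine $dll
    $sig  = (Get-AuthenticodeSignature -FilePath $dll).Status
    $flag = if ($arch -eq $want) { 'OK       ' } else { 'MISMATCH ' }
    Write-Output "$flag $entry -> $dll [$arch, signature: $sig]"
}

$agent = (Get-ItemProperty -Path $agentKey -ErrorAction SilentlyContinue).Agent
if (-not $agent) { Write-Output "MISSING   'Agent' value under $agentKey" }
elseif (-not (Test-Path -LiteralPath $agent)) { Write-Output "MISSING   agent binary $agent" }
else {
    Write-Output "OK        agent $agent"
    # The agent's .config holds AUTHUSR/AUTHPWD, so list who can read that folder.
    (Get-Acl -Path (Split-Path $agent)).Access |
        ForEach-Object { Write-Output ("  ACL {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights) }
}
```

A MISMATCH line means the DLL's architecture differs from the operating system's, which is the 32-bit versus 64-bit build setting mentioned at the top of this message.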
