[midPoint] Trying the AD Password Filters

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Sun Jan 27 18:31:59 CET 2019


Hello!

Thank you for uploading the installer binary.
The filter and agent provided by this installer are working correctly.

Thanks!
WS

On 26.01.2019 at 11:36, Wojciech Staszewski wrote:
>
> Hi!
>
> Thank you very much for your reply.
> I compiled the package using Visual Studio 2017 Community + WiX 3.11 +
> WiX extension,
> I changed the solution properties to compile for the 64-bit
> architecture (the filter DLL was marked as 32-bit).
>
> Compilation went fine with no errors or warnings.
>
> Installation on the server succeeded, I checked registry entries and
> the file locations for the agent and filter, all fine,
> but the filter DLL cannot be loaded:
>
> The password notification DLL C:\Windows\System32\ADPasswordFilter.dll
> failed to load with error 126. Please verify that the notification DLL
> path defined in the registry,
> HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages,
> refers to a correct and absolute path
> (<drive>:\<path>\<filename>.<ext>) and not a relative or invalid path.
> If the DLL path is correct, please validate that any supporting files
> are located in the same directory, and that the system account has
> read access to both the DLL path and any supporting files.  Contact
> the provider of the notification DLL for additional support. Further
> details can be found on the web at
> http://go.microsoft.com/fwlink/?LinkId=245898.
>
> I tried to add into the "Notification Packages" registry key values:
>
> ADPasswordFilter
> and with the full path:
> C:\Windows\System32\ADPasswordFilter.dll
>
> But it changes nothing.
> What are other requirements to make it work? C++ runtime? .Net in
> specified version?
> I have installed Microsoft Visual C++ 2017 Redistributable and .Net
> 4.5 and 3.5 but it still doesn't work.
>
> Thanks!
> WS
>
> On 25.01.2019 at 20:02, Ezequiel Alonso wrote:
>> Sorry,
>>
>> I forgot to mention a manual installation step. With regedit you must
>> add "ADPasswordFilter" in "Notification Packages" in
>> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".
>>
>> I take the opportunity to say that we have in our roadmap the idea of
>> encrypting the passwords and also adding a password queue for
>> storing password changes when there is no connectivity.
>>
>> Thank you guys!
>>
>> On Fri, Jan 25, 2019 at 15:29, Ezequiel Alonso
>> (ealonso at identicum.com) wrote:
>>
>>     Hi,
>>
>>     Thank you for trying our password filter version!
>>
>>     We wrote our own version because the one contributed in 2014 was
>>     outdated and
>>     didn't meet our requirements.
>>
>>     This version is more modular. The DLL will pass the user and
>>     password as parameters to the agent placed in the path specified
>>     in the registry in the "Agent" entry in
>>     "HKLM\SOFTWARE\ADPasswordFilter"
>>
>>     You can try to compile the client and the dll using Visual Studio
>>     15 with the WiX Toolset plugin for building the installer.
>>
>>     For manually installing the filter you must follow the next steps:
>>
>>       * Copy the DLL to "C:\Windows\System32\ADPasswordFilter.dll"
>>       * Copy the Agent to "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe"
>>       * Create the file "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe.config" containing:
>>
>>             <?xml version="1.0" encoding="utf-8"?>
>>             <configuration>
>>               <appSettings>
>>                 <add key="BASEURL" value="http://your-midpoint-instance:8080/midpoint"/>
>>                 <add key="AUTHUSR" value="administrator"/>
>>                 <add key="AUTHPWD" value="5ecr3t"/>
>>               </appSettings>
>>               <startup>
>>                 <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
>>               </startup>
>>             </configuration>
>>
>>       * Run the following command as admin in the command prompt:
>>
>>             reg add "HKLM\SOFTWARE\ADPasswordFilter" /v "Agent" /d "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe"
>>
>>       * Reset the domain controller
>>
>>
>>     I also committed the installer to the GitHub repository recently.
>>
>>     Let me know if you have any issues with the password filter.
>>
>>     Thank you!
>>
>>     On Fri, Jan 25, 2019 at 13:58, Jason Everling
>>     (jeverling at bshp.edu) wrote:
>>
>>         Although we don't use password sync, since our users have to
>>         change their passwords through our password app, which syncs
>>         it everywhere else, I tested the one from Identicum. The one
>>         donated to Evolveum is very outdated, like 5+ years.
>>
>>         JASON
>>
>>
>>         On Fri, Jan 25, 2019 at 10:47 AM Wojciech Staszewski
>>         <wojciech.staszewski at diagnostyka.pl> wrote:
>>
>>             Hi All!
>>
>>             There are 2 independent midPoint password-agents for AD.
>>
>>             First made by Radovan from Evolveum:
>>             https://github.com/Evolveum/midpoint-password-agent-ad
>>
>>             Second made by Identicum:
>>             https://github.com/Identicum/midPointADPasswordAgent
>>
>>             I want to play with them, but unfortunately I cannot
>>             compile the installers. Exe and dll files are compiled ok.
>>             But I don't know how to install it manually (win2012 x86_64)
>>
>>             I put MidPointPasswordFilter.dll into c:\windows\system32
>>             dir,
>>             then installed Microsoft Visual C++ 2010 x64 Redistributable,
>>             and modified registry
>>             HKLM->SYSTEM->CurrentControlSet->Control->Lsa->Notification
>>             Packages,
>>
>>             but the DLL cannot be loaded:
>>             "The password notification DLL MidPointPasswordFilter
>>             failed to load with error 126." <- most likely missing
>>             some dependencies.
>>
>>             Does any of you have any experience with these agents?
>>             Maybe you have the installers compiled (for x86_64) and
>>             can share them?
>>
>>             Thanks
>>             WS
>>             -- 
>>             Wojciech Staszewski
>>             Network Systems Administrator
>>             www.diagnostyka.pl
>>             Diagnostyka Sp. z o. o.
>>             ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
>>             KRS number: 0000381559 (District Court for
>>             Kraków-Śródmieście in Kraków, 11th Commercial Division of the KRS)
>>             NIP: 675-12-65-009; REGON: 356366975
>>             Share capital: 33 756 500 zł.
>>
>>             Think of the environment before you print this e-mail.
>>             _______________________________________________
>>             midPoint mailing list
>>             midPoint at lists.evolveum.com
>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>     -- 
>>     *Ezequiel Alonso*
>>     Identicum S.A.
>>     Jorge Newbery 3226, Buenos Aires, Argentina
>>     <https://maps.google.com/?q=Jorge+Newbery+3226>
>>     Tel: +54 (11) 4552-3050
>>     www.identicum.com <https://www.identicum.com/>
>>
>>
>>

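Added example, not part of the thread and not the Identicum or Evolveum code: error 126 is ERROR_MOD_NOT_FOUND, which Windows also returns when one of a DLL's dependencies is missing, so this Python sketch reads a filter DLL's PE headers offline and flags a non-x64 image or imports of the debug C runtime, which the Visual C++ Redistributable does not install. The function names and the sample image are constructed for illustration; for a real build, pass the bytes of the DLL placed under C:\Windows\System32 to load_risks().

```python
import struct

DEBUG_CRT = {"vcruntime140d.dll", "msvcp140d.dll", "ucrtbased.dll"}  # not in the Redistributable

def _offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is outside every section" % rva)

def pe_imports(data):
    """Return (machine, [imported DLL names]) read from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, opt_size = struct.unpack_from("<HH12xH", data, pe + 4)
    opt = pe + 24
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)
    imp = struct.unpack_from("<I", data, dirs + 8)[0]   # directory 1 = import table
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]                   # (vsize, va, rawsize, rawptr)
    names, off = [], _offset(sections, imp) if imp else 0
    # Each descriptor is 20 bytes; a zero Name RVA marks the end of the table.
    while off and (name_rva := struct.unpack_from("<I", data, off + 12)[0]):
        start = _offset(sections, name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii"))
        off += 20
    return machine, names

def load_risks(data):
    """List reasons a 64-bit LSASS could fail to load this filter DLL."""
    machine, names = pe_imports(data)
    risks = [] if machine == 0x8664 else ["not x64: machine 0x%04x" % machine]
    return risks + ["debug CRT import: " + n for n in names if n.lower() in DEBUG_CRT]

def sample_image(machine, dlls):
    """Constructed minimal PE32+ image: one section holding an import table."""
    img, pos = bytearray(0x400), 20 * (len(dlls) + 1)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    fields = [("<I", 0x3C, 0x40), ("<HH", 0x44, machine, 1), ("<H", 0x54, 240),
              ("<H", 0x58, 0x20B), ("<I", 0xD0, 0x1000),
              ("<IIII", 0x150, 0x200, 0x1000, 0x200, 0x200)]
    for i, d in enumerate(dlls):                        # descriptors, then name strings
        fields.append(("<I", 0x200 + 20 * i + 12, 0x1000 + pos))
        img[0x200 + pos:0x200 + pos + len(d)] = d.encode("ascii")
        pos += len(d) + 1
    for fmt, off, *vals in fields:
        struct.pack_into(fmt, img, off, *vals)
    return bytes(img)
```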