[midPoint] Trying the AD Password Filters

Jason Everling jeverling at bshp.edu
Sun Jan 27 21:23:23 CET 2019


There is also this other good little password filter; it can be used to write
the password for the user just about anywhere. Works great; I have tested
sending to sql, opendj, openldap, etc. Just write your script and configure
passwdhk to run it.

https://sourceforge.net/projects/passwdhk/files/passwdhk/




On Sun, Jan 27, 2019 at 11:32 AM Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:

> Hello!
>
> Thank you for uploading the installer binary.
> The filter and agent provided by this installer are working correctly.
>
> Thanks!
> WS
> On 26.01.2019 at 11:36, Wojciech Staszewski wrote:
>
> Hi!
>
> Thank you very much for your reply.
> I compiled the package using Visual Studio 2017 Community + WiX 3.11 + WiX
> extension,
> I changed in the solution properties to compile for 64-bit architecture
> (filter dll was marked as 32bit).
>
> Compilation went fine with no error nor warning.
>
> Installation on the server succeeded, I checked registry entries and the
> file locations for the agent and filter, all fine,
> but the filter dll cannot be loaded:
>
> The password notification DLL C:\Windows\System32\ADPasswordFilter.dll
> failed to load with error 126. Please verify that the notification DLL path
> defined in the registry,
> HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages, refers to
> a correct and absolute path (<drive>:\<path>\<filename>.<ext>) and not a
> relative or invalid path. If the DLL path is correct, please validate that
> any supporting files are located in the same directory, and that the system
> account has read access to both the DLL path and any supporting files.
> Contact the provider of the notification DLL for additional support.
> Further details can be found on the web at
> http://go.microsoft.com/fwlink/?LinkId=245898.
>
> I tried to add into the "Notification Packages" registry key values:
>
> ADPasswordFilter
> and with the full path:
> C:\Windows\System32\ADPasswordFilter.dll
>
> But it changes nothing.
> What are other requirements to make it work? C++ runtime? .Net in
> specified version?
> I have installed Microsoft Visual C++ 2017 Redistributable and .Net 4.5
> and 3.5 but it still doesn't work.
>
> Thanks!
> WS
> On 25.01.2019 at 20:02, Ezequiel Alonso wrote:
>
> Sorry,
>
> I forgot to mention a manual installation step. With regedit you must add
> "ADPasswordFilter" in "Notification Packages" in
> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".
>
> I take the opportunity to say that we have in our roadmap the idea of
> encrypting the passwords and also adding a queue of password for storing
> password changes when there is no connectivity.
>
> Thank you guys!
>
> On Fri, Jan 25, 2019 at 15:29, Ezequiel Alonso (
> ealonso at identicum.com) wrote:
>
>> Hi,
>>
>> Thank you for trying our password filter version!
>>
>> We wrote our own version because the one contributed in 2014 was outdated
>> and
>> didn't meet our requirements.
>>
>> This version is more modular. The DLL will pass the user and password as
>> parameters to the agent placed in the path specified in the registry in the
>> "Agent" entry in "HKLM\SOFTWARE\ADPasswordFilter"
>>
>> You can try to compile the client and the dll using Visual Studio 15 with
>> the WiX Toolset plugin for building the installer.
>>
>> For manually installing the filter you must follow the next steps:
>>
>>    - Copy the DLL to "C:\Windows\System32\ADPasswordFilter.dll"
>>    - Copy the Agent to "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe"
>>    - Create the file "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe.config" containing:
>>
>>      <?xml version="1.0" encoding="utf-8"?>
>>      <configuration>
>>        <appSettings>
>>          <add key="BASEURL" value="http://your-midpoint-instance:8080/midpoint"/>
>>          <add key="AUTHUSR" value="administrator"/>
>>          <add key="AUTHPWD" value="5ecr3t"/>
>>        </appSettings>
>>        <startup>
>>          <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
>>        </startup>
>>      </configuration>
>>
>>    - Run the following command as admin in the command prompt:
>>
>>      reg add "HKLM\SOFTWARE\ADPasswordFilter" /v "Agent" /d "C:\Program Files\ADPasswordFilter\ADPasswordAgent.exe"
>>
>>    - Reset the domain controller
>>
>>
>> I also committed the installer to the GitHub repository recently.
>>
>> Let me know if you have any issues with the password filter.
>>
>> Thank you!
>>
>> On Fri, Jan 25, 2019 at 13:58, Jason Everling (
>> jeverling at bshp.edu) wrote:
>>
>>> Although we don't use password sync since our users have to change their
>>> passwords through our password app, which syncs it everywhere else, I
>>> tested the one from Identicum. The one donated to Evolveum is very
>>> outdated, like 5+ years.
>>>
>>> JASON
>>>
>>>
>>> On Fri, Jan 25, 2019 at 10:47 AM Wojciech Staszewski <
>>> wojciech.staszewski at diagnostyka.pl> wrote:
>>>
>>>> Hi All!
>>>>
>>>> There are 2 independent midPoint password-agents for AD.
>>>>
>>>> First made by Radovan from Evolveum:
>>>> https://github.com/Evolveum/midpoint-password-agent-ad
>>>>
>>>> Second made by Identicum:
>>>> https://github.com/Identicum/midPointADPasswordAgent
>>>>
>>>> I want to play with them, but unfortunately I cannot compile the
>>>> installers. Exe and dll files are compiled ok.
>>>> But I don't know how to install it manually (win2012 x86_64)
>>>>
>>>> I put MidPointPasswordFilter.dll into c:\windows\system32 dir,
>>>> then installed Microsoft Visual C++ 2010 x64 Redistributable,
>>>> and modified registry
>>>> HKLM->SYSTEM->CurrentControlSet->Control->Lsa->Notification Packages,
>>>>
>>>> but the DLL cannot be loaded:
>>>> "The password notification DLL MidPointPasswordFilter failed to load
>>>> with error 126." <- most likely missing some dependencies.
>>>>
>>>> Do any of you have any experience with these agents?
>>>> Maybe you have the installers compiled (for x86_64) and can share them?
>>>>
>>>> Thanks
>>>> WS
>>>> --
>>>> Wojciech Staszewski
>>>> Network Systems Administrator
>>>> www.diagnostyka.pl
>>>> Diagnostyka Sp. z o. o.
>>>> ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
>>>> KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków,
>>>> 11th Commercial Division of the National Court Register)
>>>> NIP: 675-12-65-009; REGON: 356366975
>>>> Share capital: 33 756 500 zł.
>>>>
>>>> Think of the environment before you print this e-mail.
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>
>>
>> --
>> *Ezequiel Alonso*
>> Identicum S.A.
>> Jorge Newbery 3226, Buenos Aires, Argentina
>> <https://maps.google.com/?q=Jorge+Newbery+3226>
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>
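
Added example (not part of the original thread, and not code from Identicum or Evolveum): a PowerShell check of the manual installation steps quoted above, meant to be run on the domain controller before it is restarted. It assumes the registry names and file paths given in the thread; the function name Get-PeMachine and the report columns are made up for this example.

```powershell
# Added example: checks the manual install steps quoted in this thread.
# Registry names and paths come from the thread; run elevated on the DC.
if (-not [Environment]::Is64BitProcess) {
    throw 'Use 64-bit PowerShell: a 32-bit shell is redirected away from System32.'
}

function Get-PeMachine([string]$Path) {
    # e_lfanew at offset 0x3C points to "PE\0\0"; the COFF Machine field follows it.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $pe    = [BitConverter]::ToInt32($bytes, 0x3C)
    switch ([BitConverter]::ToUInt16($bytes, $pe + 4)) {
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { 'other' }
    }
}

# Notification Packages: bare DLL names (as in the thread), resolved in System32.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
$report = foreach ($name in $packages) {
    $bare   = $name -notmatch '[\\/:]|\.dll$'
    $dll    = "$env:SystemRoot\System32\$name.dll"
    $exists = $bare -and (Test-Path -LiteralPath $dll)
    [pscustomobject]@{
        Entry     = $name
        BareName  = $bare
        Exists    = $exists
        # A 64-bit LSA needs 'x64'; the thread mentions a DLL project marked as 32-bit.
        Machine   = if ($exists) { Get-PeMachine $dll } else { $null }
        # A self-compiled filter will show NotSigned.
        Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { $null }
    }
}
$report | Format-Table -AutoSize

# Agent and its .exe.config: the registry value holds the agent path.
$agent  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\ADPasswordFilter' -Name Agent -ErrorAction SilentlyContinue).Agent
$config = "$agent.config"
if (-not $agent -or -not (Test-Path -LiteralPath $agent)) {
    Write-Warning "Agent value missing or file not found: '$agent'"
} elseif (-not (Test-Path -LiteralPath $config)) {
    Write-Warning "Missing $config"
} else {
    $settings = ([xml](Get-Content -LiteralPath $config -Raw)).configuration.appSettings.add
    $baseUrl  = ($settings | Where-Object { $_.key -eq 'BASEURL' }).value
    if ($baseUrl -notmatch '^https://') {
        Write-Warning "BASEURL '$baseUrl' is plain HTTP; agent traffic to midPoint is unencrypted."
    }
}
```

The same table doubles as a review of what LSA will load at boot: any entry that is not a known package, or that resolves to an unsigned DLL, deserves a second look.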