Question:
I'd like to know:
- How are user passwords stored in Active Directory?
- How are admin passwords stored in my Active Directory?
Answer:
Actually, CA Single Sign-On doesn't store the passwords directly; the
Active Directory itself does. So when you are using Password Services
and request users to change their password, CA Single Sign-On does an
LDAP bind with the user's credentials and asks the Active Directory to
modify the password, using the attributes you mapped when defining the
User Directory. Then the Active Directory decides how to store the
password.
For more information you can check the following:
How to Configure Password Policies
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies
SSO - Basic Password service integration with Active Directory
https://communities.ca.com/thread/241790640-sso-basic-password-service-integration-with-active-directory
Tech Tip - CA Single Sign-On:Policy Server: Read Password Blob Utility
https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/02/29/tech-tip-ca-single-sign-onpolicy-server-read-password-blob-utility
And about encryption:
Manage Encryption Keys
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys
Using FIPS-Compliant Algorithms
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/upgrading/using-fips-compliant-algorithms
FIPS 140-2 Algorithms
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/fips-140-2-algorithms
KB : KB000096310
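The LDAP exchange the answer describes, reproduced by hand as an added example (this is not CA's code or anything from the original post). It binds to a domain controller as the user, then sends a single LDAP modify on the unicodePwd attribute that deletes the old value and adds the new one, which is how Active Directory distinguishes a user-initiated change (old password checked, password policy enforced) from an administrative reset. The server name, DN and passwords are placeholders; the attribute name unicodePwd, the UTF-16LE quoted-string encoding and the LDAPS requirement are Active Directory's documented behaviour. What the directory does with the value afterwards (how it hashes and stores it) happens entirely on the DC and is not visible to the client, which is the point the answer makes.

```powershell
# Added example, not from CA Single Sign-On or the original post.
# Self-service password change against AD via System.DirectoryServices.Protocols:
# bind as the user, then one modify request on unicodePwd (DELETE old + ADD new).
# All host names, DNs and passwords below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Set-AdPasswordAsUser {
    param(
        [Parameter(Mandatory)][string]$Server,      # e.g. dc01.example.local (assumed)
        [Parameter(Mandatory)][string]$UserDn,      # DN of the account changing its own password
        [Parameter(Mandatory)][string]$OldPassword,
        [Parameter(Mandatory)][string]$NewPassword
    )
    # AD refuses unicodePwd writes over a clear-text connection: use LDAPS (636).
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3

    # Simple bind with the user's own credentials, as the answer describes.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($UserDn, $OldPassword)
    $conn.Bind()

    # unicodePwd expects the password wrapped in double quotes, UTF-16LE encoded.
    $oldBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $OldPassword + '"')
    $newBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $NewPassword + '"')

    $del = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $del.Name      = 'unicodePwd'
    $del.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    [void]$del.Add($oldBytes)

    $add = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $add.Name      = 'unicodePwd'
    $add.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
    [void]$add.Add($newBytes)

    # Both modifications in ONE request. A lone Replace on unicodePwd would be
    # an administrative reset and needs the "Reset Password" right instead.
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $UserDn
    [void]$req.Modifications.Add($del)
    [void]$req.Modifications.Add($add)

    try {
        $resp = $conn.SendRequest($req)
        return $resp.ResultCode      # Success when the DC accepted the change
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholders):
# Set-AdPasswordAsUser -Server 'dc01.example.local' `
#     -UserDn 'CN=Jane Doe,OU=Users,DC=example,DC=local' `
#     -OldPassword 'OldP@ss1' -NewPassword 'NewP@ss2'
```

If the old password is wrong the Bind() itself fails, and if the new value violates the domain or fine-grained password policy the DC rejects the modify with a constraint violation; in both cases nothing is written, which is exactly the behaviour Password Services relies on when it delegates the change to the directory.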