Symantec IGA

  • 1.  Password Sync Agent

    Posted Jun 06, 2012 03:30 PM
    I have a question around the behavior that user will experience in this scenario

    Identity Manager 12.5
    Active Directory 2008

    1) Password requirements for a set of users exceed AD's ability to enforce. 4 of the 4 characters required. AD only enforces 3 of 4, we need to make sure all 4 are set on reset.
    2) IdM will have password policies for 4 of 4.
    3) When users reset their passwords from the desktop it will go to AD first. A password agent will be on the domain controllers.

    Question - What happens when a user sets the password with 3 of the 4, AD will accept it, but when the agent sends it into IdM it will not meet the IdM policy. What does the user see and how does it handle AD originated password resets that do not meet Identity Manager password policy? What error does the user see?


  • 2.  RE: Password Sync Agent
    Best Answer

    Posted Jun 06, 2012 08:32 PM
    Hello there!

    The short answer is that the user should see the standard "Password does not meet complexity requirements" message box that is displayed when AD denies a weak password.

    The long answer is that the Password Sync Agent leverages a Microsoft API called Password Filter. When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made. Using this model the Password Sync Agent actually verifies the password during the first call from the LSA against the IM Password Policies. If validation fails, the user is notified and the password is not set.

    The following illustration shows this process.


    In the event you'd like additional information, there is a good set of documentation by Microsoft for the Password Filter API located here.
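
    The two-phase Password Filter contract described in this answer, as an added example (not the Symantec Password Sync Agent's code), enforcing the "4 of 4 character classes" rule from the question. Assumed: Windows builds use ntsecapi.h and export the two routines from a DLL; off Windows the types are stubbed so the policy check compiles and runs on its own.

```c
/* Added example: a minimal Password Filter DLL body. Not the Symantec
   Password Sync Agent's code; the Windows types come from ntsecapi.h
   and are stubbed elsewhere so the policy logic can be compiled and tested. */
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
typedef unsigned char BOOLEAN;
typedef unsigned long ULONG;
typedef long NTSTATUS;
typedef struct { unsigned short Length; unsigned short MaximumLength;
                 wchar_t *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#endif
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0)
#endif

/* Policy from the question: at least one upper, lower, digit and symbol
   character. AD's built-in complexity rule only requires 3 of these 4. */
bool MeetsFourOfFour(const wchar_t *pw, size_t len) {
    bool upper = false, lower = false, digit = false, symbol = false;
    for (size_t i = 0; i < len; i++) {
        wint_t c = (wint_t)pw[i];
        if (iswupper(c)) upper = true;
        else if (iswlower(c)) lower = true;
        else if (iswdigit(c)) digit = true;
        else symbol = true;
    }
    return upper && lower && digit && symbol;
}

/* Phase 1: LSA asks every registered filter whether the new password is
   acceptable. Returning FALSE rejects the change, and the user sees the
   standard "does not meet complexity requirements" dialog. */
BOOLEAN PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                       PUNICODE_STRING Password, BOOLEAN SetOperation) {
    (void)AccountName; (void)FullName; (void)SetOperation;
    /* UNICODE_STRING.Length is in bytes and the buffer may lack a NUL. */
    size_t chars = Password->Length / sizeof(wchar_t);
    return MeetsFourOfFour(Password->Buffer, chars) ? 1 : 0;
}

/* Phase 2: called only after every filter accepted; a sync agent would
   forward the already-validated password to IdM from here. */
NTSTATUS PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                              PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return STATUS_SUCCESS;
}

/* Test helper (hypothetical): wraps a NUL-terminated string the way LSA
   would hand it to PasswordFilter. */
BOOLEAN CheckCandidate(wchar_t *pw) {
    UNICODE_STRING s;
    s.Length = (unsigned short)(wcslen(pw) * sizeof(wchar_t));
    s.MaximumLength = (unsigned short)(s.Length + sizeof(wchar_t));
    s.Buffer = pw;
    return PasswordFilter(NULL, NULL, &s, 0);
}
```

    Register the built DLL under the LSA "Notification Packages" value on each domain controller, as the Microsoft documentation linked above describes.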


  • 3.  RE: Password Sync Agent

    Posted Jun 07, 2012 02:17 PM
    Great, thanks.


    Follow up question - In the password composition rules, how do you block the password from containing the username?


  • 4.  RE: Password Sync Agent

    Posted Jun 07, 2012 02:44 PM
    Used to be the 'Profile Attributes match length'. The caveat being that it ensures that the password does not match X number of consecutive characters from ANY profile attribute, not just the userid.

    Now, that being said - I no longer see that option under IdentityManager password policy creation screen, but if you have the siteminder integration, you may be able to go into the policy server and update the password policy there... would need to test it out to be sure though.


  • 5.  RE: Password Sync Agent

    Posted Jun 07, 2012 03:01 PM
    Andrew is correct. This does require SiteMinder integration and is an effective means for meeting that requirement.

    If you feel that your issue is resolved, please click the "Mark as Accepted Solution" link so that this thread will be properly closed and indexed.

    Thanks!