Symantec IGA

  • 1.  Active Directory password questions

    Broadcom Employee
    Posted Jul 23, 2015 07:48 AM

    Hello Community

     

    Is there a way to implement password history on the Active Directory endpoint?

    The customer wants a task that changes a user's password to take password history into consideration, and if the password does not meet the history requirement, to finish the task as failed with an error stating that password history was not met. The password sync agent is installed on all domain controllers in the environment, and password propagation works in both directions.

     

    Also, the AD password is also the IAM password for the user, and if the AD password is expired on the AD endpoint, the user cannot log in on a domain computer, but he can still log in to the IAM system, which is not OK; the user should not be able to log in to IAM with an expired AD password.

     

    The customer has PIM 12.6 SP2 and Windows 2008 R2.

     

    Any help is appreciated

    Thanks



  • 2.  Re: Active Directory password questions

    Posted Aug 19, 2015 12:07 PM

    It's not clear if you are trying to implement something with the CA PIM product or the CA IM product.

     

    I assume the AD is a managed endpoint system under the IM Provisioning/Connector Server and not the IM Userstore. The AD system cannot be both. If you need IM authentication to be done against something other than the IM Userstore you would need to look at having IM integrated with Siteminder and/or look at implementing a custom authentication filter or ask your CA Account Team if there is such an authentication filter that you can purchase.

     

    Depending on what you are trying to do one thought might be to look at what Microsoft APIs exist that can allow you to implement a password checking routine which could then be executed during the IM Change Password task to test against the AD system. I saw reference to NetValidatePasswordReset in the link http://blogs.msdn.com/b/david_leblanc/archive/2007/10/11/checking-password-complexity.aspx

     

    - KennyV



  • 3.  Re: Active Directory password questions

    Broadcom Employee
    Posted Aug 20, 2015 12:41 AM

    Hi

     

    Here is a nice example of using CA IM APIs to check password health.

     

    I didn't test the code, but it should work for you.

     

    This example is on the field validation part:

    function validate (FieldContext, attributeValue, changedValue, errorMessage)
    {
         importClass(Packages.com.netegrity.llsdk6.imsapi.utility.PasswordCondition);

         try
         {
              var userName = FieldContext.getFieldValue("Sales Number"); // in this example, this is also the AD account name field
              var password = new String(attributeValue);
              var provider = FieldContext.getUserProvider();
              var user = provider.findUser(userName, null);
              var endpointAccounts = user.getAccounts(); // accounts correlated to the user

              for (var x = 0; x < endpointAccounts.size(); x++)
              {
                   var currentEndpoint = endpointAccounts.get(x);
                   var accountType = currentEndpoint.getType().getFriendlyName();

                   if (accountType.equals("ActiveDirectory"))
                   {
                        var passwordCondition = new PasswordCondition();
                        var isAcceptable = currentEndpoint.validateNewPassword(password, passwordCondition); // check the password against the endpoint

                        if (isAcceptable)
                        {
                             errorMessage.reference = 'Valid Password';
                             return true;
                        }
                        else
                        {
                             errorMessage.reference = 'Password may not be reused. Please enter a new password.';
                             return false;
                        }
                   }
              }

              // No ActiveDirectory account is correlated to this user, so there is nothing to check against
              return true;
         }
         catch (err)
         {
              FieldContext.setFieldValue("|debug|", "An unexpected error has occurred; please contact Support. Code: Password Services");
              // Fail closed: do not accept a password that the check could not evaluate
              errorMessage.reference = 'Password could not be validated. Please contact Support.';
              return false;
         }
    }


  • 4.  Re: Active Directory password questions

    Posted Sep 01, 2015 06:43 PM

    Hi,

     

    I've attempted to utilize the provided code's functionality in the password changing and password resetting admin tasks within IM, but have found that the code wasn't actually verifying passwords against the Active Directory's password history; I'm unsure of exactly what is happening on the backend, but from what I could gather it seemed as if it were still only checking against the password policies defined in IM.

     

    Has anyone been able to utilize this CAIM API as desired?

     

    Could it be this requires use of a Password Profile configuration on the Provisioning Manager?

     

    ~Anthony P



  • 5.  Re: Active Directory password questions

    Broadcom Employee
    Posted Sep 03, 2015 02:38 PM

    Yes, this will not work, as CAIM will always change the password using the delegation model which, in AD, bypasses the password history requirements.

     

    The code above will check the password against the CAIM password policy.

     

    thanks

     

    Itamar
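
    The following is an added example and is not code from this thread or from CA/Broadcom. It illustrates the point made in post 2 (checking a candidate password against the domain) and in post 5 (an administrative reset is not subject to AD's password history): a user-context change is rejected by the DC when the password is in the history, a privileged reset of the same password is accepted, and a reset sent over LDAP with the LDAP_SERVER_POLICY_HINTS control (OID 1.2.840.113556.1.4.2239, documented in MS-ADTS) is checked against history again. The domain controller name, account, distinguished name and passwords are placeholders; it assumes the RSAT ActiveDirectory module, an LDAPS-reachable DC and a lab account on which the caller holds the "Reset password" right.

```powershell
# Added example, not from the thread. Run only against a lab domain.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server  = 'dc01.lab.example'                         # assumption: writable DC with LDAPS
$User    = 'lab.user01'                               # assumption: test account
$UserDN  = 'CN=lab.user01,OU=Lab,DC=lab,DC=example'   # assumption: its DN
$Current = 'CurrentPass-123!'                         # assumption: account's current password
$Reused  = 'PreviousPass-456!'                        # assumption: already in the account's history

function Invoke-UserPasswordChange {
    param([string]$Identity, [string]$Old, [string]$New, [string]$Server)
    $o = ConvertTo-SecureString $Old -AsPlainText -Force
    $n = ConvertTo-SecureString $New -AsPlainText -Force
    try {
        # Change path (old + new password): the DC applies history, minimum age and complexity.
        Set-ADAccountPassword -Identity $Identity -Server $Server -OldPassword $o -NewPassword $n -ErrorAction Stop
        return @{ Mode = 'change'; Accepted = $true; Error = $null }
    } catch {
        # Reuse comes back as ERROR_PASSWORD_RESTRICTION (0x52D):
        # "does not meet the length, complexity, or history requirement".
        return @{ Mode = 'change'; Accepted = $false; Error = $_.Exception.Message }
    }
}

function Invoke-AdminPasswordReset {
    param([string]$Identity, [string]$New, [string]$Server)
    $n = ConvertTo-SecureString $New -AsPlainText -Force
    try {
        # Reset path (privileged replace of unicodePwd): only the caller's "Reset password"
        # right is checked; the user's password history is not consulted. This is the
        # path a provisioning connector takes, which is why post 5 says history is bypassed.
        Set-ADAccountPassword -Identity $Identity -Server $Server -Reset -NewPassword $n -ErrorAction Stop
        return @{ Mode = 'reset'; Accepted = $true; Error = $null }
    } catch {
        return @{ Mode = 'reset'; Accepted = $false; Error = $_.Exception.Message }
    }
}

function Invoke-PolicyCheckedReset {
    param([string]$DistinguishedName, [string]$New, [string]$Server)
    # unicodePwd can only be written over an encrypted session; bind with LDAPS on 636.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    # unicodePwd takes the new password as UTF-16LE, wrapped in double quotes.
    $pwdBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $New + '"')
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($pwdBytes)
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest($DistinguishedName, $mod)

    # Control value is BER: PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }.
    # Flags = 1 asks the DC to enforce the password history constraint on this reset.
    $berValue = [byte[]](0x30, 0x03, 0x02, 0x01, 0x01)
    $hint = New-Object System.DirectoryServices.Protocols.DirectoryControl(
        '1.2.840.113556.1.4.2239', $berValue, $true, $true)
    [void]$req.Controls.Add($hint)
    try {
        $resp = $conn.SendRequest($req)
        return @{ Mode = 'reset+policyhints'; Accepted = ($resp.ResultCode -eq 'Success'); Error = $null }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # With the control attached, a password found in the history is refused with
        # unwillingToPerform and the same 0x52D text the change path reports.
        return @{ Mode = 'reset+policyhints'; Accepted = $false; Error = $_.Exception.Response.ErrorMessage }
    }
}

# Lab run against the same account: expect change = rejected, reset = accepted,
# reset+policyhints = rejected (the reused value is now the current password, which counts as history).
Invoke-UserPasswordChange -Identity $User -Old $Current -New $Reused -Server $Server
Invoke-AdminPasswordReset  -Identity $User -New $Reused -Server $Server
Invoke-PolicyCheckedReset  -DistinguishedName $UserDN -New $Reused -Server $Server
```

    The third function is the piece a connector would need in order to make an administrative reset honour history: the control only changes which policy checks the DC applies, it does not change the rights required for the write. On Windows Server 2008 R2, the customer's platform here, the control is only available with the older OID 1.2.840.113556.1.4.2066 and requires a DC hotfix; on Windows Server 2012 and later the OID used above is built in.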



  • 6.  Re: Active Directory password questions

    Broadcom Employee
    Posted Sep 03, 2015 02:43 PM

    Found this KB @ MS that might help

     

    https://support.microsoft.com/en-us/kb/2386717