jimbjorklund

Active Directory and Azure, Password Synchronisation


Hi, does anyone know if the AD-driver will be able to pick up password
changes coming via Azure AD through Password writeback (part of Azure AD
Connect)?
We are considering Self-service password reset in Azure AD.

What I know so far (from the MSDN article below) is that Password
writeback enforces a custom password filter in the on-premises AD. But I
do not know if the custom password filter (DLL file) installed by the
NetIQ Driver for AD is able to pick up the password change.
https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx


--
jimbjorklund
------------------------------------------------------------------------
jimbjorklund's Profile: https://forums.netiq.com/member.php?userid=1292
View this thread: https://forums.netiq.com/showthread.php?t=54309


Re: Active Directory and Azure, Password Synchronisation

On Thu, 17 Sep 2015 10:44:02 +0000, jimbjorklund wrote:

> Hi, does anyone know if the AD-driver will be able to pick up password
> changes coming via Azure AD through Password writeback (part of Azure AD
> Connect)?


I don't think so, but haven't tried it myself. Ask Microsoft if the
password can be extracted from Azure?


> We are considering Self-service password reset in Azure AD.


Their sales guys have been pushing that. They keep telling us how nice it
would be to have this, so that our users can answer challenge questions
and self reset their own passwords. We're using Pwm here, and have been
for several years, so I don't see the point of it myself.


> What I know so far (from the msdn article below) is that that Password
> writeback enforces custom password filter in the On-Premises AD. But I
> do not know if the custom password filter (dll-file) installed by the
> NetIQ Driver for AD is able to pick up the password change.
> https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx


I suspect the "custom filter" enforces the same restrictive password
rules as the Azure AD stuff [1]. I'm also going to guess that their
"write back" method does the same thing their DirSync password
synchronization does: syncs the hash of the password, not the password
itself. If so, then you won't be able to pick up the clear-text version
via the MicroFocus password filter, so you won't be doing Publisher
channel password sync to the rest of your environment.

But, don't guess, try it out and let us know how it works. Or doesn't.


[1] Microsoft Azure AD Password Policy:

1. Common Requirements
8 characters minimum and 16 characters maximum
Does not contain spaces
Does not contain Unicode characters

2. Standard Strength Requirements
Can contain any of:
A – Z
a – z
0 – 9
@#$%^&*-_+=[]{}|\:‘,.?/`~“();

3. Strong Requirements
Cannot contain a dot character '.' immediately preceding the '@' symbol
Must contain three of:
A – Z
a – z
0 – 9
@#$%^&*-_+=[]{}|\:‘,.?/`~“();


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
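As an added example (not code from the thread or from any vendor), a small Python checker that applies the three tiers of the Azure AD password policy quoted in [1] above, so a candidate password can be tested on-premises before relying on writeback; the rule set is taken from the post exactly as written, not from Microsoft's current documentation.

```python
import string

# Character classes exactly as listed in the quoted policy [1].
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SYMBOLS = set('@#$%^&*-_+=[]{}|\\:\',.?/`~"();')
ALLOWED = UPPER | LOWER | DIGITS | SYMBOLS


def check_common(pw):
    """Tier 1: common requirements. Returns a list of violations (empty = OK)."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8-16 characters")
    if " " in pw:
        problems.append("must not contain spaces")
    if not pw.isascii():
        problems.append("must not contain Unicode (non-ASCII) characters")
    return problems


def check_standard(pw):
    """Tier 2: every character must come from the allowed set."""
    problems = check_common(pw)
    # Non-ASCII is already reported by the common check, so only flag ASCII oddities here.
    bad = sorted({c for c in pw if c.isascii() and c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def check_strong(pw):
    """Tier 3: no '.' right before '@', and at least three of the four classes."""
    problems = check_standard(pw)
    if ".@" in pw:
        problems.append("'.' must not immediately precede '@'")
    classes = sum(1 for cls in (UPPER, LOWER, DIGITS, SYMBOLS) if any(c in cls for c in pw))
    if classes < 3:
        problems.append(f"must use three of four character classes (has {classes})")
    return problems


def strength(pw):
    """Highest tier the password satisfies: 'strong', 'standard' or 'rejected'."""
    if not check_strong(pw):
        return "strong"
    if not check_standard(pw):
        return "standard"
    return "rejected"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Summer2015", "summer2015", "john.@example", "S\u00f6mmer2015", "bad pass"):
        print(f"{sample!r}: {strength(sample)} {check_strong(sample)}")
```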

Re: Active Directory and Azure, Password Synchronisation

David Gersic <dgersic@no-mx.forums.microfocus.com> wrote:

> I don't think so, but haven't tried it myself. Ask Microsoft if the
> password can be extracted from Azure?


> Their sales guys have been pushing that. They keep telling us how nice it
> would be to have this, so that our users can answer challenge questions
> and self reset their own passwords. We're using Pwm here, and have been
> for several years, so I don't see the point of it myself.


> I suspect the "custom filter" enforces the same restrictive password
> rules as the Azure AD stuff [1]. I'm also going to guess that their
> "write back" method does the same thing their DirSync password
> synchronization does: syncs the hash of the password, not the password
> itself. If so, then you won't be able to pick up the clear-text version


I just looked this up; it actually does sync the changed password, which is
encrypted during transport to the on-premises AD but decrypted there. It then
performs a change password request against the on-premises AD using the standard
change password API. So I think that it might be worth testing.

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.

Re: Active Directory and Azure, Password Synchronisation

On Thu, 17 Sep 2015 15:58:25 +0000, Alex McHugh wrote:

> David Gersic <dgersic@no-mx.forums.microfocus.com> wrote:
>
>> I don't think so, but haven't tried it myself. Ask Microsoft if the
>> password can be extracted from Azure?

>
>> Their sales guys have been pushing that. They keep telling us how nice
>> it would be to have this, so that our users can answer challenge
>> questions and self reset their own passwords. We're using Pwm here, and
>> have been for several years, so I don't see the point of it myself.

>
>> I suspect the "custom filter" enforces the same restrictive password
>> rules as the Azure AD stuff [1]. I'm also going to guess that their
>> "write back" method does the same thing their DirSync password
>> synchronization does: syncs the hash of the password, not the password
>> itself. If so, then you won't be able to pick up the clear-text version

>
> I just looked this up, it actually does sync the changed password which
> is encrypted during transport to on premises AD but decrypted there. It
> then performs a change password request against an on premises AD using
> standard change password API. So I think that it might be worth testing.


Ooh, in that case, the pwfilter.dll should catch it and sync it out.
That'd be cool, if it works.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Active Directory and Azure, Password Synchronisation


Password Sync is a feature of the Azure Active Directory Sync tool that
synchronizes user passwords from your on-premises Active Directory to
Azure Active Directory ("Azure AD").
It uses exactly the same technology that we use.
> The Active Directory Domain Service stores passwords in form of a hash
> value representation of the actual user password. The Password hash
> cannot be used to login to your on-premises network. It is also designed
> so that it cannot be reversed in order to gain access to the user’s
> plaintext password. To synchronize a password, the Directory Sync tool
> extracts the user password hash from the on-premises Active Directory.
> Additional security processing is applied to the password hash before it
> is synchronized to the Azure Active Directory Authentication service.
> The actual data flow of the password synchronization process is similar
> to the synchronization of user data such as DisplayName or Email
> Addresses.


MS also provides *Password writeback*: Azure AD to manage on-premises
passwords.
Password writeback is an Azure Active Directory Sync component that can
be enabled and used by the current subscribers of Azure Active Directory
Premium.

Like usual, this is just a marketing name for a super-simple task:
the user changes the password in Azure AD via Azure SSPR. This cloud SSPR
captures the clear-text password and passes it back to the on-premises AD.


+----------------------------------------------------------------------+
|Filename: IC775466.jpg |
|Download: https://forums.netiq.com/attachment.php?attachmentid=339 |
+----------------------------------------------------------------------+

--
If you find this post helpful, please show your appreciation by clicking
on the star below
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=54309
