Micro Focus Frequent Contributor

Active Directory password filter and Azure Password Protection


A customer is analyzing whether to implement the "Azure AD password protection" component on his on-premises AD.
That Microsoft component uses a password filter agent installed on all Domain Controllers and, as far as I know, it alters the behaviour of the IDM password filter. The Azure password filter causes the IDM password filter to stop working.


Does anyone have any experience with this Microsoft component, or know of a workaround for this issue?


6 Replies
Knowledge Partner

I have no experience with this Azure Password Protection component.
There is a big chance that this component can't coexist with any other password agents.

You can take a look at "Beginner's guide to Azure AD Password Protection" from ManageEngine:
https://download.manageengine.com/products/self-service-password/azure-ad-password-protection.pdf

They provide a detailed comparison between ADSelfService Plus' Password Policy Enforcer (their own product) and Azure AD Password Protection.

(At least some information is better than nothing.)

Knowledge Partner

I remember, many years ago, that Lotus Notes had a password agent that could not co-exist.

This sounds like a problem and could best be clarified by an SR and later a clarification in the documentation, etc.

Outstanding Contributor.

Hi!

As I recall, you can have multiple types of filters on domain controllers. I would review this TID:

https://support.microfocus.com/kb/doc.php?id=3614450

Specifically the registry key HKLM/SYSTEM/CurrentControlSet/Control/Lsa, which is the one that "activates" the filter, as I recall it. However, it has been a while since I looked at a similar issue.

Quote from TID:

This is done by the fact that pwfilter is running and is a notification package in HKLM/SYSTEM/CurrentControlSet/Control/Lsa

Best regards

Marcus

Knowledge Partner

All of what @Marcus Tornberg says is correct.

We have had customers with multiple password filters installed (including the IDM one).

Well written password filters should have no problems co-existing.

From the MS docs:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq#general-questions

"Is it supported to install Azure AD Password Protection side by side with other password-filter-based products?

Yes. Support for multiple registered password filter dlls is a core Windows feature and not specific to Azure AD Password Protection. All registered password filter dlls must agree before a password is accepted."

Also note that there are some known issues with the password filter (fixed in the latest IDM AD driver download) related to enhanced security that can be turned on in recent Windows Server releases.

https://www.netiq.com/documentation/identity-manager-47-drivers/ActiveDirectoryDriver4121_readme/data/ActiveDirectoryDriver4121_readme.html

Alex McHugh - Knowledge Partner - Stavanger, Norway

Knowledge Partner

Great news!

Knowledge Partner

You can modify the order in which the filters fire in that Registry key. Try moving the NetIQ filter to be first or last to see if it makes a difference. Alas, the Control Panel tool may not be helpful for that.
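As an added example (not code from this thread or from NetIQ/Microsoft), here is a read-only PowerShell check of the Lsa "Notification Packages" value that the TID and the last reply refer to: it lists the registered password filter DLLs in call order, verifies each DLL file exists on the DC, and prints the order that would result from moving the IDM filter to the front without writing anything. It assumes the IDM filter is registered as "pwfilter" (the name quoted from the TID) and uses an obvious placeholder for the Azure AD Password Protection DLL name, which the thread does not give.

```powershell
# Added example: inspect password filter registration on a domain controller.
# Run in an elevated PowerShell session on the DC. Read-only: nothing is written.
# 'pwfilter' is the IDM filter name from the TID quoted above; the Azure DLL
# name is an assumption, replace it with the real base name on your DC.
function Get-PasswordFilterStatus {
    param(
        [string]$IdmFilter   = 'pwfilter',
        [string]$OtherFilter = 'AZURE_FILTER_DLL_NAME_PLACEHOLDER'
    )
    # Note the backslashes: the TID text shows the path with forward slashes.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # REG_MULTI_SZ, one DLL base name per entry; LSA loads them in this order.
    $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')

    Write-Host "Notification Packages on $env:COMPUTERNAME (call order):"
    $i = 0
    foreach ($pkg in $packages) {
        $i++
        $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $status  = if (Test-Path $dllPath) { 'dll found' } else { 'DLL MISSING' }
        '{0,2}. {1,-40} {2}' -f $i, $pkg, $status
    }

    # A filter only participates if it is listed here; as the MS FAQ quoted
    # above says, every registered filter must accept the password.
    foreach ($name in @($IdmFilter, $OtherFilter)) {
        if ($packages -contains $name) {
            Write-Host "OK: '$name' is registered"
        } else {
            Write-Warning "'$name' is NOT registered in Notification Packages"
        }
    }

    # Proposed order with the IDM filter first (not applied; shown for review).
    $proposed = @($IdmFilter) + @($packages | Where-Object { $_ -ne $IdmFilter })
    Write-Host "Proposed order with '$IdmFilter' first: $($proposed -join ', ')"
    # To apply after exporting a backup of the Lsa key, one would use
    # Set-ItemProperty on 'Notification Packages' with -Type MultiString and
    # then reboot the DC; the change is only picked up at LSA start.
    return [pscustomobject]@{ Current = $packages; Proposed = $proposed }
}

Get-PasswordFilterStatus
```

The `Current`/`Proposed` object it returns can be collected from every DC (for example via `Invoke-Command`) to confirm the filter set and order are identical across the domain, which is the first thing to check when a filter appears to stop working after another one is installed.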
