Managing passwords for multiple user accounts is one of the complexities of managing an enterprise environment with multiple data sources. Microsoft® Forefront Identity Manager (FIM) 2010 provides two password management solutions:
- Password synchronization – Utilizes
the password change notification service (PCNS) to capture password
changes from Active Directory and propagate them to other connected
- User-based password change management
– Utilizes the Windows Management Instrumentation (WMI) through
Web-based Help Desk and self-service password reset
By using password synchronization and user-based password change management, you can:
- Reduce the number of different passwords
users have to remember.
- Simultaneously set or change passwords in a
user's multiple accounts to the same password.
- Allow users to change their own passwords in
Active Directory and push the password change out to other
- Eliminate the risk of building an additional
password or credential store.
- Synchronize passwords across multiple data
sources by using Active Directory as the authoritative
- Perform password management operations in
real time, independent of FIM operations.
Management agents for directory servers support password change and set operations by default. For file-based, database, and extensible connectivity management agents, which do not support password change and set operations by default, you can create a .NET password extension dynamic-link library (DLL). The .NET password extension DLL is called whenever a password change or set call is invoked for any of these management agents. Password extension settings are configured for these management agents in Synchronization Service Manager. For more information about configuring password extensions, see the FIM Developer Reference.
|Password management is supported by default in the management agents for:||By using a password extension, password management is also supported in the management agents for:|
Password synchronization works with the password change notification service (PCNS) on an Active Directory domain, and allows password changes that originate from Active Directory to be automatically propagated to other connected data sources. FIM accomplishes this by running as a Remote Procedure Call (RPC) server that listens for a password change notification from an Active Directory domain controller. When the password change request is received and authenticated, it is processed by FIM and propagated to the appropriate management agents.
Bi-directional password synchronization is not supported by FIM. Configuring bi-directional password synchronization can create a loop, which will consume server resources and have a potentially negative effect on both Active Directory and FIM.
The PCNS runs on each Active Directory domain controller. The systems that receive the password notifications are known as targets. Your FIM must be configured as a PCNS target in Active Directory before password notifications are sent. The PCNS configuration must define an inclusion group and, optionally, an exclusion group. These groups are used to restrict the flow of sensitive passwords from the domain. For example, to send passwords for all users, but not send administrative passwords, you might choose to use Domain Users as the inclusion group, and Domain Admins as the exclusion group. For more information about configuring the password change notification service, see Using Password Synchronization.
The components involved in the password synchronization process are:
- Password change notification service
(Pcnssvc.exe)–The password change notification service runs on
a domain controller and is responsible for receiving password
change notifications from the local password filter, queuing them
for the target server running FIM, and using RPC to deliver the
notifications. The service encrypts the password and ensures that
the password remains secure until it is successfully delivered to
the target server running FIM.
- Service principal name (SPN) – The SPN
is a property on the account object in Active Directory that is
used by the Kerberos protocol to mutually authenticate the PCNS and
the target. The SPN ensures that the PCNS authenticates to the
correct server running FIM, and that no other service can receive
the password change notifications. The SPN is created and assigned
by using the setspn.exe tool. For more information about
configuring the SPN, see Using Password
- Password change notification filter
(Pcnsflt.dll) – The password filter is used to obtain plaintext
passwords from Active Directory. This filter is loaded by the Local
Security Authority (LSA) on each Windows Server domain
controller participating in password distribution to a target
server running FIM. Once the filter has been installed and the
domain controller has been restarted, the filter begins to receive
password change notifications for password changes that originate
on that domain controller. The password notification filter runs
simultaneously with other filters that are running on the domain
- Password change notification service
configuration utility (Pcnscfg.exe) – The pcnscfg.exe utility
is used to manage and maintain the password change notification
service configuration parameters stored within Active Directory.
These configuration parameters, such as defining the target
servers, the password queue retry interval, and enabling or
disabling a target server, are used when authenticating and sending
password notifications to the target server running FIM.
- The service configuration is stored in Active
Directory, so it is only necessary to update the configuration on
one domain controller. Active Directory replicates the change to
all other domain controllers.
- Remote Procedure Call (RPC) server on the
server running FIM – When password synchronization is enabled,
the RPC server on the server running FIM is started, enabling it to
receive notifications from the password change notification
service. RPC dynamically selects a range of ports to use. If you
require FIM to communicate with the Active Directory forest
through a firewall, you must open a range of ports.
- Password extension DLL – The password
extension DLL provides a way to implement password set or change
operations by means of a rules extension for any database,
extensible connectivity, or file-based management agent. This is
accomplished by creating an export-only, encrypted attribute named
"export_password" that does not actually exist in the connected
directory but can be accessed and set in provisioning rules
extensions or can be used during export attribute flow. For more
information about configuring password extensions, see the FIM Developer Reference.
Preparing for password synchronization
Before you set up password synchronization for your FIM and Active Directory environment, verify the following:
- FIM is installed according to installation
- Management agents for the connected data
sources to be managed for password synchronization are already
created and the objects are being successfully joined and
To set up password synchronization:
- Extend the Active Directory schema to
add the classes and attributes necessary for installing and running
the password change notification service (PCNS).
- Install the PCNS on each domain
- Configure the service principal name (SPN) in
Active Directory for the FIM service account.
- Configure the PCNS to communicate with the
target FIM service.
- Configure the management agents for the
connected data sources to be managed for password
- Enable password synchronization on FIM.
For more information about setting up password synchronization, see Using Password Synchronization.
Password synchronization process
The process of synchronizing a password change request from an Active Directory domain controller to other connected data sources is shown in the following diagram:
- The user initiates the password change request by pressing
Ctrl+Alt+Del. The password change request, including the new
password, is sent to the nearest domain controller.
- The domain controller records the password change request and
notifies the password change notification filter (Pcnsflt.dll).
- The password change notification filter passes the request to
the password change notification service (PCNS).
- The PCNS verifies the password change request, then
authenticates the service principal name (SPN) by using Kerberos,
and forwards the password change request in encrypted RPC to the
FIM target server.
- FIM validates the source domain controller, then uses the
domain name to locate the management agent that services that
domain, and uses the user account information in the password
change request to locate the corresponding object in the connector
- By using the join table information, FIM determines the
management agents that receive the password change, and pushes the
password change out to them.
Password synchronization security
The following password synchronization security concerns have been addressed:
- Authentication from the password
source – When the password change notification is received,
Kerberos authentication is done by FIM as well as the source domain
controller to ensure both the recipient and sender are valid. Upon
receiving a password change notification, FIM ensures that the
caller has an account in the Domain Controllers container of the
domain it belongs to.
- Failed password synchronization to a
target data source due to an insecure connection – If the
management agent has been configured to require a secure connection
but one is not detected, the synchronization fails. Synchronization
still occurs if the management agent has been configured to allow
non-secure connections. Allowing non-secure connections should be
enabled only after examining and understanding the risks
- Secure storage of passwords – FIM only
stores encrypted passwords temporarily. All passwords received by
FIM during a password change notification operation are encrypted
as soon as they enter the FIM process. The moment they are
successfully sent out to the target connected data source, they are
decrypted, and the memory storing the password is immediately
cleared. If the operation fails to write to the target connected
data source, the encrypted password is stored until all retry
attempts have been attempted, and then is cleared from memory.
- Secure password queues – Passwords
stored in PCNS password queues are encrypted until they are
Password synchronization error recovery scenarios
Ideally, whenever a user changes a password, the change is synchronized with no errors. The following scenarios describe how FIM recovers from common synchronization errors:
- Failed password notification from Active
Directory to FIM – This can occur if the network is down, or if
the server running FIM is unavailable. The password change
notification remains queued locally on the domain controller by the
PCNS. The PCNS reattempts the notification according to its retry
- Failed password synchronization to a
target data source – This can also occur if the network is
down, or if the target data source is unavailable. The password
change notification is queued and retried according to the
management agent's configuration for retry attempt and retry
interval. All passwords are encrypted while they are stored for
retry, and deleted when the operation succeeds or the retry limits
- Activating a warm standby server running
FIM after a failure – In the case of the primary server running
FIM failing, you can configure a warm standby server for password
synchronization, and activate it with no loss of password changes.
For more information, see MIISactivate: Server
Some failures are serious enough that no amount of retries is likely to result in a successful operation. In these cases, an error event is logged and the process is stopped. The following events are not retried:
A password synchronization set operation was not performed because the timestamp was out of date.
The password synchronization set operation was not processed because password management is not enabled on the target management agent.
The password synchronization set operation was not processed because password management is not configured on the target management agent.
The password synchronization set operation was not processed because the target connector space object could not be found in the connected directory.
The password synchronization set operation failed because the password does not satisfy the password policy of the target system.
The password synchronization set operation failed because the password extension for the target management agent is not configured to support password set operations.
User-based password change management
FIM provides two web applications that use Windows Management Instrumentation (WMI) for resetting passwords. As with password synchronization, you activate password management when you configure the management agent in Management Agent Designer. For information about password management and WMI, see the FIM Developer Reference.
FIM creates two security groups during installation that specifically support password management operations:
- FIMSyncBrowse—Members of this group
have permission to gather information about a user's accounts when
doing search operations with WMI queries.
- FIMSyncPasswordSet—Members of this
group have permission to perform account search, password set, and
password change operations using the password management interfaces
For more information about FIM security groups, see Using Security Groups.