Monitoring transparent password synchronization
Managing the Password Manager Service queue
Monitor transparent password synchronization by running synchronization reports. You may need to remove queued items to improve performance.
By selecting unwanted queued transparent synchronization items and removing them, the items will not be retried to synchronize to their destination targets and will be marked as failed synchronization.
To remove items from the transparent synchronization queue:
1. Click Manage the system > Maintenance > Services.
2. Select Bravura Security (idpm) Password Manager Service.
3. Select Manage work queue in the bottom table.
4. Enter search criteria and click Search.
5. Select the items you want to remove and click Cancel.
Monitoring transparent password synchronization on Windows servers
Monitor the health of the Password Change Notification Module on Windows NT PDCs and Active Directory DCs. Run netstat -an to see whether there are many (more than 20 or 30) TCP connections pending between the PDC/DC and the Bravura Pass server. If so, there may be a problem with the Bravura Pass server.
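The netstat check above can be scripted so that the connection count to the Password Manager service is tallied per TCP state instead of read by eye. The following is an added example, not part of the Bravura Security documentation; the server address 10.0.5.8:3334 is taken from the page's sample configuration, the netstat output is constructed, and the default threshold of 20 follows the "more than 20 or 30" guideline stated above.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output from a Windows domain controller; not real data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.1.10:49800        10.0.5.8:3334          ESTABLISHED
  TCP    10.0.1.10:49801        10.0.5.8:3334          SYN_SENT
  TCP    10.0.1.10:49802        10.0.5.8:3334          SYN_SENT
  TCP    10.0.1.10:49803        10.0.5.8:3334          TIME_WAIT
  TCP    10.0.1.10:49804        10.0.7.7:445           ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# One TCP row of netstat output: proto, local address, foreign address, state.
NETSTAT_TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def connections_to(netstat_text, server_ip, server_port):
    """Count TCP connections by state whose foreign end is server_ip:server_port."""
    target = "{}:{}".format(server_ip, server_port)
    states = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP_LINE.match(line)
        if m and m.group(2) == target:
            states[m.group(3)] += 1
    return states


def check_idpm_backlog(netstat_text, server_ip="10.0.5.8", server_port=3334, threshold=20):
    """Return (total, states, alarm): alarm is True when the DC holds more than
    `threshold` TCP connections to the Bravura Pass server, the symptom the page
    describes for a server-side problem."""
    states = connections_to(netstat_text, server_ip, server_port)
    total = sum(states.values())
    return total, states, total > threshold


if __name__ == "__main__":
    total, states, alarm = check_idpm_backlog(SAMPLE_NETSTAT)
    print("connections to idpm:", total, dict(states), "ALARM" if alarm else "ok")
```

On a live domain controller, pass `subprocess.check_output(["netstat", "-an"], text=True)` in place of the constructed sample; the state breakdown (for example a pile-up of SYN_SENT) tells you whether the server is not accepting connections at all or is accepting them and then stalling.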
Sometimes, you may find that the Password Manager service (idpm) appears to be failing to synchronize passwords changed on a Windows server. In many cases this is caused by the Password Change Notification Module interceptor (psintcpt.dll) timing out before it has communicated a password change to idpm. The default timeout period for psintcpt.dll is 60 seconds. You can extend this timeout period in the intcptsvc.cfg file.
See Password interceptor service (intcptsvc) configuration for more information.
Warning
It is strongly recommended that you edit intcptsvc.cfg only under the direction of a Bravura Security support technician.
The password interceptor service, intcptsvc, is part of the Bravura Security Password Change Notification Module, which also includes the psintcpt.dll. The service queues DLL requests and communicates with the Password Manager service (idpm). The DLL is loaded into the Windows Local Security Authority (LSA) policy to capture native password changes.
This section explains how you can extend the functionality of the Password Change Notification Module to use different interceptor settings based on a user's DN, group membership and attributes.
This service is installed by intcpt.msi or intcpt-64.msi on a Windows transparent password synchronization trigger.
You can configure the interceptor service, intcptsvc, to include or exclude certain users when they make password change requests on Windows trigger systems. The excluded requests are not sent to the Password Manager service (idpm), but are instead processed by the Windows password change facility as usual. This can be used to reduce network traffic between the trigger system and idpm.
You can configure the Password Change Notification Module filter using the configuration file, intcptsvc.cfg, located in:
<Program Files path>\Bravura SecurityPassword Filter\service\
See the intcptsvc.cfg file for basic instructions, and samples located in:
<Program Files path>\Bravura SecurityPassword Filter\samples\
Caution
Do not alter intcptsvc.cfg unless you know what you are doing.
For deployments on Windows NT environments, areas that are commented out should not be edited, due to limitations of Windows NT.
The sample intcptsvc.cfg file below shows a modified configuration file for an Active Directory environment. In this file:
- The QueryAttributes group has been edited to specify the attributes to query. Using QueryAttributes = All may slow down interceptor performance because it needs to retrieve all user attributes that have values (non-blank). This option is suitable for designing the configuration at an early stage. You can then specify individual attributes once you know what you are looking for.
- Bypass defines matching accounts that will not be sent to the Password Manager service for password strength checking and password synchronization. When used with the NotAny operation, it includes the defined accounts; that is to say, "do not skip these accounts".
- BypassNotify defines matching accounts that will not be sent to the Password Manager service for password synchronization.
- The configuration file maps to one Password Manager service only. The case below is mapped to the service at IP address 10.0.5.8, port 3334. This can be the virtual IP of a Network Load Balancer.
- One physical Active Directory DC maps to two logical Target IDs in Bravura Security Fabric: the End_Users and Admin_Users logical targets in Bravura Pass. These two targets map to different target groups with their own password policies.
The idea here is that the Active Directory accounts meet the administrator criteria when each account:
- Is, at least, a member of the specified administrator groups; specified by the Bypass operation "NotAny" "memberOf", which has the effect of including the defined accounts.
- Is not one of the specified account names: Guest and krbtgt.
- Is not a disabled account; specified by userAccountControl match "([0-1])*10".
If an administrator is a member of the Domain Administrators group, the password change will be examined by the Password Manager service, but it will not be synchronized to other associated targets. Instead, the password will be changed locally only.
See the Sample intcptsvc.cfg file for more information.
See also
Use the following utilities, shipped with the Password Change Notification Module, to help write the configuration file:
- Use the userattrs program to query account attributes in Microsoft Active Directory, to find specific attributes that may be used as search criteria when designing the intcptsvc configuration file.
- Use the verifycfg program to verify that a given account will be bypassed by password strength checking and/or synchronization, according to the per-target criteria set in the specified intcptsvc configuration file. Neither actual password strength checking nor synchronization is performed by this utility. This tool is useful for verifying that the configuration file is designed properly before putting the interceptor online.
# KVGROUP-V2.0
config "" = {
    PMServer = {
        Address = 10.0.5.8;
        Port = 3334;
        ConnectTimeOut = 10;      # default timeout 10 seconds
        # How many times to retry if connection or communication failed
        MaxRetry = 10;            # default maximum retry times is 10
        RetryDelay = 5;           # default interval between each retry
    };
    # The total timeout for doing password strength check on all targets
    StrengthCheckTimeOutSeconds = 60;
    # How many times to retry if the IDPM server returns a recoverable error
    StrengthCheckRetry = 3;
    # Queue polling time
    QueuePollTimeSeconds = 60;
    # A queued item will be discarded if it exceeds this setting
    NotificationExpireSeconds = 86400;
    # Discard this notification if it has been tried the maximum number of times
    DiscardNotificationAfterTried = 100;
    # If an exception occurred: 1 -- return strength check succeeded, 0 -- return strength check failed
    BypassStrengthOnException = 1;
    MaxSessionLifeSeconds = 60;   # default maximum lifetime for a session is 60

    # Regular expression to bypass both strength check and password change notification based on
    # sAMAccountName before retrieving account attributes.
    # Default setting is for bypassing empty user name and computer accounts
    sAMAccountNameBypassRegEx = "^\\s*$|^.*\\$+$";

    # ADsPath has the syntax: LDAP://HostName[:PortNumber][/DistinguishedName]
    # The following variables can be used for the HostName and DistinguishedName
    # %PDC% -- primary domain controller
    # %DC%  -- default domain controller
    # %DN%  -- default naming context
    ADsPath = "LDAP://%DC%/%DN%";

    # LDAP search filter for querying the account's attributes; the account name variable %USER% can be used in the filter
    # %USER% -- the account name
    # ADsSearchFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%USER%))";
    ADsSearchFilter = "(sAMAccountName=%USER%)";

    # QueryAttributes defines attributes that will be used by the PSLang BypassCheck
    # function and the Target-based bypass check for integrating with Active Directory.
    # There is one inherent attribute, '_AccountName_'; this is the only
    # attribute that can be supported on a non-Active Directory platform.
    # Following are sample attributes for an Active Directory provider.
    # Specifying "All" as QueryAttributes, instead of a list of attributes,
    # indicates to query all possible attributes for the user.
    # QueryAttributes = All;

    # Active Directory attributes sample
    QueryAttributes = {
        "distinguishedName";
        "userAccountControl";
        "memberOf";
        "objectSid";
        "pwdLastSet";
        "replPropertyMetaData";
        "whenCreated";
        "whenChanged";
        "logonHours";
        "lastLogon";
    };

    Targets = {
        End_Users = {
            # IDPM return code:
            #   0 -- Communication failure
            #   1 -- Communication timeout
            #  99 -- IDPM service internal database access failure
            # 100 -- Weak password
            # 101 -- Access denied ( ACL )
            # 102 -- User not found
            # 103 -- User has been locked out
            # 104 -- User has not been registered
            # 105 -- User has been disabled
            # 106 -- Account not specified
            # 107 -- TargetID not specified
            # 119 -- Invalid operation code
            # 120 -- Invalid request version
            # 200 -- Good password
            CheckStrengthFailIfIDPMReturn = { 100; };
            CheckStrengthOnly = 0;

            # If the target longid isn't the default sAMAccountName, define the longid as:
            # LongID = "%sAMAccountName%";
            # LongID = "DomainName\\%sAMAccountName%";
            # LongID = "%distinguishedName%";
            LongID = "LongIDMatchesPMTarget";

            # Target based bypass setting is based on 'Condition Group'; the 'Condition Group' has the definitions below:
            #
            # Defines the conditions to bypass both strength check and password change notification
            # Bypass "LogicalOperation" = {
            #     ConditionGroup1;
            #     ConditionGroup2;
            #     ...
            # };
            #
            # ConditionGroup:
            # LogicalOperation [Attribute] = {
            #     Expression1;
            #     Expression2;
            #     ConditionGroup1;
            #     ConditionGroup2;
            # };
            #
            # LogicalOperations:
            #     "Any", "All", "NotAny", "NotAll"
            #
            # ComparisonOperators:
            #     Equal, NotEqual, Like, NotLike, Match, NotMatch, Great, Less, GreatEqual, LessEqual
            # SpecialOperations: Exists, NotExists
            #
            # Expression:
            #     ComparisonOperator[:OperationModifier] = Pattern;
            #     SpecialOperation;
            #
            # 'Match' and 'NotMatch' use the TR1 Regular Expression standard and ECMAScript grammar.
            # The 'OperationModifier' is an option for the 'ComparisonOperation'; specify 'i'
            # to make the comparison case insensitive. The KVG expression treats value and
            # pattern as strings by default; use the 'OperationModifier' to specify a type or transform
            # both value and pattern before making the comparison.
            #     'i' -- case-insensitive comparison
            #     'b' -- convert decimal integer to bit string
            #     'h' -- convert decimal integer to hexadecimal string
            #     'B' -- convert hex string to bit string
            #     't' -- convert file time integer to yyyymmddhhmmss UTC time string
            #     'I' -- compare as 64-bit integers for arithmetic comparison operators
            #
            # Defines the condition to bypass password change notification
            # BypassNotify "LogicalOperation" = {
            #     ConditionGroup1;
            #     ConditionGroup2;
            #     ...
            # };
            #
            # For example, to bypass both password strength check and
            # password change notification on this target for any account name that starts
            # with root or Admin, or users in the Administrators group, or users in the Managers
            # group:
            # Bypass "Any" = {
            #     "Any" "_AccountName_" = {
            #         Like = "root*";
            #         Like = "Admin*";
            #     };
            #     "Any" "memberOf" = {
            #         Equal = "Administrators";
            #         Equal = "Managers";
            #     };
            # };

            Bypass "Any" = {    # Bypass strength check to HiPM
                "Any" "userAccountControl" = {
                    # Disabled accounts bypass the HiPM strength check.
                    # The disabled-account control number is 2 (binary -> 10).
                    # Convert the userAccountControl number from decimal to a bit
                    # string, then use a regular expression for comparison.
                    match:b = "([0-1])*10";
                };
                "Any" "logonHours" = {
                    Match:B = "([1])*";
                };
                "Any" "pwdLastSet" = {
                    match:t = "1290538([0-9])*";
                };
                "Any" "lastLogon" = {
                    Less:I = 128539593944756250;
                };
                "Any" "_AccountName_" = {
                    # Put the accounts below that are bypassing HiPM
                    Equal:i = "Guest";
                    Equal:i = "krbtgt";
                    Equal:i = "LethBridgeUser1";
                };
                "Any" "distinguishedName" = {
                    Like:i = "*OU=Calgary*";
                };
                "Any" "memberOf" = {
                    # Accounts with membership in the following groups are
                    # bypassing HiPM
                    Like:i = "CN=Administrators,CN=Builtin*";
                    Like:i = "CN=Domain Admins*";
                    Like:i = "CN=Enterprise Admins*";
                };
            };

            BypassNotify "Any" = {    # Bypass password synchronization to HiPM
                "Any" "_AccountName_" = {
                    Equal = "LethbridgeUser2";
                };
            };    # End of BypassNotify
        };    # End of 'End_Users' Target

        Admin_Users = {
            CheckStrengthFailIfIDPMReturn = { 100; };
            CheckStrengthOnly = 0;
            # If the target longid isn't the default sAMAccountName, define the longid as:
            # LongID = "%sAMAccountName%";
            # LongID = "DomainName\\%sAMAccountName%";
            # LongID = "%distinguishedName%";
            LongID = "LongIDMatchesPMTarget";

            Bypass "Any" = {    # Bypassing strength check to HiPM
                "Any" "userAccountControl" = {
                    # Disabled accounts bypass the HiPM strength check
                    match:b = "([0-1])*10";
                };
                "Any" "_AccountName_" = {
                    # Put the accounts below that are BYPASSING HiPM
                    Equal:i = "Guest";
                    Equal:i = "krbtgt";
                };
                "NotAny" "memberOf" = {
                    # Accounts with membership in the following groups are
                    # SENDING to HiPM
                    Like = "CN=Administrators,CN=Builtin*";
                    Like = "CN=Domain Admins*";
                    Like = "CN=Enterprise Admins*";
                };
            };

            BypassNotify "Any" = {    # Bypassing password synchronization to HiPM
                "Any" "memberOf" = {
                    Like = "CN=Domain Admins*";
                };
            };    # End of BypassNotify
        };    # End of 'Admin_Users' Target
    };
};
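The condition-group semantics spelled out in the comments above (the four logical operations, the comparison operators, and the b/h/B/t/I/i modifiers) decide which password changes reach the Password Manager service, so it is worth being able to work through them for a given account before the interceptor goes live, which is what the verifycfg utility does. The following is an added example written for this page, not the vendor's verifycfg or any Bravura Security code: a small evaluator for Bypass and BypassNotify groups in Python, with the Admin_Users rules from the sample above written as Python tuples rather than parsed from the KVGROUP text. The accounts are constructed, and three behaviours are assumptions rather than documented facts: Match and Like compare the whole attribute value, '*' is the only Like wildcard, and a multi-valued attribute such as memberOf satisfies an expression when any of its values does.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_str(filetime):
    """'t' modifier: Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> yyyymmddhhmmss."""
    return (FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)).strftime("%Y%m%d%H%M%S")


def _transform(value, mod):
    """Value-transforming modifiers; 'i' and 'I' are applied by the comparison itself."""
    if mod == "b":   # decimal integer -> bit string (userAccountControl 514 -> "1000000010")
        return format(int(value), "b")
    if mod == "h":   # decimal integer -> hexadecimal string
        return format(int(value), "x")
    if mod == "B":   # hex string -> bit string, four bits per hex digit (logonHours)
        return format(int(value, 16), "0{}b".format(4 * len(value)))
    if mod == "t":   # FILETIME -> UTC timestamp string (pwdLastSet, lastLogon)
        return filetime_to_str(value)
    return str(value)


def _like_to_regex(pattern):
    # Assumed: '*' is the only wildcard in Like patterns, as used in the sample file.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def evaluate_expression(op_spec, pattern, value):
    """One 'Operator[:modifier] = Pattern' expression against a single attribute value."""
    op, _, mod = op_spec.partition(":")
    op = op.lower()
    if op in ("exists", "notexists"):
        return (value is not None) == (op == "exists")
    if value is None:
        return False
    if mod == "I":   # arithmetic comparison as 64-bit integers
        lhs, rhs = int(value), int(pattern)
    else:
        lhs, rhs = _transform(value, mod), str(pattern)
    flags = re.IGNORECASE if mod == "i" else 0
    if op in ("equal", "notequal"):
        hit = lhs.lower() == rhs.lower() if mod == "i" else lhs == rhs
    elif op in ("like", "notlike"):
        hit = re.fullmatch(_like_to_regex(rhs), lhs, flags) is not None
    elif op in ("match", "notmatch"):   # assumed: whole-value regex match
        hit = re.fullmatch(rhs, lhs, flags) is not None
    else:
        hit = {"great": lhs > rhs, "less": lhs < rhs,
               "greatequal": lhs >= rhs, "lessequal": lhs <= rhs}[op]
    return not hit if op.startswith("not") else hit


LOGICAL = {"any": any, "all": all,
           "notany": lambda r: not any(r), "notall": lambda r: not all(r)}


def evaluate_group(group, account):
    """group = (LogicalOperation, attribute or None, [expression or nested group, ...])."""
    logical, attribute, items = group
    results = []
    for item in items:
        if len(item) == 3:   # nested condition group
            results.append(evaluate_group(item, account))
        else:
            op_spec, pattern = item
            values = account.get(attribute)
            values = values if isinstance(values, list) else [values]
            # Assumed: a multi-valued attribute satisfies the expression when any value does.
            results.append(any(evaluate_expression(op_spec, pattern, v) for v in values))
    return LOGICAL[logical.lower()](results)


# The Admin_Users target from the sample file: bypass disabled accounts and Guest/krbtgt,
# and bypass every account that is NOT in one of the administrator groups.
ADMIN_USERS_BYPASS = ("Any", None, [
    ("Any", "userAccountControl", [("match:b", "([0-1])*10")]),
    ("Any", "_AccountName_", [("Equal:i", "Guest"), ("Equal:i", "krbtgt")]),
    ("NotAny", "memberOf", [("Like", "CN=Administrators,CN=Builtin*"),
                            ("Like", "CN=Domain Admins*"),
                            ("Like", "CN=Enterprise Admins*")]),
])
ADMIN_USERS_BYPASS_NOTIFY = ("Any", None, [("Any", "memberOf", [("Like", "CN=Domain Admins*")])])

# Constructed sample accounts; not real directory data.
ACCOUNTS = {
    "jsmith":  {"_AccountName_": "jsmith", "userAccountControl": "512",
                "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=test"]},
    "dadmin":  {"_AccountName_": "dadmin", "userAccountControl": "512",
                "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=test"]},
    "oldacct": {"_AccountName_": "oldacct", "userAccountControl": "514", "memberOf": []},
}


def decide(account, bypass, bypass_notify):
    """Return (sent_for_strength_check, sent_for_synchronization) for one account."""
    if evaluate_group(bypass, account):
        return (False, False)   # Bypass skips both strength check and notification
    return (True, not evaluate_group(bypass_notify, account))


def admin_target_decisions():
    return {name: decide(acct, ADMIN_USERS_BYPASS, ADMIN_USERS_BYPASS_NOTIFY)
            for name, acct in ACCOUNTS.items()}
```

Running `admin_target_decisions()` reproduces the behaviour the text describes for the Admin_Users target: the ordinary user jsmith and the disabled oldacct are bypassed entirely, while the Domain Admins member dadmin is sent for strength checking but not for synchronization. Because the real interceptor evaluates the `b`, `B` and `t` transforms before comparing, a wrong modifier (for example `match` instead of `match:b` on userAccountControl) silently matches nothing, so check each condition group against a known disabled, a known administrator and a known ordinary account in this way before relying on it.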