
AD Password Hook & Installation of SAP IC

Former Member
0 Kudos

Hi,

the AD password hook, which is intercepting the password change on an Active Directory Domain Controller, is calling a SAP IC executable to run a job that is stored in a .dse file in the file system. This means that SAP IC needs to be installed on the domain controller. As most customers have multiple domain controllers, the AD password hook and the SAP IC need to be installed on all domain controllers.

Is there a way to avoid installing the SAP IC software on the domain controller? Customers are typically pretty restrictive about software that needs to be installed on the DC.

Best regards,

Holger

Accepted Solutions (0)

Answers (2)


tim_alsop
Active Contributor
0 Kudos

You could use Active Directory authentication to logon to your systems in your SAP landscape, and then you would not need to use the hook to synchronise passwords. This is the more secure and preferred approach.

Thanks,

Tim

Former Member
0 Kudos

Holger,

Unfortunately this is the way all password hooks work. The Hook DLL must be installed on all Domain Controllers to catch all password change requests. The only possible workaround would be to do password resets only through self service or delegated workflows in IC.

Matt

Former Member
0 Kudos

Hi Matt,

I have no problem with the password hook being installed on the AD system - this is indeed the way all the password hooks work. But other password hooks typically use encrypted communication to send the password to the Provisioning System and do not require the Provisioning System to be installed on every Domain Controller.

Or is there a way to send the changed password directly to a remote IC and avoid installing the IC on every domain controller?

Best regards

Holger

Former Member
0 Kudos

Hi Holger,

Hmmm. The way I've always understood password hooks is that there's no way to direct password changes to particular domain controller(s), so the hook needs to be installed on all of them. If there's a way in AD to force password change requests to particular domain controllers, then you could install the hook on only those DCs.

I believe that the password string coming from AD must come in clear, but once it's received by the Password Hook Job (which is not an IC Job, but a DSE or Maintenance node job), from this point the password can be encrypted as it is pushed to the various destinations.

The password can be encrypted from the hook DLL to the target repositories as indicated in the Password Hook Documentation:

Encrypt password

Select this check box to specify that the password should be encrypted when submitted to the notification and filter applications. This assumes that these applications are MaXware applications which are able to decrypt the password. If not checked, the password will be passed unencrypted.

This is important for two reasons. The password is submitted to the filter and notification programs as parameters on the command line. Thus, the password should be encrypted.

Encrypting the password also ensures that a user is not able to execute code disguised as a carefully crafted password. The filter and notification programs are executed with administrator privileges, and such code will be executed with administrator privileges.


Matt
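An added example, not code from SAP, MaXware or any of the posters above, to make concrete the two points in the Password Hook documentation Matt quotes: a cleartext password handed to the notification/filter program as a command-line parameter is visible to anything that can read process arguments, and a password containing command separators turns into extra commands that run with the hook's administrator privileges. The vulnerable builder below splices the password into a shell string; shlex (POSIX splitting; cmd.exe quotes differently but also treats `&` as a separator) shows the extra words the interpreter would see. The safe path passes an argv list with no shell and makes the password argument an opaque encrypted-and-base64 token, so it can only ever contain base64 characters. The encrypt-then-MAC routine is a deliberately small HMAC-based toy standing in for a real AEAD such as AES-GCM; the program name notify.exe, the user name, the key and the crafted password are all constructed for the example.

```python
"""Added example: cleartext password on a command line vs. an opaque token.
Illustrative only; not SAP/MaXware code.  notify.exe, user and key are made up."""
import base64
import hashlib
import hmac
import os
import re
import shlex
from typing import List, Tuple

# Constructed sample "password": closes the quoted argument, then appends
# commands.  '&' is a command separator for both cmd.exe and POSIX shells.
CRAFTED_PASSWORD = 'Summer24" & net user evil Pa55w0rd /add & "'

# Base64 output uses only these characters, none of which a shell interprets.
OPAQUE_ARG = re.compile(r'^[A-Za-z0-9+/=]+$')


def vulnerable_command_line(notify_exe: str, user: str, password: str) -> str:
    """Hook-style string splice of the cleartext password (what NOT to do)."""
    return f'{notify_exe} /user {user} /pass "{password}"'


def words_seen_by_shell(cmdline: str) -> List[str]:
    """Approximate shell word splitting (POSIX rules via shlex) to show what
    the interpreter sees.  cmd.exe quotes differently but also honours '&'."""
    return shlex.split(cmdline)


def has_injected_separator(cmdline: str) -> bool:
    """True when the password turned into a free-standing '&' word."""
    return '&' in words_seen_by_shell(cmdline)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate keys for the keystream and the MAC, derived from one secret.
    enc = hmac.new(key, b'enc', hashlib.sha256).digest()
    mac = hmac.new(key, b'mac', hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; toy stream cipher for the demonstration.
    out = b''
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, 'big'),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_password(key: bytes, password: str, nonce: bytes = b'') -> str:
    """Toy encrypt-then-MAC (keystream XOR, HMAC tag), base64 encoded.
    A real hook should use an AEAD such as AES-GCM; the shape is the same."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(16)
    if len(nonce) != 16:
        raise ValueError('nonce must be 16 bytes')
    pt = password.encode('utf-8')
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode('ascii')


def open_password(key: bytes, token: str) -> str:
    """Receiver side: verify the tag before decrypting; reject anything else."""
    enc_key, mac_key = _subkeys(key)
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 16 + 32:
        raise ValueError('token too short')
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError('tampered token or wrong key')
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode('utf-8')


def safe_argv(notify_exe: str, user: str, key: bytes, password: str) -> List[str]:
    """Build an argv list (no shell involved) whose password argument is an
    opaque token, so a crafted password cannot add words or separators."""
    token = seal_password(key, password)
    if not OPAQUE_ARG.match(token):
        raise ValueError('token contains characters unsafe for a command line')
    return [notify_exe, '/user', user, '/pass', token]


if __name__ == '__main__':
    cmd = vulnerable_command_line('notify.exe', 'alice', CRAFTED_PASSWORD)
    print('shell sees:', words_seen_by_shell(cmd))
    key = os.urandom(32)  # in practice a secret shared with the receiving application
    argv = safe_argv('notify.exe', 'alice', key, CRAFTED_PASSWORD)
    print('argv:', argv)
    print('recovered:', open_password(key, argv[4]))
```

Two caveats the thread does not spell out: the token is still visible in the process argument list, so encryption protects confidentiality there but a shared key on every DC is itself a secret to manage; and `safe_argv` only helps if the hook actually launches the program with an argv list (CreateProcess with a properly quoted command line, or an exec-style call) rather than through a shell.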