
Password Hook Configuration in IdM


Dear Experts,

Currently I'm working on an IDM password hook implementation. I'm very new to this and need your expert advice on how to implement this scenario. The customer already has a CUA in the landscape and they would also continue using it. They want IDM only to synchronize the ABAP password with that of Windows AD using the password hook functionality of IDM.

I've installed the IDM runtime engine, MC and the dispatcher on a separate machine. Now I have to install the password hook on AD and then create provisioning jobs from IC to synchronize the password to the connected ABAP systems.

I have some specific questions on this:

1 - The initial load from the CUA works fine, but do I also need to read the passwords from CUA?

2 - How will the AD know where the IDM is located? Do I need to install runtime components on AD also?

3 - The password hook configuration will be done on the AD.

4 - Once this is complete, how do I create a job that picks up this changed password and updates the Identity Store?

Any help on this would be highly appreciated.

Regards,

Amlan

Edited by: Amlan Dutta on Jan 21, 2011 9:15 AM

Accepted Solutions (0)

Answers (1)


Former Member

Hi Amlan,

I've created a how-to guide on my own, extending the existing guide, or making it clearer. But my experiences are from the PasswordHook of IDM 7.0. In my opinion this tool hasn't changed much.

I hope it will be helpful to you.

1. You have to Install the PasswordHook and the DSERT (Data Synchronisation Engine RunTime) on one of your DCs.

2. You have to check each configuration step within the registry. For this please use the following registry key (maybe it differs from your setting):

My Computer\HKEY_LOCAL_MACHINE\System\controlset001\control\lsa\MxPwdHook

3. Within the argument line, please encapsulate the argument %1 with "" to make sure that, in case of <Space> characters within the login name, the right string is used for the argument %2.

4. For every field not containing any content, please ensure by using the registry that this field is really empty. During my tests I found out that some fields contain <Space> characters that can't be deleted by the configuration program.

If you have any further questions, don't hesitate.

Kind regards,

Achim

former_member2987
Active Contributor

1. You have to Install the PasswordHook and the DSERT (Data Synchronisation Engine RunTime) on one of your DCs.

I believe best practice is to install the Hook/DSERT.EXE on all DCs for best response.

M

Former Member

Hi,

I think you HAVE to install the password hook on all DCs. The password hook is intercepting the password before it is being encrypted and is sending it to the IDM system. A Windows workstation sends the new password to any domain controller. This means that you will not get all passwords if the password hook is not installed on all domain controllers.

Best regards

Holger
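Added example, not from the thread or from SAP: a PowerShell audit that applies Achim's registry checks (steps 2 to 4 above) and Holger's point that every domain controller must carry the hook. It assumes the key lives under CurrentControlSet (the thread quotes controlset001, which is normally the same control set) and that the argument line is a REG_SZ value containing the %1 and %2 placeholders. The thread does not name the individual values under MxPwdHook, so the script inspects every value under the key rather than specific names. The Remote Registry service must be reachable on each DC, and the ActiveDirectory module supplies Get-ADDomainController.

```powershell
# Audit the MxPwdHook configuration on every domain controller.
# Added example (not the thread's or SAP's own code). Assumptions:
#  - key path SYSTEM\CurrentControlSet\Control\Lsa\MxPwdHook (thread quotes controlset001)
#  - the argument line is a string value that contains %1 (login name) and %2 (password)
#  - value names are unknown, so every value under the key is checked
param(
    [string]$KeyPath = 'SYSTEM\CurrentControlSet\Control\Lsa\MxPwdHook'
)

function Test-MxPwdHookKey {
    param([string]$ComputerName, [string]$SubKey)

    $findings = [System.Collections.Generic.List[string]]::new()
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey($SubKey)
    } catch {
        $findings.Add("cannot open remote registry: $($_.Exception.Message)")
        return $findings
    }
    if (-not $key) {
        # Holger's point: a DC without the hook silently drops every password change it receives
        $findings.Add('key missing: hook not installed/configured on this DC')
        $hklm.Close()
        return $findings
    }
    foreach ($name in $key.GetValueNames()) {
        # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ values as stored
        $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($value -is [string]) {
            # Step 4: a field that should be empty must not contain stray spaces
            if ($value.Length -gt 0 -and $value.Trim().Length -eq 0) {
                $findings.Add("value '$name' is whitespace-only ($($value.Length) chars)")
            }
            # Step 3: %1 must be wrapped in quotes so a login name with a space stays one argument
            if ($value -match '%1' -and $value -notmatch '"%1"') {
                $findings.Add("value '$name' passes %1 unquoted: $value")
            }
        }
    }
    $key.Close()
    $hklm.Close()
    return $findings
}

# Check every DC in the domain, since a workstation may send its change to any of them
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $result = Test-MxPwdHookKey -ComputerName $dc -SubKey $KeyPath
    if ($result.Count -eq 0) { "$dc : OK" }
    else { $result | ForEach-Object { "$dc : $_" } }
}
```

Run it from a domain-joined admin host after installing the hook; any DC reported as "key missing" is one that will lose password changes, and any "unquoted %1" line reproduces the argument-shift problem Achim describes.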


Hi Guys,

Thank you all for your answers. Now I understand that I'll have to install DSE Runtime and password hook in our DC.

However, what I still want to know is:

- Once the password hook is configured in the DC, I need to create a job in my IC which picks up the password and writes it to a flat file.

- How do I encrypt the password before writing it to the flat file?

- Once the password is written in the encrypted form in the flat file, I need to create a job to update my MX_PERSON with this encrypted password.

- Provisioning job to update this changed password to the ABAP system: how do I identify which systems the user has access to?

Regards,

Amlan

Former Member

Hi Amlan

> Once the password hook is configured in the DC, I need to create a job in my IC which picks up the password and writes it to a flat file.

Why do you want to write the password into a file? The default way is to install the IDM runtime on all DCs and use the password as an input parameter. The better option would be to use the password hook to call a program that would send the password via VDS to the IDM (but you have to code that yourself).

> Once the password is written in the encrypted form in the flat file, I need to create a job to update my MX_PERSON with this encrypted password.

> Provisioning job to update this changed password to the ABAP system: how do I identify which systems the user has access to?

If you use the ABAP provisioning framework, the attribute ACCOUNT<repository> should be set if the user has an account on that system.

Best regards

Holger