The Password Interceptor intercepts passwords on the AD domain controller and passes them to IIQ, enabling password synchronisation with other systems such as OUD or another directory system.
Installation is done differently on primary and secondary DCs. The primary domain controller is always the first domain controller on which the Password Interceptor is installed manually. Secondary domain controllers are the remaining domain controllers, where in addition to the installation the configuration and keys are replicated.
Please go to the Compass link below for more details.
Uninstallation of Password Interceptor Client can be performed using one of the following methods:
3. Using the Programs and Features Console:
3. Restart the Server
Verification of Uninstallation
Note: the PowerShell script performs all prerequisite checks.
(default location: C:\Program Files)
Add the configuration details below (mandatory parameters):
Optional parameters:
The Confirm Installation page is displayed.
These access tokens are the encrypted form of "user:password". SCP keywords have a length restriction, so the value is split across multiple tokens. The credential is first encrypted with a 256-bit symmetric key using aes-256-cbc; that symmetric key is then encrypted with the RSA key. The two resulting ciphertexts are stored in these tokens in the SCP object.
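The following PowerShell script is an added example, not SailPoint's code, that demonstrates the hybrid scheme just described: the credential is encrypted under a fresh AES-256-CBC key, that key is wrapped with an RSA public key, and both ciphertexts are split into fixed-length tokens and later reassembled. The token length (64), the use of OAEP padding, prepending the IV to the ciphertext and the in-memory RSA key (standing in for the ADKeys.xml key container) are assumptions of this example; the page does not state them. It requires Windows PowerShell 5.1 on .NET 4.6 or later, or PowerShell 7.

```powershell
# Added example (not the product's code): AES-256-CBC credential encryption with
# the AES key wrapped by RSA, both ciphertexts split into fixed-length tokens.
$MaxTokenLength = 64   # assumed per-token limit; the real SCP keyword limit is not on the page

function Split-Token {
    # Cut a base64 string into chunks of at most $Size characters.
    param([Parameter(Mandatory)][string]$Text, [int]$Size = $MaxTokenLength)
    $tokens = @()
    for ($i = 0; $i -lt $Text.Length; $i += $Size) {
        $len = [Math]::Min($Size, $Text.Length - $i)
        $tokens += $Text.Substring($i, $len)
    }
    return ,$tokens
}

function Protect-Credential {
    param(
        [Parameter(Mandatory)][string]$Credential,                             # "user:password"
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$Rsa          # public key is enough here
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()
    $iv = $aes.IV

    # Step 1: encrypt the credential with the random 256-bit symmetric key.
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Credential)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Step 2: wrap the symmetric key with the RSA key (OAEP-SHA256 padding assumed).
    $wrappedKey = $Rsa.Encrypt($aes.Key, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes.Dispose()

    # Step 3: split both base64 ciphertexts into tokens that fit the length limit.
    return @{
        DataTokens = Split-Token ([Convert]::ToBase64String([byte[]]($iv + $cipher)))
        KeyTokens  = Split-Token ([Convert]::ToBase64String($wrappedKey))
    }
}

function Unprotect-Credential {
    param(
        [Parameter(Mandatory)][string[]]$DataTokens,
        [Parameter(Mandatory)][string[]]$KeyTokens,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$Rsa          # must hold the private key
    )
    # Reassemble the tokens, unwrap the AES key, then decrypt the credential.
    $wrappedKey = [Convert]::FromBase64String(($KeyTokens -join ''))
    $blob       = [Convert]::FromBase64String(($DataTokens -join ''))
    $key = $Rsa.Decrypt($wrappedKey, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $key
    $aes.IV  = [byte[]]$blob[0..15]                    # IV was prepended by Protect-Credential
    $cipher  = [byte[]]$blob[16..($blob.Length - 1)]
    $plain   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Usage with a constructed credential and a throwaway 2048-bit RSA key.
$rsa    = [System.Security.Cryptography.RSA]::Create(2048)
$tokens = Protect-Credential -Credential 'svc-pwi:Example-Pass-123' -Rsa $rsa
"Data tokens: $($tokens.DataTokens.Count), key tokens: $($tokens.KeyTokens.Count)"
Unprotect-Credential -DataTokens $tokens.DataTokens -KeyTokens $tokens.KeyTokens -Rsa $rsa
```

The key tokens for a 2048-bit RSA key come out as 344 base64 characters, so with a 64-character limit they alone need six tokens; this is why the page's design stores the credential across several SCP keywords rather than one.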
The above describes manual installation; for automated installation, follow the steps below.
The servers on which the installation is to be done must be up and running.
The implementer account (used in the BSA tool) that installs PWI must have the required rights: AD directory access, Registry Editor access and Windows Service access.
A BSA job should be created with the steps below.
Step 1: Prerequisite check using a PowerShell script (a script to check the prerequisites must be written).
Step 2: Installation of PWI using a VB script/package (the script must be created).
Step 3: Reboot the server.
Step 4: Copy ADKeys.xml from the primary server.
Step 5: Run a script to import the key file, restarting the services.
Packages should be created per domain and placed on the server. Each domain has different OU's (example: DC=zone1, DC=zone2, DC=zone3).
DC=SailPoint should be used for Prod and DC=SailPointDev for Dev.
Note: If a Machine Keys file or registry entry is already present, it must be removed through the PowerShell script (step 3.a).
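The following is an added example, not the page's own script, of what the "step 1" prerequisite check in the BSA job could look like when run on a domain controller. It checks the points the page names (a domain controller, an elevated account with registry and service rights, .NET 4.5 or later for TLS 1.2, the FIPS policy key and MachineKeys folder listed on this page, and no leftover installation in the example install folder). The .NET 4.5 Release value 378389 is Microsoft's documented minimum; the install folder default is taken from the page's own example path.

```powershell
# Added example (not SailPoint's script): prerequisite checks before installing the
# Password Interceptor client. Returns one row per check; exit code = number of failures.
function Test-PwiPrerequisites {
    param(
        # Page's example default folder; a previous install here must be cleaned up first.
        [string]$InstallPath = 'C:\Program Files\SailPoint\ADPwdClient'
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check($Name, $Passed, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail })
    }

    # 1. Must be a domain controller: DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    Add-Check 'Domain controller' ($role -in 4, 5) "DomainRole=$role"

    # 2. Elevated account (needed for registry, Windows service and key-container changes).
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Check 'Running elevated' $isAdmin $identity.Name

    # 3. .NET 4.5 or later, so the client talks TLS 1.2 to IdentityIQ by default.
    $ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
    Add-Check '.NET 4.5+' ($release -ge 378389) "Release=$release"

    # 4. FIPS algorithm policy (registry path listed on the page); Enabled=1 restricts
    #    crypto to FIPS-validated algorithms, so record it for the installer's benefit.
    $fipsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $fips     = Get-ItemProperty -Path $fipsPath -Name Enabled -ErrorAction SilentlyContinue
    Add-Check 'FIPS policy readable' ($null -ne $fips) "Enabled=$($fips.Enabled)"

    # 5. Machine key store (page's path) must exist; the RSA key container lives there.
    $machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
    Add-Check 'MachineKeys accessible' (Test-Path $machineKeys) $machineKeys

    # 6. No leftover installation: the page says old keys/registry must be removed first.
    Add-Check 'No previous install' (-not (Test-Path $InstallPath)) $InstallPath

    return $results
}

$checks = Test-PwiPrerequisites
$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Passed }).Count
exit $failed
```

Because the exit code is the number of failed checks, the BSA job can stop before step 2 whenever it is non-zero, which is the behaviour the note on the PowerShell prerequisite script describes.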
Log in to the BSA tool, navigate to the path where the installation script for <domain> is located ([/BladeLogic/Jobs/Software_Repository/SailPoint/<domain>/<domain script>]) and click Execute Against.
Sample:
The "WebServicesExecutor" capability is the only privilege an account needs in order to invoke the PWI REST service on the IIQ/Onecert side.
Password Interceptor for Microsoft Active Directory now communicates with the IdentityIQ server using version 1.2 of the TLS protocol, which is the default in .NET 4.5 and above.
Q: When is the file created, and how?
ADKeys.xml is an RSA key container, created when the PwdClient.exe -exportKeys command is run.
Q: What are the implications of using site specific encryption?
Default: Password Interceptor Client Home folder
For example, -f "C:\Program Files\SailPoint\ADPwdClient"
AD to IdentityIQ --> the Password Interceptor client for AD picks up the new password and sends it to IdentityIQ, and IdentityIQ starts a workflow to distribute it to other systems.
The password is intercepted immediately. If there are network issues or IdentityIQ is unreachable, the intercepted password is kept by the PWI client, which retries delivery to IdentityIQ a number of times. It stays in the queue for 24 hours (by default; this can be edited).
The following points describe the sequence of events triggered when an Active Directory user changes password:
NOTE:
Password Interceptor must be installed on every domain controller (that is where the LSA service runs and detects password change requests for Active Directory).
Password Interceptor monitors the LSA service to intercept the password.
The DC is the only place where the password can be captured in clear text.
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
PwiClient.exe -user "<username>" -password "<password>"