Here's a way to verify (for certain) that the Active Directory (AD) password interceptor DLL (SAILPOINTPWDINT.dll) is "registered" properly and is "seen" by the AD service on a domain controller. This could be helpful with troubleshooting password interceptor issues, verifying an upgrade was successful, etc.
A process called "lsass.exe" is related to AD authentication mechanisms (again in the context of a Windows server operating as a domain controller).
When you install the password interceptor for AD, part of the install places the SAILPOINTPWDINT.dll in the %systemRoot%\System32 directory.
Another part creates a registry entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. The REG_MULTI_SZ value called Notification Packages is of particular note here - SAILPOINTPWDINT is added to this list during install to tell Windows to load the new DLL for password notification.
After install does these tasks, you are required to restart the domain controller after installation so the new DLL can be loaded to work with the windows authentication mechanisms (otherwise no passwords will be caught for processing).
By evaluating what DLLs are associated with the lsass.exe process, you can see if the SAILPOINTPWDINT.dll is indeed loaded.
Process Explorer is a tool that provides and easy way to verify this (which may be handy in troubleshooting cases).
Here's a link to download the tool - Process Explorer
Another nice thing about this tool - you can just drop it on the server and run it as administrator to do the checking - and you don't need to install anything.
This makes it clean and portable to use.
I'll skip a formal intro to process explorer here and go right to finding if out if our DLL is loaded:
- Run process explorer as administrator
- Find "lsass.exe" in the process list and left click it to select it
- Use the top menu to select these options
- Verify the lower pane will show DLLs via DLLs via View > Lower Pane View > DLLs
- Show the lower pane via View > Show Lower Pane
- You will now see a pane with a list of DLLs - scroll through it to find SAILPOINTPWDINT.dll
- If you don't find it in that list, it means it is not loaded by lsass.exe (which means when lsass.exe gets a password, it's most likely unable to send it to the password interceptor service)
- Note you can also right-click the SAILPOINTPWDINT.dll entry in the bottom pane and select Properties in the context menu - this will show the DLL version loaded and running.
I've got a screenshot below of a sandbox system with the DLL loaded properly:
Properties of the highlighted entry:
