
Verifying SailPointPwdInt.dll is loaded


Here's a way to verify (for certain) that the Active Directory (AD) password interceptor DLL (SAILPOINTPWDINT.dll) is "registered" properly and is "seen" by the AD service on a domain controller. This could be helpful with troubleshooting password interceptor issues, verifying an upgrade was successful, etc.

 

The "lsass.exe" process handles AD authentication (again in the context of a Windows server operating as a domain controller).

When you install the password interceptor for AD, part of the install places the SAILPOINTPWDINT.dll in the %systemRoot%\System32 directory.

Another part creates a registry entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. The REG_MULTI_SZ value called Notification Packages is of particular note here - SAILPOINTPWDINT is added to this list during install to tell Windows to load the new DLL for password notification.

 

After the installer completes these tasks, you are required to restart the domain controller so the new DLL can be loaded to work with the Windows authentication mechanisms (otherwise no passwords will be caught for processing).

By evaluating what DLLs are associated with the lsass.exe process, you can see if the SAILPOINTPWDINT.dll is indeed loaded.

 

Process Explorer is a tool that provides an easy way to verify this (which may be handy in troubleshooting cases).

Here's a link to download the tool - Process Explorer

 

Another nice thing about this tool - you can just drop it on the server and run it as administrator to do the checking - and you don't need to install anything.

This makes it clean and portable to use.

 

I'll skip a formal intro to Process Explorer here and go right to finding out if our DLL is loaded:

  • Run Process Explorer as administrator
  • Find "lsass.exe" in the process list and left-click it to select it
  • Use the top menu to select these options
    • Verify the lower pane will show DLLs via View > Lower Pane View > DLLs
    • Show the lower pane via View > Show Lower Pane
  • You will now see a pane with a list of DLLs - scroll through it to find SAILPOINTPWDINT.dll
    • If you don't find it in that list, it means it is not loaded by lsass.exe (which means when lsass.exe gets a password, it's most likely unable to send it to the password interceptor service)
  • Note you can also right-click the SAILPOINTPWDINT.dll entry in the bottom pane and select Properties in the context menu - this will show the DLL version loaded and running.

 

I've got a screenshot below of a sandbox system with the DLL loaded properly:

2015-10-02_173900_001.png

 

Properties of the highlighted entry:

2015-10-02_173930_001.png
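
The same three checks (registry entry, file in System32, module loaded in lsass.exe) can be scripted for periodic monitoring. This is an added example, not SailPoint's code and not the script mentioned in the comments; the function name `Test-PasswordFilterLoaded` and its output property names are hypothetical. It assumes an elevated PowerShell session on the domain controller, and reports `LoadedInLsass` as empty (unknown) when the module list of lsass.exe cannot be read, for example when LSA protection is enabled.

```powershell
# Added example: scripted version of the manual Process Explorer check.
function Test-PasswordFilterLoaded {
    param(
        # Name as it appears in "Notification Packages" (no .dll extension)
        [string]$PackageName = 'SAILPOINTPWDINT'
    )

    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dllPath = Join-Path $env:SystemRoot "System32\$PackageName.dll"

    # 1. Is the package listed in the REG_MULTI_SZ value "Notification Packages"?
    $value      = Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop
    $packages   = @($value.'Notification Packages')
    $registered = $packages -contains $PackageName   # -contains is case-insensitive

    # 2. Is the DLL present in %systemRoot%\System32?
    $onDisk = Test-Path -LiteralPath $dllPath -PathType Leaf

    # 3. Is the DLL actually mapped into lsass.exe?
    #    $null means "could not tell", which is different from "not loaded".
    $loaded = $null
    $loadedVersion = $null
    try {
        $modules = (Get-Process -Name lsass -ErrorAction Stop).Modules
        if ($modules) {
            $hit = $modules |
                Where-Object { $_.ModuleName -ieq "$PackageName.dll" } |
                Select-Object -First 1
            $loaded = [bool]$hit
            if ($hit) { $loadedVersion = $hit.FileVersionInfo.FileVersion }
        }
    } catch {
        Write-Warning "Could not enumerate lsass.exe modules: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Registered             = $registered
        OnDisk                 = $onDisk
        LoadedInLsass          = $loaded
        LoadedVersion          = $loadedVersion
        # Installed but not picked up by lsass.exe, e.g. the restart has not happened yet
        RegisteredButNotLoaded = ($registered -and $onDisk -and $loaded -eq $false)
    }
}

Test-PasswordFilterLoaded
```

A result with `Registered` and `OnDisk` true but `LoadedInLsass` false matches the state described above where the install has run but lsass.exe has not loaded the DLL.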

Comments

The download link seems to have changed. Try this now:

Process Explorer

updated the doc - thanks!

Very helpful indeed! Many thanks!

We ran into this as well with one of our domain controllers early in the deployment of IdentityIQ.  I ended up writing a PowerShell script we could run to get this information.  The idea was that we would run it on our DCs periodically and monitor the results.  If one of them started reporting false, we'd know there was an issue and rectify it...

Hi,
I tried to install the PWI service on my AD server and I had this issue.

SAILPOINTPWDINT.dll is not in the list of DLLs of lsass.exe.

It looks like my PWI service is not doing its job because of that issue.

How can I solve it?

Thanks.

Besides walking through the install guide and double-checking configuration, my suggestion would be to open a support case if you are having trouble. There may be a known fix for your specific issue; I'm just not able to troubleshoot issues as a comment on this document. Another option would be to post to the IdentityIQ forums here on Compass.

Version history: revision 2 of 2, last update Aug 01, 2023 08:08 PM