Hitachi ID Systems, Inc.

Windows and Active Directory Integration

Hitachi ID Password Manager (formerly P-Synch), a component of the Hitachi ID Management Suite, supports more than just passwords: it is a platform for managing authentication factors and encryption keys. Password Manager is used by many organizations to reduce the volume of IT support calls relating to passwords and PINs, to improve user productivity by eliminating login problems, and to strengthen the security of passwords and of user support processes. Password Manager includes built-in connectors to manage passwords on over 113 kinds of systems and applications.

Windows and Active Directory Integration

Password Manager uses the NTLM client built into the Windows server OS to manage passwords on individual Windows servers and on Active Directory domains.

Integration with Active Directory domains is also supported using LDAPS to one or more domain controllers. Please note that use of LDAPS requires that an SSL certificate be installed on each target DC.

Password Manager can integrate with multiple domains in multiple forests at the same time. Trust relationships are not required to do this.

The Password Manager Active Directory connector is able to dynamically identify the most suitable domain controller(s) on which to make password updates, in order to expedite clearing of intruder lockouts where required. For example, a password update and concurrent unlock of a user can be directed to DCs selected specifically for that user -- at the user's home site, near the user's mail server, near the user's current browser IP, etc.

No agent software is installed locally on Windows servers and DCs to set passwords, clear lockouts or make other updates on Windows and AD.

Triggering Password Synchronization

Native password changes made on Windows servers and domain controllers can trigger transparent password synchronization.

Updating Cached Credentials

After a password change with a web-based password management system, the cached credentials on a user's workstation may become unsynchronized with the user's new domain password:

If a user signs off and back on after a web-based password change, the Windows cache is refreshed and the intruder lockout problem described above is averted. This approach is not user-friendly, however.

To eliminate this problem, Password Manager includes an ActiveX component that can silently update the user's Windows password cache after a web-based password change.

The cache-updating ActiveX component works on Windows 2000 and XP workstations.