Windows and Active Directory Integration
P-Synch®, a component of Hitachi ID Management Suite®, is enterprise password management software. It reduces the frequency of help desk calls, improves user productivity and strengthens security with password synchronization, self-service password reset, help desk password reset and simplified administration of other authentication factors, such as hardware tokens and biometric samples. P-Synch includes connectors to manage passwords on over 70 types of systems.
Windows and Active Directory Integration
P-Synch uses the NTLM client built into the Windows server OS to manage passwords on Windows NT servers and domains.
P-Synch uses either the NTLM client or the LDAPS client (through ADSI) built into the Windows server OS to manage passwords on Windows / Active Directory domains. Please note that use of LDAPS requires that an SSL certificate be installed on the domain controllers (DCs).
Active Directory target integration supports multiple, concurrent forests and domains and does not require any trust relationships.
The P-Synch Active Directory agent is able to dynamically identify the most suitable domain controller(s) on which to make password updates, in order to expedite replication of the new password and intruder lockout flag for the user. For example, a password update and cleared lockout may be set on a DC in the same site as the user's current workstation (identified by IP address) or nearest the user's home directory file server.
In either case, no agent software is installed on the target Windows domain controllers.
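As an added illustration (not P-Synch code, and not a description of how its agent actually ranks DCs), the site-aware selection described above can be sketched as a longest-prefix match of the workstation's IP address against the Active Directory site subnet table, falling back to a default site when the matched site has no writable DC; all site, subnet and DC names below are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample AD site topology (hypothetical names, as configured in
# AD Sites and Services): each site owns one or more subnets.
SITE_SUBNETS = {
    "HQ":     ["10.1.0.0/16"],
    "Lab":    ["10.1.200.0/24"],      # nested inside HQ's range: most specific match wins
    "Branch": ["10.2.0.0/16"],
    "DR":     ["192.168.100.0/24"],
}
# Writable DCs per site (hypothetical hostnames).
SITE_DCS = {
    "HQ":     ["dc01.hq.example.test", "dc02.hq.example.test"],
    "Lab":    ["dc01.lab.example.test"],
    "Branch": ["dc01.branch.example.test"],
    "DR":     [],                     # site with no DC: must fall back elsewhere
}
DEFAULT_SITE = "HQ"                   # assumption: hub site used when no local DC exists


def site_for_ip(ip: str) -> Optional[str]:
    """Return the AD site whose subnet contains ip, preferring the longest prefix."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for site, subnets in SITE_SUBNETS.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = site, net.prefixlen
    return best


def choose_dc(workstation_ip: str) -> str:
    """Pick the DC nearest the workstation so the new password and the cleared
    lockout flag take effect where the user authenticates, before replication
    has reached the rest of the domain."""
    site = site_for_ip(workstation_ip)
    if site is None or not SITE_DCS.get(site):
        site = DEFAULT_SITE           # unknown subnet, or a site without a writable DC
    return SITE_DCS[site][0]


if __name__ == "__main__":
    for ip in ("10.1.3.4", "10.1.200.5", "192.168.100.9", "172.16.0.1"):
        print(ip, "->", site_for_ip(ip), "->", choose_dc(ip))
```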
Triggering Password Synchronization
Native password changes made on Windows servers and domain controllers can trigger transparent password synchronization.
Updating Cached Credentials
After a password change with a web-based password management system, the cached credentials on a user's workstation may become unsynchronized with the user's new domain password:
- When a user signs into Windows, Windows stores his domain credentials in a cache in memory.
- When the user signs into other Windows resources (e.g., shares, printers, Outlook/Exchange mailboxes, IIS web sites), Windows first tries its cached domain password and, if this fails, prompts the user to type the correct password.
- If the user changes his domain password from the workstation with the Ctrl-Alt-Delete process, Windows updates the local cache, and there is no problem.
- If the help desk, another workstation or a web application changes the user's password on the domain, then the workstation cache will be invalidated (i.e., it now holds an incorrect value). Subsequent attempts to access network resources from the workstation will still use the cached password, will fail and will increment the user's "failed login attempts" counter. This can ultimately trigger an intruder lockout for the user.
- Intruder lockouts feed back to the help desk as increased call volume.
If a user signs off and back on after a web-based password change, the Windows cache is refreshed and the intruder lockout problem described above is averted. This approach is not user friendly, however.
To eliminate this problem, P-Synch includes an ActiveX component that can silently update the user's Windows password cache after a web-based password change.
The cache-updating ActiveX component works on Windows 2000 and XP workstations.