The EmpowerID Domain Controller (DC) Filter is an optional plugin that you can install on all of your Active Directory domain controllers to synchronize users' passwords across their accounts in other account stores. It installs a password filter (PwdFilter) and the DC Filter Service on each domain controller.
When a password change occurs, PwdFilter calls the DC Filter Service, which in turn forwards the password sync request to the DCFilterService web service hosted on the EmpowerID Server, which triggers the Password Sync DC Filter workflow. The workflow takes these notifications and syncs the new password to any other user accounts owned by an EmpowerID Person as well as their Person object.
Alternatively, you can change the value specified for RequestWorkflowID in the EmpowerID Identity Warehouse. If RequestWorkflowID is null (no workflow is specified), the password sync is performed directly in code; otherwise, the workflow handles the entire task. To sync to an unsupported system or to add logging, add custom logic to the workflow in Workflow Studio.
The EmpowerID DC Filter Service is configured by default to use a service identity that is mapped to an EmpowerID Person to reset user account passwords in Active Directory. However, we recommend certificate-based authentication, as problems can sometimes arise when using a service identity. This topic demonstrates installing and configuring the EmpowerID DC Filter Service using certificates for authentication. In this scenario, you need two certificates: a client certificate for the domain controller and a server certificate for the EmpowerID Server.
EmpowerID needs the public key of the client certificate. The domain controller needs the public key of the EmpowerID Server certificate and the root certificate that issued it. Add these certificates to the certificate stores on each machine (the domain controller and the EmpowerID server).
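The following script is an added example, not part of the EmpowerID documentation or product. It imports the certificates just described into the LocalMachine stores of whichever machine it runs on, then resolves each one by thumbprint, which is exactly how the DC Filter Service config (x509FindType="FindByThumbprint", storeName="My", storeLocation="LocalMachine") will look for them later. The file names, the -Role switch and the choice of the TrustedPeople store for the client certificate's public key on the EmpowerID server are assumptions made here, not taken from the page.

```powershell
<#
Added example; this script is not EmpowerID's own tooling.
Imports the DC Filter certificates into the LocalMachine stores and proves each
one can be found by thumbprint (as the service config will look them up).
Assumed, not from the page: file names, -Role, and the TrustedPeople store on
the EmpowerID server. Requires the PKI module (Windows Server 2012+); run elevated.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('DomainController', 'EmpowerIDServer')]
    [string]$Role,
    [string]$ClientPfx     = '.\DCFilterClient.pfx',   # client cert with private key (DC side)
    [string]$ClientCer     = '.\DCFilterClient.cer',   # client cert, public key only
    [string]$ServerCer     = '.\EmpowerIDServer.cer',  # EmpowerID server cert, public key only
    [string]$ServerRootCer = '.\EmpowerIDRoot.cer'     # root that issued the server cert
)
$ErrorActionPreference = 'Stop'

function Assert-CertResolvable {
    param([string]$StorePath, [string]$Thumbprint, [switch]$NeedPrivateKey)
    # Same lookup the config performs: store + thumbprint, nothing else.
    $cert = Get-ChildItem $StorePath | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in $StorePath" }
    if ($NeedPrivateKey -and -not $cert.HasPrivateKey) {
        throw "$Thumbprint is in $StorePath without its private key; import the PFX, not the CER"
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "$Thumbprint expired on $($cert.NotAfter)" }
    Write-Host ("OK  {0,-30} {1}  {2}" -f $StorePath, $cert.Thumbprint, $cert.Subject)
}

switch ($Role) {
    'DomainController' {
        # The DC presents the client certificate, so it needs the private key.
        $pw  = Read-Host -AsSecureString 'Password for the client PFX'
        $cli = Import-PfxCertificate -FilePath $ClientPfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw
        Assert-CertResolvable Cert:\LocalMachine\My $cli.Thumbprint -NeedPrivateKey

        # The DC must trust the EmpowerID server: its root goes to Root, and the
        # server cert's public key goes to My so certificateReference can find it.
        Import-Certificate -FilePath $ServerRootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        $srv = Import-Certificate -FilePath $ServerCer -CertStoreLocation Cert:\LocalMachine\My
        Assert-CertResolvable Cert:\LocalMachine\My $srv.Thumbprint

        # Prove the server cert now chains to a trusted root on this DC. Revocation
        # is skipped because a DC often has no route to the CRL distribution point.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($srv)) {
            throw "Server certificate does not chain to a trusted root: $($chain.ChainStatus | ForEach-Object StatusInformation)"
        }

        Write-Host "`nValues for the DC Filter Service config on this domain controller:"
        Write-Host "  clientCertificate    findValue=`"$($cli.Thumbprint)`""
        Write-Host "  certificateReference findValue=`"$($srv.Thumbprint)`""
    }
    'EmpowerIDServer' {
        # EmpowerID only needs the client certificate's public key to recognise the caller.
        $cli = Import-Certificate -FilePath $ClientCer -CertStoreLocation Cert:\LocalMachine\TrustedPeople
        Assert-CertResolvable Cert:\LocalMachine\TrustedPeople $cli.Thumbprint
    }
}
```

Run it once with -Role DomainController on each domain controller and once with -Role EmpowerIDServer on the EmpowerID server. The private-key check matters: importing the client .cer instead of the .pfx on a domain controller leaves a certificate that FindByThumbprint will happily locate but that the service cannot use to authenticate.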
The workflow looks like this. (A description follows the diagram.)
In the diagram, we have two domains, each with two domain controllers, one EmpowerID server, and a number of native systems.
The DC Filter Service forwards the password sync request to the DCFilterService web service hosted on the EmpowerID server.
Passwords are encrypted with AES-256, with keys derived by PBKDF2 (SHA-256), and password hashes are salted. TLS and certificate authentication protect the password in transit. Note: there is no setting in EmpowerID to enable TLS; it is governed entirely by your IIS (Schannel) configuration. For more information, see: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-ssl-schannel-ssp-overview and https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol
If so, it updates the password on the user account.
Passwords are not stored in the database. Only a hash of the password is stored.
The DC Filter client certificate can be signed with SHA-2 in EmpowerID 2016 and above, but must be SHA-1 in earlier versions. (SHA-1 signatures are deprecated and widely rejected, so use SHA-2 wherever your version allows it.)
Follow this installation on each Active Directory domain controller server.
The service account for the DC Filter must have the Log on as a service right on every domain controller; otherwise the EmpowerID DC Filter Service will not start. To grant it, open Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment, then Log on as a service, and add the account.
Enter the credentials for the Windows service account (local admin) that is to run the DC Filter Service and click Next. This account reads the EmpowerID DC Filter queue and sends any password change notifications to EmpowerID. (Note that you must specify the user name in the format domain\username.)
If you prefer, you can change the service account to the Local System account on the Domain Controller. To do so, after installing the Domain Controller Filter, open services.msc and locate the EmpowerID DC Filter Service. Open the Properties dialog for the service and set the log on to Local System account.
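The script below is an added example, not EmpowerID's own installer or tooling. It grants the Log on as a service right described above to the DC Filter service account on the domain controller it runs on (there is no built-in cmdlet for user rights, so it goes through secedit), then confirms that the installed service is set to run as that account and that it starts. The parameter names are assumptions, and the service is located by the display name used in services.msc above.

```powershell
<#
Added example; not part of the EmpowerID product or documentation.
Grants "Log on as a service" to the DC Filter service account via secedit,
then checks the service's log-on account and starts it.
Assumed, not from the page: parameter names; service found by display name.
Run elevated on each domain controller.
#>
param(
    [Parameter(Mandatory)][string]$ServiceAccount,   # DOMAIN\username, as the installer expects
    [string]$ServiceDisplayName = 'EmpowerID DC Filter Service'
)
$ErrorActionPreference = 'Stop'

# secedit records rights by SID, so resolve the account first (this also proves it exists).
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-ServiceLogonRightHolders {
    # Export only the user-rights area and pull out the SeServiceLogonRight line.
    $inf = Join-Path $env:TEMP "eid-rights-$PID.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $inf
    if (-not $line) { return @() }
    return @((($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object { $_.Trim() })
}

$holders = Get-ServiceLogonRightHolders
if ($holders -contains "*$sid") {
    Write-Host "$ServiceAccount already holds Log on as a service"
} else {
    # Minimal template: only this one right, with the existing holders preserved
    # (secedit replaces the whole list, so dropping them would break other services).
    $value = (@($holders) + "*$sid") -join ','
    $inf = Join-Path $env:TEMP "eid-grant-$PID.inf"
    $db  = Join-Path $env:TEMP "eid-grant-$PID.sdb"
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    if ((Get-ServiceLogonRightHolders) -notcontains "*$sid") {
        throw "Granting Log on as a service to $ServiceAccount failed"
    }
    Write-Host "Granted Log on as a service to $ServiceAccount"
}

# The service must exist (installed by the DC Filter setup) and run as this account.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' is not installed on this domain controller" }
if ($svc.StartName -ne $ServiceAccount) {
    Write-Warning "Service runs as '$($svc.StartName)', not '$ServiceAccount'; fix it in services.msc or re-run the installer"
}
Start-Service -Name $svc.Name
Write-Host "$($svc.Name) is $((Get-Service -Name $svc.Name).Status)"
```

If you switched the service to Local System as described above, skip the grant and run only the service check; Local System already has the right.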
Open the DC Filter Service configuration file in the C:\Program Files\EmpowerID Domain Controller Filter directory. To specify the certificate used for client certificate authentication, on line 9 locate the clientCertificate element and replace its findValue with the thumbprint of your client certificate.
<clientCertificate findValue="9D49BEF8F5D9F419D61C5061869D1F7CFAAAA377" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
To specify the correct service contract, on line 95 locate the endpoint element, change its address to point to DCFilterService.svc on your EmpowerID server, and change its contract to DCFilterService.DCFilterService.
<endpoint address="https://EID.tdnflab.com/EmpowerIDWebServices/DCFilterService.svc" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_LoginService" contract="DCFilterService.DCFilterService" name="WS2007FederationHttpBinding_LoginService" behaviorConfiguration="ClientCertificateBehavior">
To specify the correct SSL certificate thumbprint, on line 100 locate the certificateReference element and replace its findValue with the thumbprint of the EmpowerID server's SSL certificate.
<certificateReference findValue="1F47DEA25442BCADB60BB8F5F1C6A14A9B82AC9B" isChainIncluded="false" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
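The script below is an added example and is not part of the EmpowerID documentation or product. It applies the three edits above (clientCertificate, endpoint, certificateReference) to the service config on a domain controller, but only after checking that both thumbprints resolve in LocalMachine\My exactly as FindByThumbprint will look them up, and that the EmpowerID server really presents the certificate that certificateReference will name. The config file name (passed in -ConfigPath) and the parameter names are assumptions made here; the page does not name the file.

```powershell
<#
Added example; not EmpowerID's own tooling.
Rewrites the clientCertificate, endpoint and certificateReference entries in the
DC Filter Service config after validating both thumbprints locally and against
the live TLS endpoint. Assumed, not from the page: -ConfigPath and parameter names.
Run elevated on the domain controller.
#>
param(
    [Parameter(Mandatory)][string]$ConfigPath,        # DC Filter Service .config file
    [Parameter(Mandatory)][string]$ClientThumbprint,  # cert the DC presents to EmpowerID
    [Parameter(Mandatory)][string]$ServerThumbprint,  # EmpowerID server's SSL certificate
    [Parameter(Mandatory)][string]$EmpowerIDHost      # e.g. EID.tdnflab.com (no scheme)
)
$ErrorActionPreference = 'Stop'

function ConvertTo-CleanThumbprint([string]$Raw) {
    # Thumbprints pasted from certmgr.msc carry spaces and often an invisible Unicode
    # mark at the front; FindByThumbprint then fails with no useful error message.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "'$Raw' is not a 40-hex-digit certificate thumbprint" }
    return $clean
}

function Assert-InMachineStore([string]$Thumbprint, [switch]$RequirePrivateKey) {
    # Mirrors storeName="My" storeLocation="LocalMachine" in the config.
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $c) { throw "$Thumbprint is not in Cert:\LocalMachine\My on this domain controller" }
    if ($RequirePrivateKey -and -not $c.HasPrivateKey) {
        throw "$Thumbprint has no private key here; the DC cannot authenticate with it"
    }
}

function Get-RemoteTlsThumbprint([string]$HostName, [int]$Port = 443) {
    # Opens a TLS session and returns the thumbprint of the leaf cert the server presents.
    # Validation is deliberately accepted here so the mismatch is reported by us, not by TLS.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $leaf.Thumbprint
    } finally { $tcp.Close() }
}

$clientTp = ConvertTo-CleanThumbprint $ClientThumbprint
$serverTp = ConvertTo-CleanThumbprint $ServerThumbprint
Assert-InMachineStore $clientTp -RequirePrivateKey
Assert-InMachineStore $serverTp

$liveTp = Get-RemoteTlsThumbprint $EmpowerIDHost
if ($liveTp -ne $serverTp) {
    throw "$EmpowerIDHost presents $liveTp but certificateReference would name $serverTp; the IIS binding and this config disagree"
}

[xml]$cfg = Get-Content -Raw -Path $ConfigPath
function Get-SingleNode([xml]$Doc, [string]$XPath) {
    # Refuse to guess if the element is missing or duplicated.
    $nodes = $Doc.SelectNodes($XPath)
    if ($nodes.Count -ne 1) { throw "Expected exactly one match for $XPath, found $($nodes.Count)" }
    return $nodes.Item(0)
}
$clientCert = Get-SingleNode $cfg '//clientCertificate'
$endpoint   = Get-SingleNode $cfg '//endpoint[@name="WS2007FederationHttpBinding_LoginService"]'
$certRef    = Get-SingleNode $cfg '//certificateReference'

$clientCert.SetAttribute('findValue', $clientTp)
$endpoint.SetAttribute('address',  "https://$EmpowerIDHost/EmpowerIDWebServices/DCFilterService.svc")
$endpoint.SetAttribute('contract', 'DCFilterService.DCFilterService')
$certRef.SetAttribute('findValue', $serverTp)

Copy-Item $ConfigPath "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$cfg.Save($ConfigPath)
Write-Host "Updated $ConfigPath; restart the EmpowerID DC Filter Service so it reloads the config."
```

The live-endpoint comparison is the check most often skipped by hand: certificateReference must name the certificate bound to the HTTPS site in IIS, and after a certificate renewal on the EmpowerID server the two silently drift apart until password sync stops working.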
In the C:\Program Files\TheDotNetFactory\EmpowerID\Programs\System Certificates directory, right-click EmpowerIDSystemAccessCert.pfx and select Install PFX.