Installing the EmpowerID Domain Controller Filter

The EmpowerID Domain Controller (DC) Filter is an optional plugin that you install on all of your Active Directory domain controllers to synchronize a user's Active Directory password to that user's accounts in other account stores. It installs two components on each domain controller: PwdFilter, which is notified of password changes, and the DC Filter Service. Install it on every domain controller in the domain, because a password change is processed by whichever domain controller receives it; a change handled by a domain controller without the filter is never reported to EmpowerID.

When a password change occurs, PwdFilter calls the DC Filter Service, which forwards the password sync request to the DCFilterService web service hosted on the EmpowerID Server. That web service triggers the Password Sync DC Filter workflow, which syncs the new password to the EmpowerID Person linked to the account and to that Person's other user accounts.

This default behavior is controlled by the RequestWorkflowID value in the EmpowerID Identity Warehouse. If RequestWorkflowID is null (no workflow is specified), the password sync is performed directly in code; otherwise, the specified workflow handles the entire task. To sync to an unsupported system or to add logging, add custom logic to the workflow in Workflow Studio.

By default, the EmpowerID DC Filter Service authenticates with a service identity that is mapped to an EmpowerID Person, and that Person resets user account passwords in Active Directory. We recommend certificate-based authentication instead, because problems can sometimes arise with a service identity. This topic demonstrates installing and configuring the EmpowerID DC Filter Service with certificates for authentication.

In this scenario, you need two certificates:

  • A client certificate issued to the domain controller

  • The EmpowerID Server certificate (the certificate used in the EmpowerID deployment)

The EmpowerID server needs the public part of the client certificate (exported without its private key; the private key stays on the domain controller). The domain controller needs the public part of the EmpowerID Server certificate and the root CA certificate that issued it. Add these certificates to the certificate stores on each machine (the domain controller and the EmpowerID server).
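As an added example (not from the EmpowerID documentation or product), the following PowerShell, run on a domain controller, exports the public part of the client certificate for transfer to the EmpowerID server, imports the EmpowerID Server certificate and its root into the domain controller's local machine stores, and then verifies that the server certificate chains to a trusted root and that the client certificate carries a Client Authentication EKU. The thumbprint, the file names, and the choice of the TrustedPeople store for the server certificate are assumptions; substitute the values your EmpowerID configuration expects.

```powershell
# Added example (not part of the EmpowerID documentation or product): stage the two
# certificates on a domain controller and check that they are usable. The thumbprint,
# file names and the TrustedPeople store choice are assumptions for your environment.
$ErrorActionPreference = 'Stop'

$ClientCertThumbprint = 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'   # placeholder
$ExportDir            = 'C:\DCFilterCerts'                      # placeholder
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Locate the client certificate issued to this DC and confirm its private key is present.
$clientCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ClientCertThumbprint }
if (-not $clientCert) {
    throw "No certificate with thumbprint $ClientCertThumbprint in Cert:\LocalMachine\My"
}
if (-not $clientCert.HasPrivateKey) {
    throw 'The client certificate has no private key on this DC; the DC Filter Service cannot authenticate with it'
}

# 2. Export only the public part (-Type CERT writes DER with no private key).
#    Copy the resulting file to the EmpowerID server.
$clientPublic = Join-Path $ExportDir "dc-client-$env:COMPUTERNAME.cer"
Export-Certificate -Cert $clientCert -FilePath $clientPublic -Type CERT | Out-Null

# 3. Import the EmpowerID Server certificate and its root, copied here from the EmpowerID server.
#    Root CA -> LocalMachine\Root. Server certificate -> TrustedPeople (assumption; use the
#    store your EmpowerID configuration expects).
Import-Certificate -FilePath (Join-Path $ExportDir 'empowerid-root.cer') `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$serverCert = Import-Certificate -FilePath (Join-Path $ExportDir 'empowerid-server.cer') `
    -CertStoreLocation Cert:\LocalMachine\TrustedPeople

# 4. Verify: the server certificate must now chain to a trusted root on this DC.
function Test-CertificateChain {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so this check works offline; keep it enabled in production.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Certificate)
    if (-not $ok) {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning ('{0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
        }
    }
    return $ok
}
if (-not (Test-CertificateChain -Certificate $serverCert)) {
    throw 'The EmpowerID Server certificate does not chain to a trusted root on this DC; re-check the root import'
}

# 5. Verify: a TLS client certificate is commonly rejected unless it carries the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$eku = $clientCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
if (-not $hasClientAuth) {
    Write-Warning 'The client certificate lacks the Client Authentication EKU; request one with that usage if the handshake fails'
}

Write-Host "Client public certificate exported to $clientPublic"
Write-Host "Server certificate trusted on this DC, thumbprint $($serverCert.Thumbprint)"
```

Repeat the script on every domain controller that runs the filter. On the EmpowerID server, the only import needed is the exported `dc-client-*.cer` file for each domain controller; the client certificates' private keys never leave the domain controllers.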

The workflow looks like this. (A description follows the diagram.)

In the diagram, we have two domains, each with two domain controllers, one EmpowerID server, and a number of native systems.

  1. When a user account password change occurs, the PwdFilter calls the DC Filter Service.

  2. The DC Filter Service forwards the password sync request to the DCFilterService web service hosted on the EmpowerID server.

  3. The Password Sync DC Filter workflow verifies whether the request is authorized.

  4. If so, it updates the password on the user account.

  5. The workflow then checks whether Allow Password Sync is enabled on the related account store, and whether the user account is linked to a person.

  6. If so, it updates the password on the person and checks whether the person has other accounts with Allow Password Sync enabled.

  7. If so, it updates the password on any user accounts linked to the person that have Allow Password Sync enabled.

  8. Then it checks other domains to see whether they have domain controllers, and updates the password as appropriate.