FIM 2010 (R2) Password Extension not calling ChangePassword()

  • Question

  • Hi Guys,

    as the title states, I'm having trouble with the PasswordSynchronization in FIM. The problem is that the "ChangePassword()" method in my extension never gets called. Regardless of how I "change" a password, FIM always calls the "SetPassword()" method (via "Reset password..." as admin as well as when I'm logged in as the user and use "Change password...").

    The way I understand it, the ChangePassword() method should get called when a user really changes its password (as opposed to being reset by an admin).

    Am I missing something here? I'd be glad if s.o. could point me in the right direction...

    Thx in advance

    Friday, April 26, 2013 10:11 AM

All replies

  • There is no "Change Password" in FIM. The Change Password interface is only called if you invoke the Change Password WMI interface on the Sync Engine, but nothing in FIM will do so out-of-box.

    Where do you have a "change password" for a user? If you use ctrl-alt-del and change password it will be a password change in AD, but outgoing from AD (using PCNS) it will be a password set.

    Friday, April 26, 2013 2:42 PM
  • The ChangePassword Method in a Password Extension would get called by the Password Portal that was included with MIIS 2003. Remember that was a Password Change portal and not a password reset -- in other words you had to know the original password to use it.

    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Friday, April 26, 2013 6:14 PM
  • Hi,

    Actually, the AD Password Filter API simply doesn't receive the old password, thus a change is always treated as a set operation in FIM Sync Engine.

    See here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms721849(v=vs.85).aspx#password_filter_functions

    And here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms721876(v=vs.85).aspx

    The function that gets called to notify PCNS of a new password is defined as follows:

    NTSTATUS PasswordChangeNotify(
      _In_ PUNICODE_STRING UserName,
      _In_ ULONG RelativeId,
      _In_ PUNICODE_STRING NewPassword
    );

    I hope this answers the question.

    Best regards Steffen

    • Proposed as answer by SteffenSc Saturday, April 27, 2013 7:15 AM
    • Edited by SteffenSc Friday, May 3, 2013 9:55 AM linebreaks
    Saturday, April 27, 2013 7:15 AM