Can FIM safely change user passwords in AD, when passed the password by another application?

  • Question

  • I have a somewhat convoluted question involving FIM.  I know very little about FIM, but we are thinking of deploying it at our University to hopefully help deal with some potential EFS problems.  At our school our AD infrastructure is a spoke instead of the normal hub.  We are getting ready to deploy EFS using PKI, but we are concerned about the fact that our users do not change their AD passwords through AD.  The passwords are set through an IDM solution that then gets propagated out to all the other applications such as Banner, Luminis and AD.  That normally works just fine for us, except that when we implement EFS changing the password with that method will break the EFS certificates, causing users to lose access to their docs until we restore their key.  

    So my question is ... can FIM, or one of its components, take passwords from another application, such as our IDM solution, and then use that to change the user's password in AD, all the while preserving their EFS chain so users retain access to their EFS documents?  I know that part of retaining the EFS chain with passwords is having users enter their old password so they can enter their new password, and I know FIM has that option too.  It would be really nice though if it could take passwords from other applications and allow us to use EFS.  If that is not possible, can anyone recommend a possible solution?  Thanks in advance.


    Über Random

    Friday, November 9, 2012 6:46 PM

Answers

  • On Fri, 9 Nov 2012 18:46:43 +0000, Uber Random wrote:

    That normally works just fine for us, except that when we implement EFS changing the password with that method will break the EFS certificates, causing users to lose access to their docs until we restore their key.

    This really should not be the case. A password reset only breaks access to
    DPAPI protected material in a workgroup environment, and not in a domain
    environment. In a domain, DPAPI protected material is protected by two keys,
    one based on user logon information, like in a workgroup, and one based on
    a private key held by the domain controllers. When a password reset is
    performed in a domain, access to the protected material is not possible
    with the first key, but is with the second. Once access to the protected material is gained by using the domain controller's key, a new master key is generated using the user's updated logon information.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Protect your software at all costs -- all else is meat.




    • Edited by Paul Adare Saturday, November 10, 2012 2:39 AM
    • Marked as answer by Uber Random Tuesday, November 13, 2012 12:06 AM
    Saturday, November 10, 2012 2:37 AM

All replies

  • Hi-

    AD requires the old password in the ChangePassword call. So, if you use FIM to do a reset then it won't help you. Your IDM solution really needs to pass password changes back to AD as a change not a reset.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, November 9, 2012 10:43 PM
    Moderator
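    The change-versus-reset distinction Brian describes, as an added example that is not code from any poster: the IDM system hands over both the old and the new password, and the script submits them to AD as a password *change*, which lets AD verify the old password and keeps the user's DPAPI master key (and so the EFS private key) usable. It assumes the RSAT ActiveDirectory PowerShell module; the DC name and account names are placeholders.

    ```powershell
    # Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
    Import-Module ActiveDirectory

    function Set-IdmPassword {
        # Push an IDM-supplied password into AD as a CHANGE (old + new), not a RESET.
        param(
            [Parameter(Mandatory)][string]$SamAccountName,
            [Parameter(Mandatory)][securestring]$OldPassword,   # supplied by the IDM system
            [Parameter(Mandatory)][securestring]$NewPassword,
            [string]$Server = 'dc01.example.edu'               # placeholder domain controller
        )
        try {
            # -OldPassword/-NewPassword selects the ChangePassword path: AD checks the old
            # password itself, so no "Reset Password" right is needed on the account and the
            # user's DPAPI master key is re-protected with the new credential as usual.
            Set-ADAccountPassword -Identity $SamAccountName -Server $Server `
                -OldPassword $OldPassword -NewPassword $NewPassword -ErrorAction Stop
            return 'changed'
        }
        catch {
            # Wrong old password or policy violation. Deliberately no fallback to -Reset:
            # a reset is exactly the operation the thread is trying to avoid for EFS users.
            Write-Warning "Password change rejected for $SamAccountName : $($_.Exception.Message)"
            return 'rejected'
        }
    }

    function Reset-AdPasswordAsAdmin {
        # Contrast: an administrative RESET (what a reset-style connector or helpdesk does).
        # Needs the Reset Password extended right; AD never sees the old password.
        param(
            [Parameter(Mandatory)][string]$SamAccountName,
            [Parameter(Mandatory)][securestring]$NewPassword,
            [string]$Server = 'dc01.example.edu'               # placeholder domain controller
        )
        Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Reset `
            -NewPassword $NewPassword -ErrorAction Stop
    }

    # Usage (placeholder account; in practice the IDM pipeline supplies both values):
    # $old = Read-Host -AsSecureString 'Old password'
    # $new = Read-Host -AsSecureString 'New password'
    # Set-IdmPassword -SamAccountName 'jdoe' -OldPassword $old -NewPassword $new
    ```

    In a domain the reset path still leaves DPAPI material recoverable through the domain controller's backup key, as Paul explains below, but the change path avoids relying on that recovery at all.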
  • On Sat, 10 Nov 2012 02:37:06 +0000, Paul Adare wrote:

    In a domain, DPAPI protected material is protected by two keys

    For details:

    http://msdn.microsoft.com/en-us/library/ms995355.aspx

    Key Backup and Restoration in DPAPI


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Don't let the computer bugs bite!

    Saturday, November 10, 2012 10:26 AM
  • Thank you for the information.  I think I mis-communicated my question earlier.  We haven't actually deployed EFS across our domain yet and as such we haven't had any broken EFS certs yet.  I was posing the question in anticipation of deploying EFS in the near future.

    The reason for my question was I went to an AD training two weeks ago and our instructor had mentioned that having an Admin reset the password would break EFS encrypted documents, encrypted Outlook email and would cause cached IE passwords to be lost.  He didn't mention the workgroup portion, so it looks like either he gave us incorrect information or I may have missed something in the translation.  

    Either way I am glad to know that resetting passwords through our IDM solution will not break the EFS encryption for our users and that we won't need to purchase FIM after all.  Thank you again.


    Über Random

    Tuesday, November 13, 2012 12:06 AM