Can FIM sync AD passwords to a SQL Server table in encrypted form?

  • Question

  • Hi Everyone - 

    In an access management scenario, a reverse proxy is being configured to protect access to a back-end application.  That application stores credentials in Active Directory, however the reverse proxy has its own credential store which happens to be a SQL Server table.

    When a user tries to access the application, the proxy intercepts the request and checks the user's form-entered credential against the SQL Server table credential - which is stored in encrypted format.  That credential matches the back end application Active Directory credential.

    Enter FIM

    The IT manager wants an easier way to manage/synchronize credentials in this scenario.  Is FIM able to synchronize credentials between the back end AD and the proxy's SQL Server credential store?  FIM would have to be able to extract the AD username and password and store the password in the encrypted form that the proxy expects (a default encryption level that SQL Server provides out of the box).  Today, a stored procedure is used to encrypt and store or retrieve that password.

    Questions:

    Is FIM able to provide this capability out of the box?

    If not, what developmental items should one expect working with which components of the FIM suite?

    Thanks for any feedback/thoughts!


    Friday, November 16, 2012 3:42 PM

Answers

  • Osho,

    If AD is the source of the password change/reset and the target is SQL, you should be able to use PCNS with the password sync component in FIM for this. You will have to build the SQL password extension DLL yourself. You can use this as a starting point. I have made these before for SQL once, it wasn't that bad. I wasn't encrypting it at the time, you would have to add that but if you can get around that, this should do the job for you...

    Saturday, November 17, 2012 6:52 AM
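    As an added illustration of the password extension DLL the answer describes (example code written for this thread, not the poster's or Microsoft's sample), here is a minimal IMAPasswordManagement implementation for a SQL Server MA that hands the PCNS-delivered password to the existing encrypting stored procedure. The procedure name dbo.usp_SetProxyPassword, its parameters, the ProxyStore database, and the UserName column exposed by the SQL MA are assumptions.

    ```csharp
    // Added example, not from the original thread. Targets Microsoft.MetadirectoryServices.dll
    // (FIM Synchronization Service). Procedure name, parameters and connection string are assumed.
    using System;
    using System.Data;
    using System.Data.SqlClient;
    using Microsoft.MetadirectoryServices;

    public class ProxyStorePasswordExtension : IMAPasswordManagement
    {
        private SqlConnection _conn;

        // Called by the sync engine before a batch of password operations.
        public void BeginConnectionToServer(string connectTo, string user, string password)
        {
            // Integrated security: the sync service account needs EXECUTE on the procedure only,
            // so no SQL login password has to be kept in the MA configuration.
            _conn = new SqlConnection("Server=" + connectTo + ";Database=ProxyStore;" +
                                      "Integrated Security=SSPI;Encrypt=True");
            _conn.Open();
        }

        public void EndConnectionToServer()
        {
            if (_conn != null) { _conn.Dispose(); _conn = null; }
        }

        // PCNS delivers the new clear-text password. Pass it as a parameter to the stored
        // procedure that already encrypts with the server-side key the proxy uses; never log it.
        public void SetPassword(CSEntry csentry, string newPassword)
        {
            using (SqlCommand cmd = new SqlCommand("dbo.usp_SetProxyPassword", _conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = csentry["UserName"].Value;
                cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 512).Value = newPassword;
                if (cmd.ExecuteNonQuery() == 0)
                    throw new InvalidOperationException("No proxy credential row for " + csentry.DN);
            }
        }

        // An AD reset carries no old password, so a change is handled like a set.
        public void ChangePassword(CSEntry csentry, string oldPassword, string newPassword)
        {
            SetPassword(csentry, newPassword);
        }

        public ConnectionSecurityLevel GetConnectionSecurityLevel() { return ConnectionSecurityLevel.Secure; }
        public void RequireChangePasswordOnNextLogin(CSEntry csentry, bool fRequire) { }
        public void UnlockUser(CSEntry csentry, bool fUnlock) { }
    }
    ```

    Because the proxy compares the submitted credential against the stored value, the procedure must use reversible encryption (as the question describes) rather than a one-way hash, so protecting the key and restricting EXECUTE rights on the procedure is what guards the store.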

All replies

  • Check this link. It may help you. :-)

    http://www.myitforum.com/absolutenm/templates/Articles.aspx?articleid=22093&zoneid=98

    Friday, January 4, 2013 11:41 AM