Windows / Active Directory Integration - Hitachi ID Password Manager

Triggering Password Synchronization

Native password changes made on Windows servers and domain controllers can trigger transparent password synchronization.

Updating Cached Credentials

After a password change made through a web-based password management system, the credentials cached on the user's PC no longer match the user's new domain password:

  • When a user signs into Windows, Windows stores his domain login ID and password in a cache in memory and in the registry.

  • When the user signs into other Windows resources (e.g., shares, printers, Outlook/Exchange mail boxes, IIS web sites), Windows first tries its cached domain password and, if this fails, Windows prompts the user to type the correct password.

  • If the user changes his domain password from the PC with the Ctrl-Alt-Delete process, Windows updates both the domain password and the locally cached password -- there is no problem.

  • If the help desk, another PC or a web application changes the user's password on the domain, the cached password on the user's PC becomes wrong. On each subsequent attempt by the user to access a network resource, the OS presents the (wrong) cached password; the attempt fails and the user's "failed login attempts" counter is incremented. This pattern of activity can ultimately trigger an intruder lockout for the user.

  • Intruder lockouts feed back to the help desk as increased call volume.

If a user signs off and back on after a web-based password change, the Windows cache is refreshed and the intruder lockout problem described above is averted. This approach is not user friendly, however.
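As an added illustration (not part of Hitachi ID's documentation or product code), the following Python script shows how a defender could recognise the lockout pattern described above in Windows Security events: a help-desk or web-based reset (event 4724) followed, within a short window, by repeated bad-password Kerberos pre-authentication failures (event 4771, status 0x18) that all come from the user's own workstation. The event IDs are real; the event records, host names, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Fields mirror Windows
# Security log events: 4724 = password reset by another account (help desk
# or web app); 4771 = Kerberos pre-authentication failed, where status 0x18
# means the password presented by the client was wrong.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4724, "user": "jsmith", "source": "PWM-WEB"},
    {"time": "2024-03-01T09:01:05", "id": 4771, "user": "jsmith", "source": "WS-JSMITH", "status": "0x18"},
    {"time": "2024-03-01T09:01:40", "id": 4771, "user": "jsmith", "source": "WS-JSMITH", "status": "0x18"},
    {"time": "2024-03-01T09:02:15", "id": 4771, "user": "jsmith", "source": "WS-JSMITH", "status": "0x18"},
    {"time": "2024-03-01T09:02:50", "id": 4771, "user": "jsmith", "source": "WS-JSMITH", "status": "0x18"},
    # One stray failure for another user with no preceding reset: ignored.
    {"time": "2024-03-01T09:05:00", "id": 4771, "user": "akim", "source": "WS-AKIM", "status": "0x18"},
    # A reset followed by no failures: the user signed off and back on.
    {"time": "2024-03-01T10:00:00", "id": 4724, "user": "bwong", "source": "PWM-WEB"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def stale_cache_candidates(events, window_minutes=15, threshold=3):
    """Return users whose out-of-band password reset was followed, within the
    window, by repeated bad-password failures all coming from a single
    workstation: the signature of a stale locally cached credential rather
    than of a user mistyping a password on several machines."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for reset in (e for e in events if e["id"] == 4724):
        start = _ts(reset["time"])
        per_source = defaultdict(int)  # failures keyed by originating host
        for e in events:
            t = _ts(e["time"])
            if (e["user"] == reset["user"] and e["id"] == 4771
                    and e.get("status") == "0x18" and start < t <= start + window):
                per_source[e["source"]] += 1
        for host, count in per_source.items():
            if count >= threshold:
                findings.append({"user": reset["user"], "reset_by": reset["source"],
                                 "workstation": host, "failures": count})
    return findings


if __name__ == "__main__":
    for f in stale_cache_candidates(EVENTS):
        print(f"{f['user']}: {f['failures']} bad-password failures from "
              f"{f['workstation']} after reset by {f['reset_by']}")
```

A finding of this shape is a candidate for the cache-refresh remedy rather than for an incident, while failures spread across many hosts or without a preceding reset fall outside the rule and deserve separate review.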

To eliminate this problem without forcing users to sign off and back on, Hitachi ID Password Manager includes an ActiveX component that can silently update the user's Windows password cache after a web-based password change.

The cache-updating ActiveX component works on Windows XP, Vista and 7 PCs.
