ENTSSO Password Synchronization

In an Enterprise Single Sign-On (ENTSSO) environment, password synchronization keeps users' passwords on different platforms identical and automates the distribution of user- or administrator-initiated password changes. Without automatic synchronization, users can still use the same password on every platform, but whenever a user changes a password in Active Directory (AD) or in a non-Windows credential database, an administrator must update the ENTSSO credential database and every other platform's credential database by hand. All of those updates have to land as soon as possible, or the platforms fall out of step and logons start failing, which makes a busy administrator's life difficult.

ENTSSO can also work with different passwords on different platforms (i.e., without password synchronization). But that strategy requires disciplined users and administrators: each time a user changes a non-Windows password, someone has to make sure the change is reflected in the ENTSSO credential database in a timely fashion, because ENTSSO can only replay the credentials it holds.

Security-minded people often argue against password synchronization because of the "key to the kingdom" problem: if the passwords on all platforms are identical, compromising the password on one platform gives an attacker access to every other platform that shares it, including platforms whose own authentication controls were never touched. Synchronizing passwords also forces you to use a single password policy that every platform can enforce. That policy tends to settle at the limits of the least capable platform (shortest maximum length, smallest character set), so a platform that supports stronger password policies than the others ends up running at the weaker setting.

Bidirectional password synchronization between Windows and non-Windows environments is a feature of the Host Integration Server 2004 (HIS 2004) ENTSSO service. However, HIS 2004 ENTSSO doesn't include all the building blocks necessary for bidirectional password synchronization. HIS 2004 ENTSSO includes only a set of password-synchronization interfaces and the Password Change Notification Service (PCNS). Additional password-synchronization software is available from Proginet (http://eps.proginet.com), which supplies ENTSSO password-synchronization software called Enterprise SSO Password Synchronization (ePS). So far, Proginet is the only password-synchronization vendor to provide an adapter, the ePS Controller, that uses the ENTSSO password-synchronization interfaces. For bidirectional password synchronization to work, the non-Windows platforms also require Proginet ePS adapters. Proginet offers ENTSSO password-synchronization adapters for IBM z/OS (with adapters for IBM Resource Access Control Facility (RACF), Computer Associates' eTrust CA-ACF2 Security, and eTrust CA-Top Secret Security), OS/400 (with an adapter for IBM AS/400), IBM AIX, HP-UX, Sun Microsystems Solaris, and Linux. Web Figure 1 (http://www.windowsitpro.com, InstantDoc XXXXX) illustrates the password-synchronization building blocks and flow.

PCNS is an add-on for Windows AD domain controllers that notifies other servers of AD password changes. Possible PCNS targets are HIS ENTSSO servers or Microsoft Identity Integration Server (MIIS) 2003 servers. (PCNS will also ship as part of MIIS Service Pack 1 (SP1) and the Identity Integration Feature Pack (IIFP) SP1.) You can configure one PCNS service to serve multiple targets, but you must install PCNS on every domain controller (DC) in a Windows domain, because a password change is processed only by the DC that receives it; a DC without PCNS silently drops the notification. PCNS consists of three pieces of software:

  • a password filter DLL, loaded into the Local Security Authority (LSA) process (lsass.exe) on each DC, that obtains a cleartext copy of the password whenever a password is set or changed on that DC. Because every DLL registered with the LSA as a password filter receives cleartext passwords, the list of registered filters on each DC deserves the same scrutiny as the DC itself.
  • the PCNS service, which receives the password-change notifications from the local password filter, queues them, and sends them to the target system
  • the PCNS configuration utility, which can update the PCNS configuration data stored in AD

You can configure HIS ENTSSO password synchronization in three ways:

  • Windows to non-Windows full synchronization, which captures the AD password changes and synchronizes both the non-Windows and the ENTSSO credential databases
  • non-Windows to Windows partial synchronization, which captures the non-Windows password changes and synchronizes only the ENTSSO credential database
  • non-Windows to Windows full synchronization, which captures the non-Windows password changes and synchronizes both the ENTSSO and the AD credential databases

You must install the ePS Controller on an HIS 2004 server. If you need to configure password synchronization between multiple Windows domains and a non-Windows environment, you have to deploy HIS 2004 ENTSSO ePS Controller servers in every Windows domain. In addition, if multiple HIS ENTSSO servers serve the same domain, you must install the ePS Controller on every one of them. The ePS Controller uses a system of replay files to provide fault tolerance for connection failures: a change that can't be delivered is written to a replay file and resent when the connection returns, rather than being lost. You can also cluster ePS Controllers, which include logic to protect against password-update loops (a change that propagates from one platform back to its origin and is applied there a second time, triggering yet another notification).
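Because PCNS must be present on every DC, a practical first check after deployment is to audit the whole domain for it. The following PowerShell script is an added example, not code from the article or from Microsoft's or Proginet's products. It assumes the PCNS service is registered as 'PCNSSVC' and that its password filter is registered in the LSA's Notification Packages value as 'pcnsflt'; adjust both names if your installation differs. It also lists every registered password filter on each DC, since any DLL in that value receives cleartext passwords and an unexpected entry should be investigated.

```powershell
# Added example (not from the article): audit every DC for the PCNS service and
# the LSA password-filter registration that PCNS depends on.
# Assumptions, not taken from the article:
#   - PCNS service name is 'PCNSSVC'
#   - PCNS filter DLL is registered in Notification Packages as 'pcnsflt'
# Requires the ActiveDirectory module (RSAT), PowerShell remoting to the DCs,
# and administrative rights on them.

$PcnsServiceName = 'PCNSSVC'   # assumption
$PcnsFilterName  = 'pcnsflt'   # assumption (DLL base name without .dll)

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    $svc = $null; $packages = @(); $err = $null

    # 1. Is the PCNS service installed and running on this DC?
    try {
        $svc = Get-Service -ComputerName $dc -Name $PcnsServiceName -ErrorAction Stop
    } catch { $err = $_.Exception.Message }

    # 2. Which password filters has the LSA been told to load on this DC?
    #    Every entry in this REG_MULTI_SZ sees cleartext passwords.
    try {
        $packages = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name 'Notification Packages').'Notification Packages'
        }
    } catch { if (-not $err) { $err = $_.Exception.Message } }

    [pscustomobject]@{
        DomainController     = $dc
        ServicePresent       = [bool]$svc
        ServiceStatus        = if ($svc) { $svc.Status } else { 'Missing' }
        FilterRegistered     = (@($packages) -contains $PcnsFilterName)
        NotificationPackages = (@($packages) -join ';')
        Error                = $err
    }
}

$results | Format-Table -AutoSize

# A DC that lacks either piece will process password changes without telling
# the ENTSSO target, leaving the ENTSSO and non-Windows databases stale.
$gaps = $results | Where-Object { -not $_.ServicePresent -or -not $_.FilterRegistered }
if ($gaps) {
    Write-Warning ('PCNS is incomplete on: ' +
        (($gaps | Select-Object -ExpandProperty DomainController) -join ', '))
}
```

Run it from a management workstation after installing PCNS, and again whenever a DC is added or rebuilt; a newly promoted DC without PCNS is the most common way a synchronized environment quietly drifts. Note that the filter registration only takes effect after the DC is restarted, so a DC that shows the filter as registered but the service as missing (or vice versa) is still a gap.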

