
What determines the Status of the Filter in the IDM PassSync

This document (3976631) is provided subject to the disclaimer at the end of this document.

Environment

Novell Identity Manager Password Synchronization
Novell Identity Manager Driver- Active Directory Driver

Situation

The Identity Manager PassSync interface under the Control Panel can show four statuses: Installed, Not-Installed, Installed-Needs Reboot, and Running. How does it determine which one to show?

Resolution

To show the proper status, the IDM PassSync interface does a remote registry read from the machine where the driver runs. The registry read and other actions are done with the rights of the logged-in person performing the actions in the IDM PassSync interface. Always make sure that the person checking the IDM PassSync interface in Control Panel is logged into the server with Domain Admin rights.

It does the following checks:

1 - The remote registry read is done to the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It queries the value "Notification Packages" and looks for the text "PWFILTER". If it is not there, or if the logged-in user does not have rights to the remote registry, IDM shows the filter as "Not Installed". Once it is detected, the status changes to Installed-Needs Reboot. The server must be rebooted at this point because changes to the Lsa key are only read at startup.

- Note: If after a reboot of the system the filter still shows as Installed-Needs Reboot but PWFILTER exists, there may be a rights issue on the registry key. Grant both the Authentication ID user (from the AD driver properties) and the user logged into the server supervisor rights to the HKLM\SOFTWARE\NOVELL\PwFilter key and its subkeys (the Data key). Also, the user logged into the system must have file access rights to the system32 directory to copy in the files (pwfilter.dll and psevent.dll). Finally, if it seems to be stuck on Installed-Needs Reboot, reboot the system, remove the filter in the Control Panel applet, then reboot again. It should change to Not Installed. Then add it back in the Control Panel applet until it says Installed-Needs Reboot, and do a final reboot of the system.

2 - If PWFILTER is there and the proper rights exist, the Password Sync agent looks for a "Host Names" entry in the HKLM\SOFTWARE\NOVELL\PwFilter key. If it is missing or points to an incorrect host name (or sometimes if it has multiple host names), the status shows "Installed". DNS problems with the entry may also cause the status to show "Installed".

3 - When you either push the Remote Loader out or install it locally on the domain controller, the install should also copy PWFILTER.DLL to the <windir>\system32 directory. Sometimes the remote push fails to copy pwfilter.dll to system32. This is normally due to a lack of rights for the logged-in person running the applet.
 
4 - If the PWFILTER.DLL file on a Domain Controller is older than the PWFILTER.DLL file on the system running the Remote Loader, the status will be "Outdated". Update all the Domain Controllers with the latest PWFILTER.DLL, and make sure the updated Domain Controllers are rebooted afterwards.
 
5 - A status of "Unknown" shows up if the registry on the Domain Controller cannot be accessed or updated. Clicking the "Properties" tab for that filter gives the message "Access is denied". Several things can cause this: under Services on the Domain Controller, the "Remote Registry" service must be started; another cause is that the user logged into the Remote Loader machine running the PassSync applet does not have rights to read or modify the registry on the other Domain Controller.

6 - If the "Host Names" entry is correct, and the pwfilter.dll file is in place, the status will change to "Running".

- Note: If you choose to remove the filter in the Password Sync applet, you must reboot the server where the filter was removed, so that the server correctly cleans up the PWFILTER entry in the Notification Packages line of the Lsa key. If a filter has been removed and re-added, always reboot the server to make sure that any run-once commands are cleared out.

- Note: If the filter seems to be stuck in an "Installed - Needs Reboot" state and all the above settings seem to be correct, check whether the following registry values exist under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc": "RestrictRemoteClients"=dword:00000001 and/or "EnableAuthEpResolution"=dword:00000001. With these registry settings in place RPC is restricted, which causes the filters to be stuck in a Needs Reboot state. Disable or delete these registry settings.
The RestrictRemoteClients value may also be 2 rather than 1, depending on how it was set. To change it without going into the registry, open the Group Policy Editor (gpedit.msc) and choose Computer Configuration, Administrative Templates, System, Remote Procedure Call. There is an option there called "Restrictions for Unauthenticated RPC clients". If the option is set to Enabled, PwFilter will not work.
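The following PowerShell script is an added diagnostic example (not Novell's code) that walks through the same checks the applet performs against one Domain Controller, so an administrator can see which check fails before opening the applet. It assumes it is run from the Remote Loader host as a Domain Admin, with the DC name passed in $DC and the reference pwfilter.dll in the local system32 directory.

```powershell
# Added diagnostic, not part of the IDM PassSync applet. $DC is an assumption.
param([Parameter(Mandatory)][string]$DC)

$result = [ordered]@{}

# Check 5: the Remote Registry service on the DC must be running.
$svc = Get-Service -ComputerName $DC -Name RemoteRegistry -ErrorAction SilentlyContinue
$result['RemoteRegistryRunning'] = ($svc -and $svc.Status -eq 'Running')

try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DC)

    # Check 1: PWFILTER must be listed in Lsa\Notification Packages.
    $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $packages = @($lsa.GetValue('Notification Packages'))
    $result['PwFilterRegistered'] = ($packages -contains 'PWFILTER')

    # Check 2: "Host Names" must exist and resolve; multiple names are suspect.
    $pwf = $hklm.OpenSubKey('SOFTWARE\NOVELL\PwFilter')
    $hosts = if ($pwf) { @($pwf.GetValue('Host Names')) } else { @() }
    $result['HostNames'] = $hosts -join ','
    $result['HostNamesResolve'] = ($hosts.Count -eq 1) -and
        [bool](Resolve-DnsName -Name $hosts[0] -ErrorAction SilentlyContinue)

    # Extra note: RPC restriction policy keeps filters in Needs Reboot.
    $rpc = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\Rpc')
    $restrict = if ($rpc) { $rpc.GetValue('RestrictRemoteClients') } else { $null }
    $result['RpcRestricted'] = ($restrict -ne $null -and $restrict -ne 0)
} catch {
    # Access denied here corresponds to the applet's "Unknown" status.
    $result['RegistryError'] = $_.Exception.Message
}

# Checks 3 and 4: pwfilter.dll must be present on the DC and not older than ours.
$remoteDll = "\\$DC\admin$\system32\pwfilter.dll"
$localDll  = Join-Path $env:windir 'system32\pwfilter.dll'
$result['DllPresentOnDC'] = Test-Path $remoteDll
if ($result['DllPresentOnDC'] -and (Test-Path $localDll)) {
    $remoteVer = [version](Get-Item $remoteDll).VersionInfo.FileVersion
    $localVer  = [version](Get-Item $localDll).VersionInfo.FileVersion
    $result['DllOutdated'] = ($remoteVer -lt $localVer)
}

[pscustomobject]$result
```

Each field maps to one numbered check above; a false or error value points at the step whose fix is described there.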


Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 3976631
  • Creation Date: 08-MAY-07
  • Modified Date: 13-JUN-13
  • NetIQ Identity Manager
