What determines the Status of the Filter in the IDM PassSync
This document (3976631) is provided subject to the disclaimer at the end of this document.
To show the proper status, the IDM PassSync interface does a remote registry read from the machine where the driver runs. The registry read and other actions are done based on the rights of the logged in person doing the actions in the IDM PassSync interface. Always make sure that the person checking the IDM PassSync interface in Control panel is logged into the server with Domain Admin rights.
It does the following checks:
1 - The remote registry read is done to the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It does a query of the value "Notification Packages". The query looks for the text "PWFILTER". If it is not there, or if the logged in user does not have rights to the remote registry, IDM shows the filter as "Not Installed". Once it is detected, it changes to Installed-Needs Reboot. The server must be rebooted at this point because changes to the Lsa key are only read at startup.
- Note: If after a reboot of the system, the filter still shows as Installed-Needs Reboot but PWFILTER exists, then there may be a rights issue to the registry key. Grant both the Authentication ID user (from the AD driver properties) and the user logged into the server, supervisor rights to the HKLM\SOFTWARE\NOVELL\PwFilter key and it's sub keys (the Data key). Also, the user logged into the system must have file access rights to the system32 directory to copy in the files (pwfilter.dll and psevent.dll). Finally, if it seems like it is stuck on Installed-Needs Reboot, then reboot the system, remove the filter in the Control Panel applet, then reboot again. It should change to Not Installed. Then add it back in the Control Panel applet to where it says Installed-Needs Reboot. Then do a final reboot of the system.
2 - If PWFILTER is there and the proper rights exist, the Password Sync agent looks for a "Host Names" entry in the HKLM\SOFTWARE\NOVELL\PwFilter key. If it is missing or is pointing to an incorrect host name (or sometimes if it has multiple host names), it will show the status"Installed". DNS problems with the entry may also cause the status to show "Installed".
6 - If the "Host Names" entry is correct, and the pwfilter.dll file is in place, the status will change to "Running".
- Note: If you choose to remove the filter in the Password Sync Applet, you must reboot the server where the filter was removed. This is so that the server will correctly clean up the PWFILTER entry in the Notification Packages line of the Lsa key. If a filter has been removed and re-added, always to a reboot of the server to make sure that any run-once commands are cleared out.
Note: If you receive a, Error reading registry (5), or An error was encountered while querying for the status of the filter. (5) Access is denied, error when trying to install the password sync filter, then when you launch the Identity Manager PassSync sync control applet, right click and make sure you Run as Administrator, when launching it. Additionally, make sure the following registry settings are correct.
- In HKLM\Software\Novell\PassSync is a REG_DWORD value named 'Driver Machine' with number 0 in it. On the server running the driver (engine or RL server) this value should be 1.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:3976631
- Creation Date:08-MAY-07
- Modified Date:25-NOV-15
- NetIQIdentity Manager
Did this document solve your problem? Provide Feedback