What determines the Status of the Filter in the IDM PassSync

  • 3976631
  • 08-May-2007
  • 26-Jan-2018

Environment

Novell Identity Manager Password Synchronization
Novell Identity Manager Driver- Active Directory Driver

Situation

The Identity Manager PassSync interface under the Control Panel can show several statuses. Installed, Not-Installed, Installed-Needs Reboot, Running, Outdated, and Unknown. Sometimes an error message will show.  How does it determine which one to show.

Resolution

To show the proper status, the IDM PassSync interface does a remote registry read from the machine where the driver runs. The registry read and other actions are done based on the rights of the logged in person doing the actions in the IDM PassSync interface.  Always make sure that the person checking the IDM PassSync interface in Control panel is logged into the server with Domain Admin rights.

It does the following checks:

1 - The remote registry read is done to the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It does a query of the value "Notification Packages". The query looks for the text "PWFILTER". If it is not there, or if the logged in user does not have rights to the remote registry, IDM shows the filter as "Not Installed". Once it is detected, it changes to Installed-Needs Reboot. The server must be rebooted at this point because changes to the Lsa key are only read at startup.

- Note: If after a reboot of the system, the filter still shows as Installed-Needs Reboot but PWFILTER exists, then there may be a rights issue to the registry key. Grant both the Authentication ID user (from the AD driver properties) and the user logged into the server, supervisor rights to the HKLM\SOFTWARE\NOVELL\PwFilter key and it's sub keys (the Data key).  Also, the user logged into the system must have file access rights to the system32 directory to copy in the files (pwfilter.dll and psevent.dll).  Finally, if it seems like it is stuck on Installed-Needs Reboot, then reboot the system, remove the filter in the Control Panel applet, then reboot again.  It should change to Not Installed.  Then add it back in the Control Panel applet to where it says Installed-Needs Reboot. Then do a final reboot of the system.

2 - If PWFILTER is there and the proper rights exist, the Password Sync agent looks for a "Host Names" entry in the HKLM\SOFTWARE\NOVELL\PwFilter key. If it is missing or is pointing to an incorrect host name (or sometimes if it has multiple host names), it will show the status"Installed". DNS problems with the entry may also cause the status to show "Installed".

3 - When you either install the remote loader locally on the domain controller, or install the password filter with the Password Sync Applet, the install should also copy a PWFILTER.DLL over to the <windir>\system32 directory. Sometimes the remote push fails to copy over the pwfilter.dll to system32. This is normally due to a lack of rights of the person logged in that is running the applet.   Verify that the PWFILTER.DLL and PSEVENT.DLL are in the <windir>\system32 directory.   If not, copy them over from the C:\Novell\IDM_PassSync\w32 or w64 directory on the remote loader server to the <windir>\system32 directory on the domain controller that is in a Installed-Needs Reboot state.

4 - If the PWFILTER.DLL file on a Domain controller is older than the PWFILTER.DLL file on the system running the remote loader, the status will be "Outdated"  Please update all the Domain Controllers with the latest PWFILTER.DLL.  After doing this make sure that the updated Domain Controllers have been rebooted.
 
5 - A status of "Unknown" will show up if the registry in the Domain Controller cannot be accessed or updated.  Clicking on the "Properties" tab for that Filter will give a message Access is denied.  Several things can cause this.  Under Services of the Domain Controller, the "Remote Registry" service must be started.  Another reason is where the user logged into the Remote Loader machine running the PassSync applet does not have rights to read or modify the registry on the other Domain Controller.

6 - If the "Host Names" entry is correct, and the pwfilter.dll file is in place, the status will change to "Running".

- Note: If you choose to remove the filter in the Password Sync Applet, you must reboot the server where the filter was removed. This is so that the server will correctly clean up the PWFILTER entry in the Notification Packages line of the Lsa key. If a filter has been removed and re-added, always to a reboot of the server to make sure that any run-once commands are cleared out.

- Note: If the filter seems to be stuck in an "Installed - Needs Reboot" state and all the above settings seem to be correct,  or if you are receiving a RPC error 0x00000005 error in the [PWD] remote loader trace, check to see if the following registry settings exist:  "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"  RestrictRemoteClients"=dword:00000001  and/or EnableAuthEpResolution"=dword:00000001.   With these registry settings in place RPC is restricted and will cause the filters to be stuck in a Needs Reboot state.  Disable or delete these registry settings.
This registry entry may also be 2 rather than one depending on how it was set.  To change it without going into the registry, go into Group Policy Editory (gpedit.msc) and choose Computer Configuration, Administrative Templates, System, Remote Proceedure Settings.  There is an option there called "Restrictions for Unathenticated RPC clients".  If the option is set to Enabled, Pwfilter will not work.

Note:  If you receive a, Error reading registry (5), or An error was encountered while querying for the status of the filter. (5) Access is denied, error when trying to install the password sync filter, then when you launch the Identity Manager PassSync sync control applet, right click and make sure you Run as Administrator, when launching it. Additionally, make sure the following registry settings are correct.
-  In HKLM\Software\Novell\PassSync is a REG_DWORD value named 'Driver Machine' with number 0 in it. On the server running the driver (engine or RL server) this value should be 1.
-  In HKLM\Software\Novell\PassSync\Data is a REG_MULTI_SZ value named'Domains' with the name of the domain with password synchronization enabled in DNS format. For example 'novell.com' (without quotation marks).
-  In HKLM\Software\Novell\PwFilter is a REG_MULTI_SZ value named'Host Names' (without quotation marks). The DNS name of the server running the driver should be entered in here. For example, 'domaincontroller0.novell.com' (without quotation marks)
 
Finally, there is a new PassSync troubleshooting tool available to generate logs showing more detail.  This utility started shipping with IDM 4.5 and is found on the IDM 4.5 ISO under products/IDM/windows/setup/utilities/PassSyncTroubleshootingTool