Note: A restart of the domain controller is necessary after the install.
- Copy the installer files to every domain controller that can process a password reset (every writable DC). A password filter only sees changes handled by the DC it is installed on, so a DC without the filter silently misses any reset that lands there.
- Right-click the installer exe and choose Run as administrator (use the 32-bit exe if the server is 32-bit).
This message displays:
Fresh Install
Welcome to MS Password Filter WebService Agent Installer
You can modify any of these values after installation by editing the ADConf.ini file.
==================================================================
AD Filter Target
Enter '1' if the AD Filter is local to the Identity Server
or '2' if the AD Filter is remote and can talk to the
Identity Server via the Global Identity Gateway:
- Select the AD Filter Target: enter 1 if the AD Filter is local to the Identity Server, or 2 if the AD Filter is remote and communicates with the Identity Server through the Global Identity Gateway (GIG).
- Enter 2
- When prompted for the Server Address of the IPM Web Server or of the GIG (depending on the AD Filter Target selected above), enter the host:port values as a comma-delimited list:
- Enter yourdomain.edu:443,gig.yourdomain.edu:443
- When prompted for the three character organizational code of the organization where the AD Filter is being installed, enter the code.
- Enter ABC
- When prompted to enable SSL, enter y if the Identity Server/GIG is configured for SSL, or n if it is not.
- Enter Y
Note: For SSL to work, the Root CA certificate that signed the SSL-enabled Identity Server/GIG certificates must be present in the Trusted Root Certification Authorities store of the Windows Server where the AD Password Sync Agent is installed; otherwise the agent cannot validate the server certificate and every password change request fails.
- When prompted for the name of the AD server, enter the name exactly as shown on the Identity Admin UI Connected Systems page for the Active Directory system. If the AD system is shared by multiple organizations and the system name differs for each, enter the names as a comma-delimited list.
- Enter "Active Directory"
- When prompted for the AD attribute that is mapped to the Account_ID column of the FISC_USER_ACCOUNT table, enter:
- 1 if the attribute is distinguishedName,
- 2 if the attribute is samAccountName,
- 3 if the attribute is userPrincipalName.
- Enter 3
- When prompted for the Audit Level, enter the level to log; the level used here is:
- INFO: audit both errors and informational messages.
- When prompted for the Total number of threads, enter the size of the thread pool to use to send password change requests to the Identity Server/GIG. A value of 10 is recommended. For high volume password resets on the domain controllers, set this to a maximum of 50.
- Enter 10
- When prompted for the Send request retry interval, enter the number of seconds to wait before retrying a failed password change request. The valid range is 0 to 300 seconds. A value of 15 seconds is recommended.
- Enter 15
- When prompted for the Send request retry count, enter the number of times to retry sending a failed password change request to the Identity Server/GIG. The valid range is 0 to 10. A value of 3 is recommended.
- Enter 3
- When prompted to Enter Service Account User Name, enter the service account the agent will run as, in the form DOMAIN\username.
- Enter the password of this account
- Re-enter the password of this account
Once the domain has been registered, test communication by opening Active Directory Users and Computers (ADUC) on the domain controller and resetting a test user's password. Then open Event Viewer and check Windows Logs > Application for an error from the agent indicating that it failed to communicate with the Identity Server/GIG.
Additional Note: After the restart it is recommended to open the agent's service in Services and set its startup type to Automatic (Delayed Start), because the service logs on with a domain account and the domain may not be reachable immediately after boot.
*NOTE: If the GIG certificates are signed by Fischer, the Fischer Root CA certificate must be imported into the Trusted Root Certification Authorities store on each server where the AD Password Filter is installed. The default location for the Fischer Root CA certificate is the "C:\FischerInstalls\Certs\" folder, in a file named "fica2 PublicRoot.cer". If you cannot find it there, contact Fischer.
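The following PowerShell is an added example for the post-install checks described above (the ADUC reset test, the Application log check and the delayed-start setting); it is not part of the Fischer install guide or the product. The service name and the test account name are placeholders, not values from this page, and the script assumes the ActiveDirectory module is present on the DC (it is wherever the AD DS role or RSAT AD tools are installed). Run it in an elevated PowerShell session on each domain controller.

```powershell
# Added example, not Fischer's code. Placeholders: replace with the real
# service name (the short name shown by Get-Service, not the display name)
# and a throwaway test account. Never test with a privileged account.
$ServiceName = 'FischerADPasswordFilter'   # placeholder (assumption)
$TestUser    = 'pwfilter.test'             # placeholder (assumption)

Import-Module ActiveDirectory

# 1. Confirm a password filter is registered with LSA. Filters load from the
#    Notification Packages value; a DLL not listed here never sees a password
#    change. The page does not name the Fischer DLL, so just confirm its entry
#    appears alongside the Windows default 'scecli'.
$lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Notification Packages'
"Notification Packages: $($lsa.'Notification Packages' -join ', ')"

# 2. Set Automatic (Delayed Start). Windows PowerShell 5.1's Set-Service has no
#    delayed-start value, so use sc.exe (the space after 'start=' is required).
sc.exe config "$ServiceName" start= delayed-auto | Out-Null
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType

# 3. Trigger a password reset on the test account, the equivalent of the ADUC
#    reset. Record the time first so the log query below covers only this test.
$since = Get-Date
$newPw = Read-Host -AsSecureString -Prompt "New password for $TestUser"
Set-ADAccountPassword -Identity $TestUser -Reset -NewPassword $newPw

# 4. Look for critical/error/warning events in the Application log since the
#    reset. With -ErrorAction SilentlyContinue an empty result (no agent errors)
#    produces no output instead of a "No events were found" error.
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since; Level = 1,2,3 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```

If step 4 shows a communication failure, the usual causes are the ones the installer prompts cover: a wrong host:port for the Identity Server/GIG, an untrusted server certificate, or a service account that cannot log on.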
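The following PowerShell is an added example, not Fischer's code, for the two SSL notes above: it imports the Root CA into the machine's Trusted Root Certification Authorities store and then confirms that a TLS connection to each configured target validates against that store, which is the check the agent's HTTPS client performs. It assumes the default certificate path from the note above and the example host names used earlier in this guide; adjust both for your environment. Run it in an elevated PowerShell session on each DC where the filter is installed.

```powershell
# Added example (assumptions: default Fischer cert path and the guide's example
# host names). Trusting a root CA is a high-impact change for the whole machine:
# every TLS client on the DC will accept anything chained to it, so confirm the
# subject and thumbprint with Fischer out of band before importing.
$CertPath = 'C:\FischerInstalls\Certs\fica2 PublicRoot.cer'
$Targets  = @('yourdomain.edu:443', 'gig.yourdomain.edu:443')

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Root CA file not found at '$CertPath'; obtain it from Fischer before continuing."
}

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject    : $($root.Subject)"
"Thumbprint : $($root.Thumbprint)"
"Not after  : $($root.NotAfter)"

# Import into LocalMachine\Root (Trusted Root Certification Authorities) once.
$already = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
if ($already) {
    "Root CA already present in LocalMachine\Root."
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported root CA into LocalMachine\Root."
}

# Open a TLS connection and let Windows validate the chain and host name against
# the machine store, the same validation the agent relies on. A failure here
# means the agent will fail too, whatever the installer's SSL answer was.
function Test-TlsChain {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: default chain + host name checks apply.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{
            Target   = "${HostName}:$Port"
            Issuer   = $leaf.Issuer
            Expires  = $leaf.NotAfter
            Protocol = $ssl.SslProtocol
            ChainOK  = $true
            Error    = $null
        }
    } catch {
        # Covers both chain/host-name validation failures and connection errors.
        [pscustomobject]@{
            Target   = "${HostName}:$Port"
            Issuer   = $null
            Expires  = $null
            Protocol = $null
            ChainOK  = $false
            Error    = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

foreach ($t in $Targets) {
    $h, $p = $t -split ':'
    Test-TlsChain -HostName $h -Port ([int]$p)
}
```

A ChainOK of $false with an error mentioning the remote certificate means the presented chain does not reach a root this server trusts (wrong or missing Root CA, or a server certificate issued by a different CA); an error mentioning the host name means the certificate's name does not match the address you configured in the installer.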