Password

The password interface is similar to the export interface, but it has more methods to implement. This interface is used when PCNS synchronizes passwords to directories or when called directly through the WMI interfaces.

If your connected directory does not store its own passwords, then you should not implement this interface. It is only relevant when your directory stores a copy of the user's password.

Open and Close password connection

These are similar to the open and close methods for import and export. One key difference is that the sync engine keeps the connection open for a while in case another password is received. When a password is received, the open connection method is called, but after the password has been set in the target the sync engine does not call close immediately. Instead, it keeps the connection open, and when another password is received it calls set password without doing an open first. Only if it has not received another password for a while does it call the close connection method.

For very large environments and some systems, reusing a connection improves performance significantly. In fact, this behavior was introduced for the Generic WebService connector and password sync to SAP. For very large customers (100,000 and more users), SAP was not able to keep up when the connection was opened and closed for every password.

For this reason, you should not try to implement the open/set/close logic in a single method.

If there is a problem establishing the connection, an exception should be thrown.

Sub OpenPasswordConnection(configParameters, partition)

Sub ClosePasswordConnection()

Set and change password

These two methods are used to actually set the password in the target system.

Sub SetPassword(csentry, newPassword, options)

Sub ChangePassword(csentry, oldPassword, newPassword)

Set password is the method used most often. It is the method PCNS calls when a password should be synchronized to another system.

Change password is not used by anything delivered from Microsoft. It is exposed through WMI, and you would have to create your own solution if you want to use it. In MIIS2003 there was a sample web portal that used this method to let a user change passwords in different target directories whose password policies differed, so PCNS couldn't be used. Requiring users to remember different passwords for different systems is quite uncommon today, and I have not seen this method used in real life for a very long time.

An options value can also be passed in. The possible values are:

  • None
  • ForceChangeAtLogOn
  • UnlockAccount
  • ValidatePassword

These can be passed in on the WMI interface. The main reason they exist is that the ADMA uses them. The FIM/MIM SSPR (self-service password reset) portal sets the password through this interface on the built-in ADMA, with UnlockAccount and ValidatePassword set.

These options are supposed to implement the following logic:

  • ForceChangeAtLogOn The user must change the password at first sign-in. When an administrator has set the password, this is set so the user is forced to change it.
  • UnlockAccount If the account in the target directory is locked out due to many failed password attempts, then also unlock the account when the password is reset.
  • ValidatePassword In AD, when an administrator sets a new password, password history and some of the password policies are ignored. When this option is set, the connector should treat the password operation as if it were an end-user request (think of SSPR), and the password policy should be enforced. Otherwise, SSPR could be a way around the requirement to change to a new password periodically.

If there is a problem setting the password, then you should throw an exception. There are several built-in exceptions to use for this situation:

  • AccessDeniedException
  • BadServerCredentialsException
  • DroppedConnectionException
  • OldPasswordIncorrectException (for change password)
  • PasswordExtensionException
  • PasswordIllFormedException
  • PasswordPolicyViolationException

Password security level

This method should return either Secure or NotSecure to indicate whether the password is transported over an encrypted channel to the target directory.

Function GetConnectionSecurityLevel() As ConnectionSecurityLevel

This setting works together with the password management setting on the configure extension page. By default, unless you report that your connection is secure, your connector does not receive any passwords from PCNS.
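The following is an added example (not code from the original page or from any Microsoft connector) of how the open/close reuse, the set/change methods with their options, and the security level described above fit together in a C# ECMA2 connector. The IMAPasswordManagement signatures, PasswordOptions values, ConnectionSecurityLevel values and exception types are those of the Microsoft.MetadirectoryServices framework; IDirectoryClient, DirectoryClientFactory, PolicyException, BindFailedException and the "Server"/"UseTls" configuration parameters are hypothetical stand-ins for whatever API the connected directory exposes.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Security;
using Microsoft.MetadirectoryServices;

// Hypothetical client for the connected directory; stands in for the real target API.
public interface IDirectoryClient : IDisposable
{
    bool IsConnected { get; }
    void ResetPassword(string dn, SecureString pwd, bool enforcePolicy, bool unlock, bool mustChange);
    void ChangePassword(string dn, SecureString oldPwd, SecureString newPwd);
}

public partial class SampleConnector : IMAPasswordManagement
{
    private IDirectoryClient _client;  // reused across passwords until the engine calls Close
    private bool _useTls;              // from the hypothetical "UseTls" config parameter
    public void OpenPasswordConnection(KeyedCollection<string, ConfigParameter> configParameters, Partition partition)
    {
        // Connect once; the sync engine calls SetPassword repeatedly before it calls Close.
        _useTls = configParameters["UseTls"].Value == "1";
        _client = DirectoryClientFactory.Connect(configParameters["Server"].Value, _useTls); // hypothetical
        if (!_client.IsConnected) throw new BadServerCredentialsException("Bind to target failed");
    }
    public void ClosePasswordConnection() { _client?.Dispose(); _client = null; }
    public void SetPassword(CSEntry csentry, SecureString newPassword, PasswordOptions options)
    {
        EnsureConnected();
        // ValidatePassword: treat the reset as an end-user change and enforce the target's policy.
        bool enforcePolicy = options.HasFlag(PasswordOptions.ValidatePassword);
        bool unlock = options.HasFlag(PasswordOptions.UnlockAccount);
        bool mustChange = options.HasFlag(PasswordOptions.ForceChangeAtLogOn);
        try { _client.ResetPassword(csentry.DN.ToString(), newPassword, enforcePolicy, unlock, mustChange); }
        catch (PolicyException e) { throw new PasswordPolicyViolationException(e.Message); } // hypothetical type
    }
    public void ChangePassword(CSEntry csentry, SecureString oldPassword, SecureString newPassword)
    {
        EnsureConnected();
        try { _client.ChangePassword(csentry.DN.ToString(), oldPassword, newPassword); }
        catch (BindFailedException e) { throw new OldPasswordIncorrectException(e.Message); } // hypothetical type
    }
    // Unless the transport is encrypted, report NotSecure so the engine withholds passwords.
    public ConnectionSecurityLevel GetConnectionSecurityLevel()
        => _useTls ? ConnectionSecurityLevel.Secure : ConnectionSecurityLevel.NotSecure;
    private void EnsureConnected()
    {
        if (_client == null || !_client.IsConnected) throw new DroppedConnectionException("Connection lost");
    }
}
```

Note that the connection check and the mapping of failures to the built-in exception types are what let the sync engine retry or report the password operation correctly, rather than silently treating a dropped connection as success.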

Require secure connection