000022101 - How does the Domain Agent Host get hold of the password on Microsoft Active Directory password resets?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022101

Applies To: RSA Authentication Manager 6.0.2; Microsoft Windows Server 2003

Issue: How does the Domain Agent Host get hold of the password on Microsoft Active Directory password resets?
Microsoft Active Directory password reset not picked up by Domain Agent Host.
Password is saved to the ACE Server database when prompted after a successful domain Windows login authentication.
Domain Agent Host fails to capture a password reset performed on a hardened Domain Controller, and the password is not stored in the ACE database.
Cause: The DAH (Domain Agent Host) catches password changes made by the user, as well as administrative resets, and stores the new password in the ACE database. It does this via a password filter, a standard Windows API documented at the following URL:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/password_filters.asp

A hardened DC does not catch the password changes if the password filter is not registered properly. Government Standard Hardening includes measures to "Prevent introduction of trojanised FPNWCLNT.DLL" (Para 3.4.16); see also the Microsoft article "Security Issues That May Occur Due to the Way Windows NT Handles FPNWCLNT.DLL". Part of a hardening script could be deleting the appropriate registry value (Notification Packages under the Lsa key, which is where password filter DLLs are registered) and making sure it cannot be re-created. An example of how this would have been achieved is:

    echo y|reg delete "system\currentcontrolset\control\Lsa\Notification Packages"
    reg add "system\currentcontrolset\control\Lsa\Notification Packages"="" REG_MULTI_SZ


This only affects entries that already exist before the hardening script is run. If there are further hardening measures that restrict write permissions on this value, then the RSA password filter cannot be registered properly.
Resolution: The following registry value (type REG_MULTI_SZ) must contain the entry shown for password resets to be picked up:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages = "rsapwdfilt"

If the hardening script is run after the Domain Agent Host is installed, then the registration of rsapwdfilt.dll may be erased. If the DAH is installed after the script is run, it should work. If it does not, check what is entered under that value. The agent trace log should show whether the Local Security Authority (LSA) has loaded the filter at all.
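The following PowerShell script is an added example for checking the registration described above; it is not part of this RSA article and not RSA's own tooling. It reads the Notification Packages value, reports whether rsapwdfilt is listed, and optionally appends it without overwriting other packages already registered there. It assumes the filter DLL is rsapwdfilt.dll in %SystemRoot%\System32 (the directory LSA loads password filters from) and that the script runs elevated on the domain controller; the -Repair switch is this example's own parameter.

```powershell
# Added example (not from the RSA article): verify, and optionally repair, the
# registration of the RSA password filter in LSA's Notification Packages value.
# Assumes: filter DLL is rsapwdfilt.dll in %SystemRoot%\System32; run as admin on the DC.
param([switch]$Repair)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'Notification Packages'
$filter  = 'rsapwdfilt'    # entries are DLL base names, no ".dll" suffix

# Notification Packages is REG_MULTI_SZ: one DLL base name per entry.
# Empty strings (as left behind by the hardening script) and a missing value are both treated as "nothing registered".
$prop     = Get-ItemProperty -Path $lsaKey -Name $valName -ErrorAction SilentlyContinue
$packages = @($prop.$valName | Where-Object { $_ })
Write-Host ("Current '{0}' entries: {1}" -f $valName, ($packages -join ', '))

$registered = @($packages | Where-Object { $_ -ieq $filter }).Count -gt 0
$dllPath    = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $filter)
$dllPresent = Test-Path $dllPath

if ($registered) {
    Write-Host "OK: '$filter' is listed in $valName."
} else {
    Write-Warning "'$filter' is NOT listed in $valName; LSA will not load the RSA password filter."
}

if ($dllPresent) {
    Write-Host "OK: $dllPath exists."
} else {
    Write-Warning "$dllPath not found; the registry entry alone is not enough, LSA needs the DLL in System32."
}

if ($Repair -and -not $registered) {
    # Append rather than replace, so any other packages the hardening baseline allows are kept.
    $newValue = @($packages) + $filter
    try {
        Set-ItemProperty -Path $lsaKey -Name $valName -Value $newValue -Type MultiString -ErrorAction Stop
        Write-Host "Added '$filter' to $valName. LSA reads this value at startup, so reboot the DC before re-testing."
    } catch {
        # Typical cause on a hardened DC: write permissions on the Lsa key were restricted.
        Write-Warning "Could not write $valName ($($_.Exception.Message)). Check the key's ACL with: Get-Acl '$lsaKey' | Format-List"
    }
}
```

Run it without switches first to see what the hardening script left behind; a listing that contains only other packages, or nothing at all, matches the symptom in this article. After a successful -Repair and reboot, the agent trace log is still the authoritative confirmation that LSA actually loaded the filter.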
Legacy Article ID: a26832
