My operations team was tasked with implementing a single sign-on solution for several disparate authentication systems. I was personally tasked with developing a solution to:
- enforce a custom set of password complexity requirements within the Active Directory domains to ensure password compatibility between the multiple systems
- synchronize passwords between two Active Directory domains
- synchronize authentication metadata from the Active Directory domains, such as last password change, with a Sun Directory Server
After considerable research, and with help from my colleague, I developed a solution. Using the Windows Password Filter mechanism I was able to hook into the password change process for the two Active Directory domains. With this hook in place I was able to accomplish all three tasks noted above. The hook would allow me to access a plain-text copy of the password for enforcing custom complexity requirements. A plain-text copy of the password was also needed to push the password to the other Active Directory domain. This was accomplished using standard LDAP operations. Once the password was successfully “replicated” the authentication metadata would then be pushed to the Sun Directory Server using standard LDAP operations.
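To show the shape of the hook described above, here is an added example (not the author's code) of a password-filter DLL skeleton: a portable complexity check plus the three entry points the Windows LSA expects, with the Windows-only part compiled under `_WIN32`. The rule set (length 12 to 64, printable ASCII, mixed case plus a digit) is an assumed placeholder, not the author's actual compatibility rules.

```c
/* Password-filter skeleton: complexity check + LSA password-filter exports.
 * The rules below are an assumed placeholder, not the original solution's. */
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

#define MIN_LEN 12
#define MAX_LEN 64

/* Returns true if the candidate password satisfies the rules. Takes a
 * length-delimited wide string because LSA passes a UNICODE_STRING that is
 * not guaranteed to be NUL-terminated. */
bool password_is_compliant(const wchar_t *pw, size_t len)
{
    if (len < MIN_LEN || len > MAX_LEN)
        return false;
    bool upper = false, lower = false, digit = false;
    for (size_t i = 0; i < len; i++) {
        wchar_t c = pw[i];
        if (c < 0x20 || c > 0x7E)   /* printable ASCII only: safe for every directory */
            return false;
        if (c >= L'A' && c <= L'Z') upper = true;
        else if (c >= L'a' && c <= L'z') lower = true;
        else if (c >= L'0' && c <= L'9') digit = true;
    }
    return upper && lower && digit;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* Called once when LSA loads the DLL. */
__declspec(dllexport) BOOLEAN InitializeChangeNotify(void) { return TRUE; }

/* Veto hook: returning FALSE rejects the proposed password. */
__declspec(dllexport) BOOLEAN PasswordFilter(PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    return password_is_compliant(Password->Buffer, Password->Length / sizeof(WCHAR));
}

/* Post-commit hook: the point where the original solution pushed the new
 * password and metadata onward over LDAP. Runs inside LSASS, so the cleartext
 * must stay in memory only; left empty here. */
__declspec(dllexport) NTSTATUS PasswordChangeNotify(PUNICODE_STRING UserName,
    ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS */
}
#endif
```

On Windows the DLL is registered under the LSA `Notification Packages` registry value; on other platforms only the portable check compiles, which is what the test exercises.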
For additional details see the two attached screenshots below.