HyperSync Panel supports Password Synchronization between directories. In most cases, passwords are sourced from Active Directory during a password reset. Password Synchronization is architected to meet the following requirements:
- Strongly encrypted passwords end-to-end
- Highly available solution so passwords are not dropped, e.g. during patching
- Passwords not transmitted to the hosted Identity Panel web application
- Support for multi-directional synchronization scenarios (multi-mastery allows passwords to be reset from any domain)
- Cross-forest synchronization without requiring domain trust relationships
- Scoped source and target filtering rules, e.g. to protect high importance accounts
- Ability to write passwords to disabled account targets (e.g. if the target has been disabled for dormancy reasons)
Password Sync Pre-Requisites
SoftwareIDMs Password Filter has the following pre-requisites:
- Microsoft .Net Framework 4.8.X must be installed on the domain controller.
Password Sync Components
SoftwareIDM's Password Sync solution has the following components:
- Identity Panel providers identifying password sources (typically Active Directory Providers) and targets (may be a range of directory types, but AD is most common)
- (optional) Filter rules indicating which source and target accounts are in-scope for synchronization
- Identity Panel Join Rules linking accounts together to associate the same user in different directories
- Active Directory Password Filter dlls to be installed on all domain controllers (called
SoftwareIDMPasswordFilter.dllandSoftwareIDM.PasswordSync.dll) Configuration file to be placed on all domain controllers (called
SoftwareIDMPasswordSyncConfig.json) identifying a priority list for which Panel Services should receive passwords. The content of this file is created automatically on deployment, and conforms to the following construct:{ "myPanelServer1.mydomain.com": "https://myPanelServer1.mydomain.com:443", "myPanelServer2.mydomain.com": "https://myPanelServer2.mydomain.com:443", ... }- Panel Service embedded web-service that listens on HTTPS for password requests from a domain controller and writes the password to target domains and directories.
Password Data Flow
When a user resets their password, or a password is otherwise received by a domain (e.g. from AADC password writeback when a user resets their password in Microsoft Entra) the following process occurs:

- The Domain Controller passes the password through each installed password filter dll.
- The SoftwareIDM Password Filter goes through a priority list of Panel Service recipients and attempts to transmit the password to a Panel Service listener. After successful transmission, the Password Filter returns a success status.
- On receiving a password and validating the transmitter is a trusted domain controller, Panel Service:
- Hashes the password and username to perform a lookup in a list of all passwords synchronized within the last five minutes (this allows loop detection/breaking to enable password multi-mastery).
- Sends the username and source domain to the Identity Panel web application to query for a list of valid required password targets.
- Uses provider settings to connect to each target and write out the password.
- Logs history tracking details to Identity Panel.
High Availability
To achieve high availability, an installation must include at least two, and preferably three, Panel Service instances as a target for each domain controller.
Cross-Forest
Domain controllers use integrated windows authentication to connect to Panel Service, and Panel Service must validate that the caller is a trusted domain controller. For this reason, Panel Services must be installed either in the same forest or in a forest with a full transitive trust as the calling domain controller.
Because Panel Services may connect to a target domain with explicit credentials, it is not necessary that the target domain trust the domain where Panel Service is installed.
Full untrusted, cross-forest, multi-directional password synchronization can be achieved by installing a set of Panel Services within each set of mutually trusting AD forests.
Comments
0 comments
Please sign in to leave a comment.