
6/29/2010

Google Password Sync

Want to sync your Active Directory passwords to Google Apps? No problem.
There is a great tool in the Google Code repository: Hashing Password Filter.
It is a Windows password filter: whenever a user's password is changed, it computes a SHA-1 hash of the new password and writes it into an attribute on that user's AD object, where a sync tool can pick it up.


A couple of things need to happen:


1) You need to create an attribute to house the password hash for each user.
2) The password filter needs to be installed on all domain controllers, since any DC can process a password change; for testing you can start with one.
3) Password complexity requirements must be enabled in Group Policy.
  • Download the filter (32-bit and/or 64-bit builds, depending on your domain controllers).
  • Download the Google Data API (http://code.google.com/p/google-gdata/downloads/list).
  • Install the Google Data API on each domain controller.
  • Create the attribute “hashedPassword” (type: Case Sensitive String) with the AD Schema Editor.
  • You also need an X.500 OID for the new attribute. Use this tool to generate one (http://gallery.technet.microsoft.com/ScriptCenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06 ).
  • Keep in mind that a new attribute is readable by Authenticated Users by default, and this one holds an unsalted SHA-1 hash of the password, which can be cracked offline. Restrict who can read it (for example, by marking the attribute confidential with the 0x80 bit in searchFlags).
  • Once the attribute is created, copy “HashingPasswordFilter.dll” into C:\Windows.
  • Import the registry key, “HashingPasswordFilter.reg” (this is what registers the filter with LSA so that it is loaded on the next boot).
  • You also need an account the updater can use to write to the users in AD. We reused the account we already use for scripts; it needs the “Allow log on locally” and “Log on as a batch job” rights.
  • Edit the ini file with that account's login information and copy it to “C:\Documents and Settings\All Users\Application Data”. Since the file contains the account's credentials, make sure it is readable only by Administrators.
  • Copy “GoogleHashUpdater.exe” to the process path specified in “HashingPasswordFilter.ini”.
  • Edit Group Policy under Password Policy to make sure “Password must meet complexity requirements” is enabled (this is required; the filter is not called otherwise).
  • Reboot the domain controller.
  • Confirm the install worked by checking the log file “C:\Documents and Settings\All Users\Application Data\HashingPasswordFilter.log”.
  • You can also check System Information to make sure the module is loaded.
Once a user changes their password, the filter updates the “hashedPassword” attribute on that user. GoogleHashUpdater should then push the change to Google Apps as well, but we aren't using that yet; it still has a few bugs.
Currently we sync the passwords nightly instead. Our users log in through single sign-on (CAS by Jasig), so the Google password itself only matters for IMAP and mobile syncing at the moment.
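As an added example that is not part of the original post or of the Hashing Password Filter project, the following PowerShell script runs the verification steps above on a domain controller after the reboot: it checks that the filter is registered with LSA and loaded into lsass, that password complexity is enabled, that the schema attribute exists and whether it is marked confidential, who can read the ini file, and the tail of the log. It also compares the stored hash for a throwaway test account against a locally computed SHA-1. It assumes the DLL is registered under its base name HashingPasswordFilter, that the ini and log live in %ProgramData% (the newer name for All Users\Application Data), and that the attribute holds the lowercase hex SHA-1 of the UTF-8 password; adjust the constants at the top if your setup differs.

```powershell
# Added verification script (not from the Hashing Password Filter project).
# Assumptions (marked below): DLL registered as "HashingPasswordFilter" in LSA's
# Notification Packages; ini/log under %ProgramData%; attribute value is the
# lowercase hex SHA-1 of the UTF-8 password. Run elevated on a DC after reboot.

Import-Module ActiveDirectory

$FilterName    = 'HashingPasswordFilter'                                   # assumption
$AttributeName = 'hashedPassword'                                          # from the post
$IniPath       = Join-Path $env:ProgramData 'HashingPasswordFilter.ini'    # assumption
$LogPath       = Join-Path $env:ProgramData 'HashingPasswordFilter.log'    # assumption

function Test-FilterRegistered {
    # LSA loads the password filters listed in this REG_MULTI_SZ value at boot.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return [bool]($lsa.'Notification Packages' -contains $FilterName)
}

function Test-FilterLoaded {
    # Same check as "System Information > Loaded Modules" in the post.
    try {
        $mods = (Get-Process -Name lsass).Modules |
                Where-Object { $_.ModuleName -ieq "$FilterName.dll" }
        return [bool]$mods
    } catch { Write-Warning "Cannot inspect lsass modules: $_"; return $false }
}

function Test-ComplexityEnabled {
    # The filter's PasswordFilter routine is only invoked when this policy is on.
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)' |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return ($line -and $line.Matches[0].Groups[1].Value -eq '1')
}

function Get-HashAttributeInfo {
    # Looks the attribute up in the schema. Without the confidential bit (0x80
    # in searchFlags) every authenticated user can read the unsalted hash.
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
                         -Properties attributeSyntax, searchFlags
    if (-not $attr) { return $null }
    New-Object PSObject -Property @{
        Exists        = $true
        CaseSensitive = ($attr.attributeSyntax -eq '2.5.5.3')   # Case Sensitive String syntax OID
        Confidential  = (($attr.searchFlags -band 0x80) -ne 0)
    }
}

function Get-IniReaders {
    # Any principal besides Administrators/SYSTEM with access to the ini can
    # recover the sync account's credentials.
    (Get-Acl -Path $IniPath).Access |
        Where-Object { $_.IdentityReference -notmatch 'Administrators|SYSTEM' } |
        Select-Object IdentityReference, FileSystemRights
}

function Get-PasswordSha1Hex([string]$Password) {
    # Assumed encoding of the stored value: lowercase hex SHA-1 over UTF-8 bytes.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Test-HashedPassword([string]$SamAccountName, [string]$KnownPassword) {
    # Use only with a throwaway test account: the password is passed in the clear.
    $user   = Get-ADUser -Identity $SamAccountName -Properties $AttributeName
    $stored = [string]$user.$AttributeName
    return ($stored -ieq (Get-PasswordSha1Hex $KnownPassword))
}

"Registered in Notification Packages : $(Test-FilterRegistered)"
"Loaded in lsass                     : $(Test-FilterLoaded)"
"Password complexity enabled         : $(Test-ComplexityEnabled)"
"Schema attribute                    : $(Get-HashAttributeInfo | Out-String)"
"Non-admin readers of ini            : $(Get-IniReaders | Out-String)"
"Last log lines:"
Get-Content -Path $LogPath -ErrorAction SilentlyContinue | Select-Object -Last 5

# After resetting a test user's password (hypothetical account name and password):
# Test-HashedPassword -SamAccountName 'synctest' -KnownPassword 'Example-Test-Pw-1'
```

If Test-HashedPassword returns false while the log shows "Changed password for user", the stored encoding differs from the assumed hex SHA-1 (for example Base64 or uppercase hex), so check one stored value by hand before relying on this comparison.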


REMEMBER!!!
Install it on all domain controllers, or it won't work properly.

Google Forum Thread

7 comments:

  1. I know this is an old post, so I hope you'll indulge me.

    I have 2 Win2008 server Domain Controllers. I've installed all the gear as listed above. I go to change my password and receive the following message:

    [2011/11/02 20:00:44:748]:Write permission for user syncAppUser set
    [2011/11/02 20:00:44:919]:Changed password for user "dscott"

    Excellent.

    However, in my event log, I'm receiving:
    Faulting application GoogleHashUpdater.exe, version 1.0.0.0, time stamp 0x4c46e24a, faulting module KERNEL32.dll, version 6.0.6002.18449, time stamp 0x4da47b2f, exception code 0xe0434f4d, fault offset 0x00000000000170cd, process id 0x%9, application start time 0x%10.

    And - of course - my Google apps password was not updated.

    I see at the closing of your post that "we aren't using that yet, a few bugs still with that". Is this one of the bugs? Should I just invoke the Google Apps Sync?

  2. Mike - Can I contact you regarding a couple questions I have about this post? peter@nowjt.com

  3. @David

    I haven't really had any experience with the win2008 yet, but I heard of some registry config issues from another person. I leverage both the changes and the google apps sync to ensure the password is updated. Is it writing the hash properly in AD?

    @Peter

    I sent you an email.

  4. Mike,

    When using Google Apps Sync - I have an option to add a "Password Changed Time Attribute" (along with the hashedPassword). I can't simulate a sync without it. Did you add this attribute to AD?

  5. @David, I did not add "Password Changed Time Attribute", I don't remember seeing that. I'll check my GADS tomorrow

    @everyone
    Please see the new blog post:

    http://blog.mosheldon.com/2011/11/google-password-sync-windows-server.html

  6. Anyone ever see this series of errors for password change:


    [2011/11/20 02:08:55:260]:Setting write permission for user \\domain\accountName
    [2011/11/20 02:08:55:260]:LookupAccountName() failed. Error 1332

    [2011/11/20 02:08:55:260]:Unable to set write permission for user \\domain\accountName, the log could be incomplete from now on
    [2011/11/20 02:08:55:276]:Error during ldap_simple_bind: Invalid Credentials
    [2011/11/20 02:08:55:276]:Change failed for user "test6"

    When we extended the schema with the attribute to hold the changed password, we named it slightly differently than the recommended "hashedPassword” name - I wonder if that is involved?

    I am running this with accounts that are domain admins on the AD side and Google Apps side.

    Thanks.

  7. Two things here.

    One, it looks like you are either missing or don't have a user in the ini file for doing lookups in AD.

    Two, the DLL is compiled to use "hashedPassword". If you used something different, you'll need to recompile the source with the changed attribute or change your AD attribute.

    If you want you can email me the ini and i'll take a look at it.
