11/15/2011

Google Password Sync: Windows Server 2008

Alright! I finally sat down and worked out what issues people were having with running the GoogleHashUpdater on Windows Server 2008.

My Current Test Setup: 
Windows Server 2008 R2 64bit 
Hashing Password Filter RC4 64bit
Google Data API 1.4.0.2 <--- Very Important!!!

1) You need to create an attribute field to house the password hash for the user
2) The password filter needs to be installed on all Domain controllers, but can be installed on one to test with.
3) Complex passwords need to be enabled in the Group Policy

  • Download the filter (see above)
  • Download the Google Data API (see above)
  • Install the Google Data API on each domain controller
  • Copy the following files from the Google Data API installation folder "C:\Program Files (x86)" to "C:\Windows" of each domain controller:
    • Google.GData.Apps.dll
    • Google.GData.Client.dll
    • Google.GData.Extensions.dll
  • Create the attribute “hashedPassword” (type: Case Sensitive String) with AD Schema Editor
  • You also need to create an x500 OID. Use this tool to work out an OID (http://gallery.technet.microsoft.com/ScriptCenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06 )
    • Copy the script
    • Open Notepad, Paste
    • Save as oid.vbs
    • Run oid.vbs
    • The prompt gives the base OID and explains how to append a number for an attribute
  • Once the attribute is created copy “HashingPasswordFilter.dll” into C:\Windows
  • Import the registry key, “HashingPasswordFilter.reg”
  • Enable Logging for Debugging
    • HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Fusion
      • DWORD "EnableLog" = 1
  • You also need an account that updates the users in AD (we reused the account our scripts already run as); it needs the "Allow log on locally" and "Log on as a batch job" user rights.
  • Edit the ini file with the login information, copy it to “C:\ProgramData”, and make sure it is readable only by administrators
  • Copy “GoogleHashUpdater.exe” to the process path specified in “HashingPasswordFilter.ini”
  • Edit Group Policy under password policies to make sure Complex Passwords are enabled (this is required)
  • Reboot Controller.
  • You can confirm the install worked by checking the log file “C:\ProgramData\HashingPasswordFilter.log”
  • You can also check System Information to make sure the module is loaded.
  • You can open a command prompt and run "GoogleHashUpdater.exe" to confirm it's working. If it crashes, make sure you have logging enabled. Once you close the crash dialog, it prints an error saying what is missing or failing.
Once a user changes their password, the filter updates the “hashedPassword” attribute for that user, and the GoogleHashUpdater should push the update to the Google user as well. (We aren’t using that part yet; it still has a few bugs.)
Currently we sync passwords nightly. Users log in via single sign-on (CAS by Jasig), so the synced passwords aren’t too important at the moment; they only matter for IMAP and mobile syncing.
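The following PowerShell script is an added example, not part of the original post; it checks the prerequisites from the list above on a domain controller. It assumes the ini and log files live in %ProgramData% as described, and that the post's .reg file registers the filter under the LSA "Notification Packages" value (the mechanism Windows uses to load password filters); the `Check` helper and variable names are my own.

```powershell
# Added example (not from the original post): verify HashingPasswordFilter prerequisites on a DC.
# Assumes the .reg file adds "HashingPasswordFilter" to LSA Notification Packages and that the
# ini/log files are in %ProgramData%, as the post describes.
Import-Module ActiveDirectory
$Win = $env:SystemRoot
$Ini = Join-Path $env:ProgramData 'HashingPasswordFilter.ini'
$Log = Join-Path $env:ProgramData 'HashingPasswordFilter.log'
$Results = @()
function Check([string]$Name, [bool]$Ok, $Detail) {
    $script:Results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = "$Detail" }
}
# 1) Filter DLL and the three Google Data API assemblies must be in C:\Windows
foreach ($f in 'HashingPasswordFilter.dll', 'Google.GData.Apps.dll',
               'Google.GData.Client.dll', 'Google.GData.Extensions.dll') {
    Check "$f present in $Win" (Test-Path (Join-Path $Win $f)) ''
}
# 2) Registry: filter registered with LSA (assumed to be what the .reg file does), Fusion log on
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Check 'Filter in LSA Notification Packages' ($lsa.'Notification Packages' -contains 'HashingPasswordFilter') ($lsa.'Notification Packages' -join ',')
$fusion = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Fusion' -ErrorAction SilentlyContinue
Check 'Fusion EnableLog = 1' ($fusion.EnableLog -eq 1) $fusion.EnableLog
# 3) Schema: attribute exists as Case Sensitive String (AD syntax OID 2.5.5.3) and the user
#    class may contain it; without the class link, writes fail with "Object Class Violation"
$schema = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schema -Properties attributeSyntax -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=hashedPassword))'
Check 'hashedPassword attribute exists, Case Sensitive String' ($attr.attributeSyntax -eq '2.5.5.3') $attr.attributeSyntax
$user = Get-ADObject -SearchBase $schema -Properties mayContain -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))'
Check 'hashedPassword in user class mayContain' ($user.mayContain -contains 'hashedPassword') ''
# 4) Password complexity must be enabled in the domain policy
Check 'Password complexity enabled' ((Get-ADDefaultDomainPasswordPolicy).ComplexityEnabled) ''
# 5) The ini holds the sync account's credentials: only Administrators and SYSTEM
#    (the filter runs inside LSASS) should have access
if (Test-Path $Ini) {
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $extra = @((Get-Acl $Ini).Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value })
    Check 'ini ACL limited to Administrators/SYSTEM' ($extra.Count -eq 0) (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ',')
} else { Check 'ini file present' $false $Ini }
# 6) Log: confirm the filter initialised and surface any failed updates
if (Test-Path $Log) {
    $lines = Get-Content $Log
    Check 'Filter initialized per log' (@($lines | Select-String 'HashingPasswordFilter initialized').Count -gt 0) ''
    $fails = @($lines | Select-String 'Error during|Change failed')
    Check 'No failed updates in log' ($fails.Count -eq 0) (($fails | Select-Object -Last 3) -join '; ')
} else { Check 'Log file present' $false $Log }
$Results | Format-Table Check, Ok, Detail -AutoSize
```

Run it in an elevated PowerShell on each domain controller after the reboot; every row should show Ok = True before you test a password reset.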


REMEMBER!!!
Install on all Domain Controllers or it won’t work properly.


I hope this helps those who have been contacting me. I'm glad the solution was an easy fix. Let me know if you have any more questions.

13 comments:

  1. Mike, a couple comments:

    1) THANKS FOR TRACKING THIS DOWN AND POSTING IT.

    2) I don't see you mention the x64 .dll to place anywhere. I put both the GoogleHashUpdater.exe and GoogleHashUpdater.dll in the C:\ProgramData directory.
    INI line reads => processPath=C:\programdata\GoogleHashUpdater.exe

    3) I have no API libraries installed in the \windows\assembly folder. These are now \windows

    Here are the last few lines from the HashingPasswordFilter.log following a restart.

    Here's log entries from one 08 DC the other one I tested this on still is not starting (no log file?)

    ------------------------------------------
    [2011/11/11 01:15:11:546]:Starting HashingPasswordFilter
    [2011/11/11 01:15:11:546]:HashingPasswordFilter initialized
    [2011/11/11 01:47:45:921]:Starting HashingPasswordFilter
    [2011/11/11 01:47:45:953]:HashingPasswordFilter initialized
    [2011/11/17 05:44:57:828]:Starting HashingPasswordFilter
    [2011/11/17 05:44:57:859]:HashingPasswordFilter initialized
    ---------------------------------------

    thanks again.

  2. I'm using the x64 HashingPasswordFilter.dll in the tutorial

    1) No problem.

    2) Copy “HashingPasswordFilter.dll” into C:\Windows
    If your processPath is C:\Program Data\GoogleHashUpdater.exe, then "GoogleHashUpdater.exe" should be in C:\Program Data

    3) API Libraries should be placed in C:\Windows as you stated

    According to the log you provided, the dll is loaded and running. Did you try to reset a user password? Once you reset a password it should come back with "Reset password for *username*", then some Google Update entry.

  3. Sorry to be a hassle on this one - You're referencing \Program Data in the INI and C:\ path.

    I only find %SystemDrive%\ProgramData (NO SPACE)

    As a result, I am using the \ProgramData VS. \Program Data in my INI.

    Do you concur that there should be no SPACE in \ProgramData?

  4. %SystemDrive%\ProgramData <-- This is correct, I'll correct my post.

    So no SPACE is correct

  5. Mike,

    I see you have "very important" next to the Google Data API 1.4.0.2 api. I had already downloaded and installed 1.9.0.0. Are you saying this won't work with the 1.9 release?

  6. In my initial test, 1.9 would not work. If you use 1.4.0.2 the updater works properly.

  7. I'm at the point where the hashedPassword DLL is creating hashes and inserting them into the hashedPassword attribute for my users, but the Google Apps API is failing (even after downgrading to 1.4.0.2). I've taken a look at the credentials for the Google Apps admin in my hashedpassword ini, and it has the ability to manage my domain. Any ideas where to look?

  8. Enable Debugging

    Enable Logging for Debugging

    HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Fusion
    DWORD "EnableLog" = 1


    Open the Command Prompt, drag the Updater executable into the CMD window, press enter. Close the crash window, and the CMD should show an error.

  9. Mike,

    Just a follow up - turns out my problem on Google Apps Updater was an incorrect google domain in my INI file. I never could get the trick of dragging the updater to the cmd window to work. But I did figure it out, nonetheless. Works great.

  10. Mike,
    Great post. Is there anything else you need to do with the hashedPassword attribute?
    Do you need to check "Index this Attribute" or "Replicate this attribute to the Global Catalog"?

  11. The only thing I have checked is "Attribute is active". I do not have "Index this Attribute" or "Replicate this attribute" checked.

  12. Mike, do you know what would cause this error?

    [2012/03/26 20:18:24:734]:Starting HashingPasswordFilter
    [2012/03/26 20:18:24:750]:HashingPasswordFilter initialized
    [2012/03/26 20:21:44:718]:Setting write permission for user syncAppUser@sau3.org
    [2012/03/26 20:21:44:781]:Write permission for user syncAppUser@sau3.org set
    [2012/03/26 20:21:44:812]:Error during the modification of the entry with dn= CN=Test User,OU=Teachers,DC=sau3,DC=org: Object Class Violation
    [2012/03/26 20:21:44:812]:Change failed for user "tuser"

    It happens on 32 and 64 bit DCs, all set up the same way you have in your article...

    1. Self-solved. I forgot to add the hashedPassword attribute to the user class. This is done through Active Directory Schema Editor. You go to classes, select 'user' go to Attributes, hit Add..., and select hashedPassword.

      Yay!