Password Filter


Without the password filter utility, the Cymmetri architecture allows one-way synchronization of passwords from Cymmetri to managed applications such as Active Directory. Active Directory passwords may therefore be updated once the user password is updated in Cymmetri.

However, to keep the user passwords in the Cymmetri database and in Active Directory synchronized, the Cymmetri database needs to receive a password change notification from Active Directory when the password is updated directly in Active Directory.

Active Directory provides a Password Filter mechanism that can intercept the password change request and make an API call to Cymmetri to update the password in the Cymmetri database as well.

Flow Description

  1. The Cymmetri Password Filter DLL is deployed in the Active Directory environment, and system variables (environment variables) are configured to allow the password filter to connect to the Cymmetri deployment.

  2. The Active Directory server needs to be restarted once the configuration is performed.

  3. When a user changes the password on a domain-connected computer using the Ctrl+Alt+Delete utility, or when the Active Directory administrator resets the user's password using Active Directory tools, the password filter is triggered.

  4. The password filter DLL receives the username and the plaintext password from Active Directory once the password change has been applied in Active Directory.

  5. The password filter DLL encrypts the password using RSA encryption with a public key and sends the encrypted password and the username to the Cymmetri deployment using a REST API call over HTTPS.

  6. The Cymmetri deployment receives the username and the encrypted password and decrypts the password using the private key.

  7. Once the password is decrypted, the Cymmetri deployment updates the password in the Cymmetri database for the given user.

  8. If the user is assigned multiple applications for provisioning, updating the user's password in the Cymmetri database triggers a password update for the user in the other provisioned applications. However, the Active Directory application does not receive this password update, to avoid loops.







Steps for deploying Password Filter DLL

  1. Download the DLL file (CPFv308.dll) and the public key file (public.pem).

  2. Place the CPFv308.dll file in the C:\Windows\System32 folder.

  3. Run regedit and go to the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  4. You should now see a page similar to this:

  5. Select the Notification Packages element and double-click it.

  6. Add the line “CPFv308” and click OK to save the registry entry.

  7. Exit the registry editor.

  8. Save the public.pem file to any directory and note the name of the directory. Example: C:\Users\Administrator\Desktop\public.pem

  9. To test the deployment, log in to the Cymmetri portal as an administrator and note the application ID of the Active Directory application configured for provisioning. Example: 69125912519fb123

  10. Also, create a new API client.

  11. Click on renew secret and note the bearer token generated.

      Example: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJOZXcgQVBJIENsaWVudCIsInRlbmFudCI6IjI3NyJ9.L_q7I4MFcZSFXetdSvzD7hxvfcSrUUaJEkwhUTfHgus

  12. Go to Control Panel > System > Advanced System Settings and click on environment variables.

  13. Add the following System variables.

    1. Key = CYMMETRI_APP_ID; Value = <application-id-of-active-directory>; Example = 6015991fdfeab12c

    2. Key = CYMMETRI_CLIENT_TOKEN; Value = Authorization: Bearer <token-from-api-client>; Example = Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJOZXcgQVBJIENsaWVudCIsInRlbmFudCI6IjI3NyJ9.L_q7I4MFcZSFXetdSvzD7hxvfcSrUUaJEkwhUTfHgus

    3. Key = CYMMETRI_ENDPOINT_URL; Value = <domain>/apiext/api/password/filter/updateUserPassword; Example =

    4. Key = CYMMETRI_PUBLIC_KEY_FILE; Value = <path of public.pem file>; Example = C:\Users\Administrator\Desktop\public.pem

  14. Save the environment variables.

  15. Create a folder named C:\passfilter_logs to store the logs.

  16. Restart the Active Directory server.
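
A read-only check of the deployment steps above, as an added PowerShell example (it is not part of Cymmetri's tooling). It uses only the file name, registry value, variable names and log folder given on this page; the HTTPS test assumes the endpoint value includes the scheme.

```powershell
# Added example: read-only check of the Password Filter deployment on the AD server.
# Run from an elevated PowerShell prompt. The bearer token itself is never printed.
$filterName = 'CPFv308'                      # DLL / registry entry name from this page
$r = [ordered]@{}

# The DLL must sit in System32 (step 2 of the deployment).
$dll = Join-Path $env:SystemRoot "System32\$filterName.dll"
$r.DllPresent = Test-Path -LiteralPath $dll
if ($r.DllPresent) {
    # Record what will run inside LSA so it can be compared with the downloaded copy.
    $r.DllSha256    = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    $r.DllSignature = (Get-AuthenticodeSignature -FilePath $dll).Status
}

# "Notification Packages" is a multi-string value; the entry carries no .dll suffix.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pkgs = @((Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).'Notification Packages')
$r.RegisteredInLsa = $pkgs -contains $filterName

# The four variables must exist at machine (System) scope, not user scope.
$cfg = @{}
foreach ($n in 'CYMMETRI_APP_ID','CYMMETRI_CLIENT_TOKEN','CYMMETRI_ENDPOINT_URL','CYMMETRI_PUBLIC_KEY_FILE') {
    $cfg[$n] = [Environment]::GetEnvironmentVariable($n, 'Machine')
    $r["${n}_Set"] = -not [string]::IsNullOrWhiteSpace($cfg[$n])
}

# The token value is expected to carry the "Authorization: Bearer " prefix, as in the example.
$r.TokenHasHeaderPrefix = [bool]($cfg.CYMMETRI_CLIENT_TOKEN -like 'Authorization: Bearer ?*')

# Endpoint must end in the documented path; the HTTPS test assumes the scheme is part of the value.
$url = [string]$cfg.CYMMETRI_ENDPOINT_URL
$r.EndpointPathOk  = $url.EndsWith('/apiext/api/password/filter/updateUserPassword')
$r.EndpointIsHttps = $url -like 'https://*'

# The public key file must exist and contain a PEM public key header.
$pem = $cfg.CYMMETRI_PUBLIC_KEY_FILE
$r.PublicKeyOk = [bool]($pem -and (Test-Path -LiteralPath $pem -PathType Leaf) -and
    (Select-String -LiteralPath $pem -Pattern 'BEGIN (RSA )?PUBLIC KEY' -Quiet))

# Log folder created in the deployment steps.
$r.LogFolderPresent = Test-Path -LiteralPath 'C:\passfilter_logs' -PathType Container

[pscustomobject]$r | Format-List
```

Because the filter receives plaintext passwords, keep the reported DllSha256 with the change record for the server so a later run can show whether the file has changed.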

Configuring Password Filter in Cymmetri

  1. Navigate to the Configuration Menu.

  2. Look for the Password Filter option in the Configuration Menu.

  3. Once on the page, click on the "+Add New" button.

  4. This opens the configuration page. You should find a toggle button to enable the Password Filter. Turn it on to enable the filter.

  5. Once the Password Filter is enabled, you'll need to choose the filter type. There are two options: "Include" and "Exclude."

    1. "Include" means that only the applications selected in the included applications dropdown will receive synced passwords and have their passwords changed correspondingly.

    2. "Exclude" means that all applications except the ones selected in the excluded applications dropdown will receive synced passwords and have their passwords changed correspondingly.

  6. Next, select the Filtered Application. This is usually the managed application where the password change has happened, which in this case is Active Directory.

  7. Next, determine which type of authenticator you want to use for password synchronization.

    • You typically have three options: Cymmetri Authenticator, AD (Active Directory) Authenticator, or LDAP (Lightweight Directory Access Protocol) Authenticator.

    • Choose the appropriate authenticator based on your requirements and configuration.

  8. After completing the above steps, make sure to save your configuration settings. Click on the "Save" button to save your changes.