
active directory - Deal with complex password requirements in Windows/AD/RACF environment - Stack Overflow


We use Windows laptops with Active Directory as the leading system, but also RACF / Mainframe, which retrieves the password from AD. The user should change the password in Windows using the "default" way with CTRL + ALT + DEL > "change password". Unfortunately, we see a few challenges we cannot solve:

  1. How to show the user the password requirements that need to be fulfilled on the Change Password screen? Most modern websites can do this, but it seems Windows can't. We only found a workaround via a message that would also be shown on the lock screen, which is not an option due to various security considerations.
  2. RACF has different requirements than AD, e.g. it does not support some special characters, the same character cannot appear 3 or more times in a row, etc. It seems AD policies cannot be configured at such a detailed level, so users would always be able to set a password in AD that they later cannot use on RACF. We did not find an option for AD to define a password policy that would also be in line with RACF.

Since AD & RACF are both widely used systems, I would hope that somebody else has smart solutions for this. I am neither an AD nor a RACF expert, but I need to find a solution, since our experts say there is no solution for this :-)

asked Jan 20 at 13:23 by user3921232

2 Answers

This is a common challenge when integrating AD with systems like RACF that have stricter password policies. Here’s a step-by-step approach to solve both issues:


1. Enforce RACF Password Policies in AD

To ensure passwords set in AD comply with RACF rules, you can use a custom password filter:

  • Custom Password Filter DLL:
    Develop a custom password filter for AD that enforces RACF-specific rules (e.g., no repeating characters, restricted special characters). Microsoft provides a sample password filter to help you get started.

    • How it works: The filter intercepts password changes and validates them against RACF rules before allowing them in AD.
    • Example: Block passwords like Password!!! or AAAbbb123 if RACF disallows repeating characters or specific special characters.
  • Deployment:
    Deploy the DLL to all domain controllers and register it in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.


2. Communicate Password Requirements to Users

Since Windows doesn’t natively display password requirements on the change password screen, you can use these workarounds:

  • Training and Documentation:
    Regularly train users on password requirements via emails, intranet portals, or onboarding materials. Include a link to a detailed guide.

  • Group Policy (GPO) for Pre-Logon Messages:
    Use Group Policy to display a message at logon (e.g., "Passwords must not include 3+ repeating characters. Details: intranet.example.com/password-rules").

    • GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon: Message text.
  • Custom Credential Provider (Advanced):
    Develop a lightweight Credential Provider to display password rules on the Windows password change screen. This requires coding but provides real-time feedback.

  • Third-Party Tools:
    Use tools like Specops Password Policy or Netwrix Password Secure to enhance password change notifications and enforce custom rules.


3. Synchronization and Validation Workflow

To ensure passwords sync correctly between AD and RACF:

  • Middleware Validation Layer:
    Add a middleware layer (e.g., PowerShell script, .NET tool) between AD and RACF to validate passwords against RACF rules before synchronization.

    • Example: Use AD’s Password Change Notification Service to trigger a script that checks for RACF compliance. If the password fails, reject it and notify the user.
  • Error Messaging:
    Configure AD to return specific error messages (e.g., "No repeating characters allowed") using the custom password filter. While Windows’ default UI may not show detailed errors, integrate this with user training.


4. Fallback Options

If the above solutions are too complex, consider these alternatives:

  • Web-Based Password Portal:
    Deploy a web portal (e.g., ManageEngine ADSelfService Plus) where users change passwords. The portal can validate passwords against both AD and RACF rules and provide real-time feedback. Redirect users to this portal via training or GPO.

  • RACF-Side Checks:
    If RACF allows, configure it to enforce additional rules during password retrieval. If a password fails, trigger a reset. Use caution to avoid sync mismatches.


Example Implementation

Here’s a high-level example of how to implement this:

  1. Deploy a Custom Password Filter:
    Block passwords with repeating characters (e.g., AAAbbb123) or disallowed special characters (e.g., !!!).

  2. Set a Logon Message via GPO:
    Display: "Passwords must not include 3+ repeating characters. Details: intranet.example.com/password-rules."

  3. Develop a Validation Script:
    Use PowerShell to log RACF validation failures and notify users via email.


Key Considerations

  • Security: Audit custom code (e.g., password filters) to prevent vulnerabilities.
  • User Experience: Balance enforcement with clear communication to reduce helpdesk calls.
  • Maintenance: Update policies if RACF requirements change.
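As an added example (not code from the answer above or from Microsoft's sample filter), this is the rule logic such a custom password filter would apply so that a password accepted by AD is also accepted downstream by RACF; it is written as plain C so it compiles without the Windows SDK. The 8-character limit and the `@#$` special-character set are assumed placeholders for the real RACF settings, and `racf_check_password`/`racf_check_wcs` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Limits come from the RACF installation's SETROPTS settings; the values
 * here are assumptions for illustration only. */
#define RACF_MAX_LEN 8
static const wchar_t RACF_SPECIALS[] = L"@#$";

/* Distinct rejection reasons so the caller can log which rule failed
 * (the password itself must never be logged). */
typedef enum {
    RACF_OK = 0,
    RACF_TOO_LONG,      /* longer than RACF_MAX_LEN                     */
    RACF_BAD_CHARACTER, /* character RACF does not accept               */
    RACF_REPEATED_RUN   /* same character three or more times in a row */
} racf_result;

/* Core rule check over a wide-character buffer of 'len' characters. In a
 * real filter DLL the exported PasswordFilter() routine would call this with
 * Password->Buffer and Password->Length / sizeof(WCHAR). */
racf_result racf_check_password(const wchar_t *pw, size_t len)
{
    if (len > RACF_MAX_LEN)
        return RACF_TOO_LONG;

    for (size_t i = 0; i < len; i++) {
        wchar_t c = pw[i];
        /* ASCII letters and digits, or one of the permitted specials. */
        bool allowed = (c < 128 && iswalnum((wint_t)c)) ||
                       (c != L'\0' && wcschr(RACF_SPECIALS, c) != NULL);
        if (!allowed)
            return RACF_BAD_CHARACTER;
        /* Rejects runs such as AAA, bbb or !!! from the answer's examples. */
        if (i >= 2 && pw[i] == pw[i - 1] && pw[i] == pw[i - 2])
            return RACF_REPEATED_RUN;
    }
    return RACF_OK;
}

/* Convenience wrapper for NUL-terminated wide strings. */
racf_result racf_check_wcs(const wchar_t *pw)
{
    return racf_check_password(pw, wcslen(pw));
}
```

Because the filter runs inside LSASS with the plaintext password in memory, record only the returned reason code in the event log, never the buffer. Returning a distinct reason per rule is what makes the helpdesk guide and the logon message in step 2 actionable.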

You don't mention how RACF currently retrieves the password from AD.

The Microsoft solution to this challenge lies in tools like Microsoft Identity Integration Server (MIIS)/Microsoft Identity Manager (MIM), and Microsoft Host Integration Server (HIS) technologies. MIIS/MIM and HIS contain password synchronization functionality including password filters as part of a much larger identity management platform. Your existing password integration solution may or may not provide similar functionality.

The quotes below are in regard to Enterprise Single Sign-On in HIS. These tools and others like them provide highly configurable and extensible identity management, so you will need to search which one(s) is best for you.

How to Use Direct Password Sync
This version of Enterprise Single Sign-On includes the Direct Password Sync from Windows feature. This enables you to bypass a Password Sync Adapter and update the password in the ENTSSO Credential Database directly from Windows.

Direct Password Sync from Windows is useful in the following situations:

  • Your enterprise system requires Windows to Windows mapping.
  • You need to update the External User’s password in the Credential Database directly when a password change occurs for the Windows user. You can change the password on the back-end system (that corresponds to the external user) by using other mechanisms. For example, you can use Microsoft Identity Integration Server to update passwords in Resource Access Control Facility (RACF) on an IBM Mainframe using the RACF Management Agent.

How to use password filters
The ENTSSO Password Synchronization feature synchronizes passwords between Microsoft Windows Active Directory and non-Windows systems. However, many external systems have password policy requirements which differ from those in Active Directory. (For example, an IBM system may require a password to be upper case and limited to 8 characters.) This forces ENTSSO to use the “lowest common denominator” between the two systems, limiting password security.

The ENTSSO Password Filter feature addresses this limitation. A Password Filter is merely a Password Sync Adapter with additional properties defined. These additional properties (such as maximum or minimum length, case, and character restrictions) serve to filter the passwords so that they meet the criteria of the external system.
