Password interceptor questions

Which IIQ version are you inquiring about?

Version 8.4

Hello All,

We are testing password interceptor installed in AD and synchronizing password via custom workflow to end systems. We have a question on the password interceptor events we are receiving from the Active Directory where password interceptor is installed…

  1. It appears that for each password reset in AD we are receiving two password intercept tasks into SailPoint. One comes in with the previous password and one with the actual new password in Active Directory. Why is this happening? I would expect only one event.

  2. When an administrator (not a self-reset by the end user) resets the password, even then we get a Password Intercept event task into SailPoint. Is there a way to avoid administrator resets?

  3. When someone is resetting their password and there is a failure on that ctrl-alt-del reset box, even this failure, it seems, generates password intercept event tasks into SailPoint. It just sends the old and current password in sequence. What can be done to avoid this?

We are on the latest version, 8.4. Not sure which of these is expected behavior vs. a product bug. Please assist.

  1. Based on what I know, you shouldn't be seeing two events, just one event with the new password that will be synced.
  2. It syncs all kinds of password changes; not sure how you can avoid that.

1 Like

If you have two accounts in the same AD connector, PWI will try to change the password on both, and you will have even more than two requests for it. Kind of like a loop:

User changes password → PWI detects → sends to source → SailPoint changes password → PWI detects

To solve it you need to have an exclusive DC for SP with no PWI, on which no user can log on.

That would solve your issue.

1 Like
  1. Yes, it does send more than once in some cases, depending on the timeouts configured on the PWI. Best would be to add some wait in the workflow, let's say a minute, before you execute the password provisioning plan.
  2. I would suggest enabling the password history on the AD application and comparing the new password coming from the password interceptor with the latest one in the history; if both are the same, then exit the workflow and do not run any password provisioning plan.
  3. Once you do #2, this will be addressed automatically.
1 Like
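The two mitigations in the answer above (a short wait before running the provisioning plan, and a comparison against the latest password-history entry) can be modelled as a small filter in front of the provisioning step. The block below is an added illustration in plain Python, not IdentityIQ Beanshell and not SailPoint's own code; the `InterceptEvent` shape, the `PasswordSyncFilter` class, the PBKDF2 history digest and the sample event sequence are all constructed for the example. It walks through the three symptoms from the question: the first intercept, a normal reset where the old and new password arrive seconds apart, and a failed change where the old and current password are replayed with nothing actually changed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class InterceptEvent:
    """One password-intercept event as it might arrive from the AD PWI (constructed shape)."""
    account: str
    password: str
    ts: float  # seconds; the filter only ever uses differences between timestamps


def password_digest(password: str, salt: bytes) -> str:
    """Salted PBKDF2 digest so the comparison history never holds plaintext.
    Stand-in for the product's history format, which is not modelled here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000).hex()


class PasswordSyncFilter:
    """Decides which intercept events should actually trigger the password provisioning plan."""

    def __init__(self, settle_seconds: float = 60.0):
        self.settle_seconds = settle_seconds
        self.history: dict[str, list[str]] = {}        # account -> digests, newest last
        self.salts: dict[str, bytes] = {}               # account -> per-account salt
        self.pending: dict[str, InterceptEvent] = {}    # account -> newest event inside the wait window

    def ingest(self, ev: InterceptEvent) -> None:
        # Keep only the newest event per account; an older duplicate that arrived first is overwritten.
        self.pending[ev.account] = ev

    def flush(self, now: float) -> list[str]:
        """Release accounts whose wait window has passed and whose password actually changed."""
        to_provision = []
        for account, ev in list(self.pending.items()):
            if now - ev.ts < self.settle_seconds:
                continue  # still inside the wait window, a second event may follow
            del self.pending[account]
            salt = self.salts.setdefault(account, os.urandom(16))
            digest = password_digest(ev.password, salt)
            hist = self.history.setdefault(account, [])
            if hist and hmac.compare_digest(hist[-1], digest):
                continue  # same as the latest known password: PWI replayed it, skip the plan
            hist.append(digest)
            to_provision.append(account)
        return to_provision


def run_scenario() -> list[list[str]]:
    """Constructed event sequence mirroring the three symptoms in the question."""
    f = PasswordSyncFilter(settle_seconds=60)
    results = []
    # first ever intercept for the account
    f.ingest(InterceptEvent("jdoe", "Winter2024!", 0))
    results.append(f.flush(now=61))        # ['jdoe']
    # normal reset: PWI sends the previous password, then the new one, seconds apart
    f.ingest(InterceptEvent("jdoe", "Winter2024!", 100))
    f.ingest(InterceptEvent("jdoe", "Spring2025!", 102))
    results.append(f.flush(now=163))       # ['jdoe'] once, carrying only the new password
    # failed ctrl-alt-del change: old then current password replayed, nothing changed
    f.ingest(InterceptEvent("jdoe", "Winter2024!", 200))
    f.ingest(InterceptEvent("jdoe", "Spring2025!", 201))
    results.append(f.flush(now=262))       # []
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two design points worth noting. The wait window is what collapses the old-then-new pair into a single plan: the history comparison alone would not help there, because the replayed old password differs from the latest history entry and would be provisioned (and then overwritten) if it were released on its own. And the comparison is done on salted digests with a constant-time compare, so the workflow's own history never becomes a second store of cleartext passwords.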