Password Exit
Because Connect:Direct® for Microsoft Windows needs the password of the UserId it impersonates, the password must be stored until it is needed. This is a security concern. To eliminate the need to store passwords, a configurable Password Exit feature has been added to Connect:Direct for Microsoft Windows.
Attention: You are responsible for configuring the password vault software securely. To restrict access to your Password Exit DLL, it is recommended to create a folder that contains only the Password Exit DLL. Your Password Exit DLL folder should have the following permissions:
- If the Connect:Direct for Microsoft Windows service is configured to run using the ‘Local System’ account (which is the Connect:Direct for Microsoft Windows installation default):
  - Add the group ‘SYSTEM’ to the folder’s security.
  - Set the folder Permissions for ‘SYSTEM’ to allow ‘Read & execute’.
- If the Connect:Direct for Microsoft Windows service is configured to run using a user account:
  - Add the user to the folder’s security.
  - Set the folder Permissions for the user to allow ‘Read & execute’.
DLL Interface
Connect:Direct loads and unloads the DLL dynamically.
- The Connect:Direct Password Exit logic calls the ‘GetPassword’ method of the user-supplied Password Exit DLL to obtain the password for the user. Following is the typedef for the GetPassword function call:
typedef int (*PFNGETPASSWORD)(GET_PASSWORD_REQUEST_T*, GET_PASSWORD_REPLY_T*);
- Connect:Direct calls the Windows API ‘LoadLibrary’ to load the user-supplied Password Exit DLL and the Windows API ‘GetProcAddress’ to obtain the pointer to the GetPassword function in the user-supplied Password Exit DLL. The request and reply structures are as follows:
Get Password Request
The request structure GET_PASSWORD_REQUEST_T contains:
typedef struct get_password_request {
    Int64 version;
    char  applicationID[MAX_APPL_NAME];
    char  policyID[MAX_POLICY_NAME];
    char  userID[MAX_USER_NAME];
} GET_PASSWORD_REQUEST_T;
Request structure fields contain:
- version - 64-bit number
  - Value is always ‘1’. (Will increment if the request structure changes.)
- applicationID - Character string, null terminated (any valid ASCII characters)
  - 128 bytes in length maximum (127 bytes of data + null terminator)
  - This is the password.exit.appl.id field in initparms.
- policyID - Character string, null terminated (any valid ASCII characters)
  - 128 bytes in length maximum (127 bytes of data + null terminator)
  - This is the password.exit.policy.id field in initparms.
- userID - Character string, null terminated (any valid ASCII characters)
  - 128 bytes in length maximum (127 bytes of data + null terminator)
  - This is the User Id for which we need the password.
Get Password Reply
The reply structure GET_PASSWORD_REPLY_T contains:
typedef struct get_password_reply {
    Int64 version;
    Int64 status;
    char  text_status[MAX_TXT_LEN];
    char  userID[MAX_USER_NAME];
    char  password[MAX_PASSWORD_LEN];
} GET_PASSWORD_REPLY_T;
Reply structure fields contain:
- version - 64-bit number
  - Value is always ‘1’. (Will increment if the request structure changes.)
- status - 64-bit number (any valid numeric value), used as the return code returned by the Password Exit DLL.
  - A value of 0 (zero) indicates the Password Exit successfully supplied the password for the requested user.
- text_status - Character string, null terminated (any valid ASCII characters)
  - 256 bytes in length maximum (255 bytes of data + null terminator)
  - This is a string which contains the result of the GetPassword request. It is intended to be a verbose success or error message returned by the Password Exit DLL.
- userID - Character string, null terminated (any valid ASCII characters)
  - 256 bytes in length maximum (255 bytes of data + null terminator)
  - This is the User Id for which the password request is received.
- password - Character string, null terminated (any valid ASCII characters)
  - 256 bytes in length maximum (255 bytes of data + null terminator)
  - This is the requested password for the User Id returned by the Password Exit DLL.
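The following C is an added example, not the sample shipped in Server/Samples/PasswordExit and not Connect:Direct's own code. It implements the GetPassword contract described above (version check, bounded handling of the request strings, status and text_status on every path) and shows how the caller drives the exit through the PFNGETPASSWORD pointer and scrubs the reply once the password has been consumed. The MAX_* sizes are assumed from the tables (128 bytes for the request strings, 256 for the reply strings; MAX_USER_NAME is taken as 128 because both structures share it), Int64 is assumed to be a signed 64-bit integer, and the k_vault table is a constructed stand-in for the call into the password vault client; the real limits come from Pswdexlibrary.h.

```c
/* Added example of a Password Exit implementing GetPassword. Not the shipped sample.
 * The limits, the Int64 typedef and k_vault are assumptions for illustration. */
#include <stddef.h>
#include <string.h>

#define MAX_APPL_NAME    128   /* assumed from the request table: 127 bytes + NUL */
#define MAX_POLICY_NAME  128   /* assumed */
#define MAX_USER_NAME    128   /* assumed */
#define MAX_TXT_LEN      256   /* assumed from the reply table: 255 bytes + NUL */
#define MAX_PASSWORD_LEN 256   /* assumed */
#define PASSWORD_EXIT_VERSION 1

typedef long long Int64;       /* assumed: signed 64-bit integer */

typedef struct get_password_request {
    Int64 version;
    char  applicationID[MAX_APPL_NAME];
    char  policyID[MAX_POLICY_NAME];
    char  userID[MAX_USER_NAME];
} GET_PASSWORD_REQUEST_T;

typedef struct get_password_reply {
    Int64 version;
    Int64 status;
    char  text_status[MAX_TXT_LEN];
    char  userID[MAX_USER_NAME];
    char  password[MAX_PASSWORD_LEN];
} GET_PASSWORD_REPLY_T;

typedef int (*PFNGETPASSWORD)(GET_PASSWORD_REQUEST_T *, GET_PASSWORD_REPLY_T *);

#ifdef _WIN32
#define EXIT_EXPORT __declspec(dllexport)   /* exported from the DLL on Windows */
#else
#define EXIT_EXPORT                         /* plain function when built elsewhere */
#endif

/* Constructed stand-in for the vault: a real exit calls the vault client here. */
typedef struct { const char *appl, *policy, *user, *secret; } vault_row_t;
static const vault_row_t k_vault[] = {
    { "CDWIN", "DEFAULT", "svc_transfer", "example-secret-1" },
    { "CDWIN", "DEFAULT", "batch_user",   "example-secret-2" },
};

/* Copy a NUL-terminated string into a fixed buffer; 0 if it fit, -1 otherwise. */
static int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n >= cap) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* A caller-supplied field is only a string if a NUL lies inside its buffer. */
static int is_terminated(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

static int fail(GET_PASSWORD_REPLY_T *rep, Int64 code, const char *msg) {
    rep->status = code;
    copy_bounded(rep->text_status, MAX_TXT_LEN, msg);
    return (int)code;
}

EXIT_EXPORT int GetPassword(GET_PASSWORD_REQUEST_T *req, GET_PASSWORD_REPLY_T *rep) {
    if (req == NULL || rep == NULL) return -1;
    memset(rep, 0, sizeof *rep);                 /* never hand stale bytes back */
    rep->version = PASSWORD_EXIT_VERSION;
    if (req->version != PASSWORD_EXIT_VERSION)
        return fail(rep, 2, "unsupported request version");
    if (!is_terminated(req->applicationID, MAX_APPL_NAME) ||
        !is_terminated(req->policyID, MAX_POLICY_NAME) ||
        !is_terminated(req->userID, MAX_USER_NAME))
        return fail(rep, 3, "request field is not NUL-terminated");
    copy_bounded(rep->userID, MAX_USER_NAME, req->userID);   /* same size, always fits */
    for (size_t i = 0; i < sizeof k_vault / sizeof k_vault[0]; i++) {
        const vault_row_t *r = &k_vault[i];
        if (strcmp(r->appl, req->applicationID) == 0 &&
            strcmp(r->policy, req->policyID) == 0 &&
            strcmp(r->user, req->userID) == 0) {
            if (copy_bounded(rep->password, MAX_PASSWORD_LEN, r->secret) != 0)
                return fail(rep, 4, "stored password exceeds MAX_PASSWORD_LEN");
            rep->status = 0;
            copy_bounded(rep->text_status, MAX_TXT_LEN, "password retrieved");
            return 0;
        }
    }
    return fail(rep, 1, "no credential for application/policy/user");  /* generic on purpose */
}

/* Caller side, the way Connect:Direct drives the exit through the pointer from
 * GetProcAddress: build the request, call, copy the password out, scrub the reply. */
int call_exit(PFNGETPASSWORD fn, const char *appl, const char *policy,
              const char *user, char *out, size_t out_cap) {
    GET_PASSWORD_REQUEST_T req;
    GET_PASSWORD_REPLY_T rep;
    memset(&req, 0, sizeof req);
    req.version = PASSWORD_EXIT_VERSION;
    copy_bounded(req.applicationID, MAX_APPL_NAME, appl);
    copy_bounded(req.policyID, MAX_POLICY_NAME, policy);
    copy_bounded(req.userID, MAX_USER_NAME, user);
    int rc = fn(&req, &rep);
    if (rc == 0 && out != NULL) copy_bounded(out, out_cap, rep.password);
    volatile char *p = rep.password;             /* volatile so the scrub is not optimised away */
    for (size_t i = 0; i < sizeof rep.password; i++) p[i] = 0;
    return rc;
}
```

Three choices carry the security weight: the reply is zeroed before anything is written so a failed lookup cannot return a stale password, every string written into a fixed buffer goes through copy_bounded so a long vault value cannot overrun password or text_status, and the error text does not echo the requested user name, so the verbose text_status cannot be used to enumerate which accounts the vault knows. On Windows the real exit is loaded with LoadLibrary and the pointer comes from GetProcAddress; here call_exit takes the pointer as a parameter so the contract can be exercised off Windows.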
Sample Password Exit DLL
A sample Password Exit DLL is provided in the "Server/Samples/PasswordExit" directory and can be used to test the feature or as an example for writing your own. The sample simply reads a text file, gets the password for the user from the text file and returns it to the caller.
Note: You need Microsoft’s Visual Studio 2019 to build the Password Exit DLL. The Password Exit DLL must be a 64-bit DLL. The sample Password Exit DLL should not be used in a Production environment. It is only provided as an example.
Files in the PasswordExit directory are:
Visual Studio Files
- PasswordExitDLL.sln – Visual Studio Solution file. Open this file in Visual Studio 2019 to build the Sample Password Exit DLL.
- PasswordExitDLL.vcproj* – Visual Studio project files referenced by the Visual Studio Solution file.
Sample Password Exit DLL source files
- Pswdexitlibrary.cpp – Source file for the sample Password Exit DLL.
- Pswdexlibrary.h – Header file for the sample Password Exit DLL.
- Dllmain.cpp – DLL entry point.