Password Exit

Connect:Direct® for Microsoft Windows needs the password of the UserId it impersonates, so the password must be stored until it is needed. This is a security concern. To eliminate the need to store passwords, a configurable Password Exit feature has been added to Connect:Direct for Microsoft Windows.
Attention: You are responsible for configuring the password vault software securely. To restrict access to your Password Exit DLL, it is recommended to create a folder that contains only the Password Exit DLL. Your Password Exit DLL folder should have the following permissions:
  • If the Connect:Direct for Microsoft Windows service is configured to run using the ‘Local System’ account (which is the Connect:Direct for Microsoft Windows installation default):
    1. Add the group ‘SYSTEM’ to the folder’s security.
    2. Set the folder Permissions for ‘SYSTEM’ to allow ‘Read & execute’.
  • If the Connect:Direct for Microsoft Windows service is configured to run using a user account:
    1. Add the user to the folder’s security.
    2. Set the folder Permissions for the user to allow ‘Read & execute’.
Permission to access this folder for other users should be restricted or removed.

DLL Interface

Connect:Direct loads and unloads the DLL dynamically.
  1. Connect:Direct’s Password Exit logic calls the ‘GetPassword’ function of the user-supplied Password Exit DLL to obtain the password for the user. The typedef for the GetPassword function call is:
    typedef int (*PFNGETPASSWORD)(GET_PASSWORD_REQUEST_T*, GET_PASSWORD_REPLY_T*);
  2. Connect:Direct calls the Windows API ‘LoadLibrary’ to load the user-supplied Password Exit DLL and the Windows API ‘GetProcAddress’ to obtain the pointer to the GetPassword function in that DLL. The request and reply structures are as follows:
    Get Password Request - The request structure GET_PASSWORD_REQUEST_T contains:
    typedef struct get_password_request
    {
        Int64 version;
        char  applicationID[MAX_APPL_NAME];
        char  policyID[MAX_POLICY_NAME];
        char  userID[MAX_USER_NAME];
    } GET_PASSWORD_REQUEST_T;

    Request structure fields (parameter name, description, valid values):
    version
    • 64-bit number
    • Value is always ‘1’ (will increment if the request structure changes).
    applicationID
    • Character string, null terminated (any valid ASCII characters)
    • 128 bytes in length maximum (127 bytes of data + null terminator)
    • This is the password.exit.appl.id field in initparms.
    policyID
    • Character string, null terminated (any valid ASCII characters)
    • 128 bytes in length maximum (127 bytes of data + null terminator)
    • This is the password.exit.policy.id field in initparms.
    userID
    • Character string, null terminated (any valid ASCII characters)
    • 128 bytes in length maximum (127 bytes of data + null terminator)
    • This is the User Id for which the password is needed.
    Get Password Reply - The reply structure GET_PASSWORD_REPLY_T contains:
    typedef struct get_password_reply
    {
        Int64 version;
        Int64 status;
        char  text_status[MAX_TXT_LEN];
        char  userID[MAX_USER_NAME];
        char  password[MAX_PASSWORD_LEN];
    } GET_PASSWORD_REPLY_T;

    Reply structure fields (parameter name, description, valid values):
    version
    • 64-bit number
    • Value is always ‘1’ (will increment if the request structure changes).
    status
    • 64-bit number (any valid numeric value) used as the return code returned by the Password Exit DLL.
    • A value of 0 (zero) indicates the Password Exit successfully supplied the password for the requested user.
    text_status
    • Character string, null terminated (any valid ASCII characters)
    • 256 bytes in length maximum (255 bytes of data + null terminator)
    • This string contains the result of the GetPassword request. It is intended to be a verbose success or error message returned by the Password Exit DLL.
    userID
    • Character string, null terminated (any valid ASCII characters)
    • 256 bytes in length maximum (255 bytes of data + null terminator)
    • This is the User Id for which the password request was received.
    password
    • Character string, null terminated (any valid ASCII characters)
    • 256 bytes in length maximum (255 bytes of data + null terminator)
    • This is the requested password for the User Id, returned by the Password Exit DLL.
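As an added example (not the sample DLL shipped in Server/Samples/PasswordExit), the following C++ implements a GetPassword exit against the structures above: it echoes the requested userID, rejects unknown request versions and unexpected application/policy IDs, bounds every copy into the fixed-size reply fields, and reports the outcome through status and text_status. The field sizes, the application/policy values ‘CDWIN’/‘DEFAULT’ and the in-memory vaultLookup stand-in are assumptions for illustration.

```cpp
#include <cstring>
// Assumed sizes (the sample's Pswdexlibrary.h is authoritative): 128 for request strings, 256 for reply strings.
#define MAX_APPL_NAME    128
#define MAX_POLICY_NAME  128
#define MAX_USER_NAME    128
#define MAX_TXT_LEN      256
#define MAX_PASSWORD_LEN 256
typedef long long Int64;
typedef struct get_password_request {
    Int64 version;
    char  applicationID[MAX_APPL_NAME];
    char  policyID[MAX_POLICY_NAME];
    char  userID[MAX_USER_NAME];
} GET_PASSWORD_REQUEST_T;
typedef struct get_password_reply {
    Int64 version;
    Int64 status;
    char  text_status[MAX_TXT_LEN];
    char  userID[MAX_USER_NAME];
    char  password[MAX_PASSWORD_LEN];
} GET_PASSWORD_REPLY_T;
typedef int (*PFNGETPASSWORD)(GET_PASSWORD_REQUEST_T*, GET_PASSWORD_REPLY_T*);
// Bounded copy that always leaves the fixed-size destination null-terminated.
static void setField(char* dst, size_t dstLen, const char* src) {
    std::strncpy(dst, src, dstLen - 1);
    dst[dstLen - 1] = '\0';
}
// Records the outcome in status/text_status and returns the same code to the caller.
static int finish(GET_PASSWORD_REPLY_T* rep, Int64 code, const char* msg) {
    rep->status = code; setField(rep->text_status, sizeof(rep->text_status), msg);
    return (int)code;
}
// Constructed stand-in for the vault query a real exit would perform (nullptr = unknown user).
static const char* vaultLookup(const char* user) {
    return std::strcmp(user, "cduser1") == 0 ? "constructed-secret" : nullptr;
}
// The entry point Connect:Direct resolves with GetProcAddress (export it from the DLL on Windows).
extern "C" int GetPassword(GET_PASSWORD_REQUEST_T* req, GET_PASSWORD_REPLY_T* rep) {
    std::memset(rep, 0, sizeof(*rep));                        // zeroed reply: no stale password, all strings terminated
    rep->version = 1;
    setField(rep->userID, sizeof(rep->userID), req->userID);  // echo the user the password is for
    if (req->version != 1) return finish(rep, 2, "unsupported request version");
    if (std::strcmp(req->applicationID, "CDWIN") || std::strcmp(req->policyID, "DEFAULT"))
        return finish(rep, 3, "application/policy not permitted");   // assumed initparms values
    const char* pw = vaultLookup(req->userID);
    if (!pw) return finish(rep, 4, "user not found in vault");
    setField(rep->password, sizeof(rep->password), pw);
    return finish(rep, 0, "password retrieved");              // 0 = success per the interface
}
```

The caller owns the reply buffer, so after impersonation it should overwrite rep.password rather than leave the plaintext in memory.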

Sample Password Exit DLL

A sample Password Exit DLL is provided in the "Server/Samples/PasswordExit" directory and can be used to test the feature or as an example for writing your own. The sample simply reads a text file, gets the password for the user from the text file and returns it to the caller.
Note: You need Microsoft’s Visual Studio 2019 to build the Password Exit DLL. The Password Exit DLL must be a 64-bit DLL. The sample Password Exit DLL should not be used in a production environment; it is only provided as an example.
Files in the PasswordExit directory are:
  • Visual Studio Files
    • PasswordExitDLL.sln – Visual Studio Solution file. Open this file in Visual Studio 2019 to build the sample Password Exit DLL.
    • PasswordExitDLL.vcproj* – Visual Studio project files referenced by the Visual Studio Solution file.
  • Sample Password Exit DLL source files
    • Pswdexitlibrary.cpp – Source file for the sample Password Exit DLL.
    • Pswdexlibrary.h – Header file for the sample Password Exit DLL.
    • Dllmain.cpp – DLL entry point.