Password filter fails to load on Domain controller

  • 7024074
  • 21-Aug-2019
  • 21-Aug-2019

Environment

Identity Manager - Password Synchronization

Situation

Password changes are not being synchronized from Active Directory into eDirectory.
Checking the status of the password filter in the Password Sync applet shows the module as “Running” in the relevant Domain Controllers.
In the affected Domain controllers, there is a message in the Event Viewer that indicates that the module PWFILTER.DLL was not able to load. Possible errors reported are 577 and 126.
A trace at level 5 taken on the machine where the driver is running (Remote Loader trace or Engine trace if the server is running on Windows and the driver is local), shows this error:
DirXML: [10/10/18 16:38:44.99]: ADDriver: [PWD 1668]   lpszDCName = DC001.acme.corp                status = 0x000006D9
DirXML: [10/10/18 16:38:44.99]: ADDriver: [PWD 1668] - Password Sync is not installed on domain controller DC001.acme.corp



Resolution

These symptoms indicate that the policy RunAsPPL has been added to the LSASS module. This option prevents other modules to be specified as a filter to be used by the LSASS module, effectively breaking the password synchronization functionality.

On the affected Domain Controllers, check if the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa contains the DWORD entry of “RunAsPPL”  with a value of 1

If the entry is present, remove it and restart the Domain Conroller. Check the event viewer after the server restart to make sure that there are no further errors regarding the loading of the pwfilter.dll module.

Additional Information

The following article describes the relevant entry in more detail:

Feedback service temporarily unavailable. For content questions or problems, please contact Support.