Replication Errors with OPF

[dh-pfsweb]

Hello,

We installed OpenPasswordFilter recently and have had some problems with it. We ran into the krbtgt error mentioned in an older post. In addition to that, we are having replication issues between our domains. When we change a users password, or make other attribute changes, we need to stop the OPF Service on the DC to get the changes to replicate to the other DCs. Has anyone else run into this issue or have any suggestions as to what we might be able to do to correct this problem?

thanks,
david

[FFFreak]

Yes, if you have a cloud sync it MUST be the last ones in the LSA notifiers. Especially Gsync (DEAD LAST!) which likes to kill the stack.. make sure OPF is before them, especially GSYNC! edited: And that is on **ALL** ADs, but can test on one that your changing the PW on - using powershell with -server <ip/hostname> switch OPF shouldnt affect attributes though, so could also be something else.

[dh-pfsweb]

Is this what you are referring to? [cid:image003.png@01D5FDFA.929F6A70] Just moving the OpenPasswordFilter to the top of the Notification Packages in the registry? thanks, david From: FFFreak [mailto:notifications@github.com] Sent: Wednesday, March 18, 2020 3:10 PM To: jephthai/OpenPasswordFilter <OpenPasswordFilter@noreply.github.com> Cc: David Hodgson <dhodgson@pfsweb.com>; Author <author@noreply.github.com> Subject: Re: [jephthai/OpenPasswordFilter] Replication Errors with OPF (#36) CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Yes, if you have a cloud sync it MUST be the last ones in the LSA notifiers. Especially Gsync (DEAD LAST!) which likes to kill the stack.. make sure OPF is before them, especially GSYNC!

On Mon, Mar 16, 2020 at 9:37 AM dh-pfsweb ***@***.******@***.***>> wrote: Hello, We installed OpenPasswordFilter recently and have had some problems with it. We ran into the krbtgt error mentioned in an older post. In addition to that, we are having replication issues between our domains. When we change a users password, or make other attribute changes, we need to stop the OPF Service on the DC to get the changes to replicate to the other DCs. Has anyone else run into this issue or have any suggestions as to what we might be able to do to correct this problem? thanks, david — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#36>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJDA4M3CATDCK3V42CZ7KETRHZIVNANCNFSM4LMNNKEA> .

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#36 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AO27HAVWPAI257EUX5NVHJ3RIETALANCNFSM4LMNNKEA>.

[FFFreak]

Cannot see image, but I did it on mine before the cloud providers. However, most things "pass-through" so i don't know of any issue with it being first, but i also have never tried it that way. Sorry i cannot tell you a yes or no on it.

[dh-pfsweb]

Sorry. The image was a screenshot of our registry. I was wondering if this was the proper place to make the change to the LSA Notification. HKLM > SYSTEM > CurrentControlSet > Control > Lsa > Notification Packages In there I find three values: rassfm scecli OpenPasswordFilter Do I just need to move OpenPasswordFilter to the top? thanks, david From: FFFreak [mailto:notifications@github.com] Sent: Thursday, March 19, 2020 6:24 PM To: jephthai/OpenPasswordFilter <OpenPasswordFilter@noreply.github.com> Cc: David Hodgson <dhodgson@pfsweb.com>; Author <author@noreply.github.com> Subject: Re: [jephthai/OpenPasswordFilter] Replication Errors with OPF (#36) CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Cannot see image, but I did it on mine before the cloud providers. However, most things "pass-through" so i don't know of any issue with it being first, but i also have never tried it that way. Sorry i cannot tell you a yes or no on it. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#36 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AO27HATJ7JUYIRU3VCIAD7LRIKSPXANCNFSM4LMNNKEA>.

[FFFreak]

I personally see no issue with the original order. When you remove (OPF) it does replication perfectly? (replication and partition syncing [like on a service restart] are very different).

[FFFreak]

Also what Operating System (I'm just some dude, and played alot with OPF in my test environments, but OSes I think were 2008 R2 to 2012).

[dh-pfsweb]

This is installed on Server 2012 R2. All we have to do is to disable the OPF Service on the DCs and everything works fine. With the service enabled, we have long delays to change passwords (20 seconds up to several minutes), and we see replication problems arise. thanks, david From: FFFreak [mailto:notifications@github.com] Sent: Friday, March 20, 2020 11:38 AM To: jephthai/OpenPasswordFilter <OpenPasswordFilter@noreply.github.com> Cc: David Hodgson <dhodgson@pfsweb.com>; Author <author@noreply.github.com> Subject: Re: [jephthai/OpenPasswordFilter] Replication Errors with OPF (#36) CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. I personally see no issue with the original order. When you remove (OPF) it does replication perfectly? (replication and partition syncing [like on a service restart] are very different). — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#36 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AO27HAUUOGMDJKUQ4J2GI63RIOLW7ANCNFSM4LMNNKEA>.

[FFFreak]

So OPF does use a sorta local loopback (127.0.0.1) to do the communication from LSA notifier to the service that does the checking. Have you tried wire shark to see if there is a communication issue with this loopback. I am wondering if that communication channel is having issues and your hitting a timeout on the call. I didn't write it, but figured they did this for a buffer and ability to queue up asynchronous calls in to a synchronous check.