Select User from the Destination ObjectClass drop-down menu.

19-2 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

■ How Do I Deploy the Oracle Password Filter for Microsoft Active Directory?

19.1.1 What is the Oracle Password Filter for Microsoft Active Directory?

Oracle Directory Integration Platform enables synchronization between Oracle Internet Directory and Microsoft Active Directory. The Oracle Directory Integration Platform can retrieve all Microsoft Active Directory attributes with the exception of user passwords. Oracle Application Server Single Sign-On uses an external authentication plug-in to verify user credentials in Microsoft Active Directory and automatically store the updated password in Oracle Internet Directory.

Applications such as Oracle Database Enterprise User Security that do not use Oracle Application Server Single Sign-On can use the Oracle Password Filter for Microsoft Active Directory to retrieve passwords from Microsoft Active Directory into Oracle Internet Directory. When users change their passwords from their desktops, the updated password is automatically synchronized with Oracle Internet Directory. More specifically, the Oracle Password Filter for Microsoft Active Directory monitors Microsoft Active Directory for password changes, which it then stores in Oracle Internet Directory.

This allows Oracle Internet Directory users to be authenticated with their Microsoft Active Directory credentials and authorized to access resources by using information stored in Oracle Internet Directory. Storing Microsoft Active Directory user credentials in Oracle Internet Directory also provides a high availability solution in the event that the Microsoft Active Directory server is down.

The Oracle Password Filter is installed on each Microsoft Active Directory server and automatically forwards password changes to Oracle Internet Directory.
The Oracle Password Filter for Microsoft Active Directory does not require the Oracle Directory Integration Platform to synchronize passwords from Microsoft Active Directory to Oracle Internet Directory. The only requirement is that users synchronized from Microsoft Active Directory to Oracle Internet Directory must include the ObjectGUID attribute value to identify the user in both directories.

The Oracle Password Filter for Microsoft Active Directory does not enforce password policies, or differences in password policies, between Microsoft Active Directory and Oracle Internet Directory. Instead, the system administrator must ensure that the password policies are consistent in both directories.

Password change requests occur when an account is created, an administrator resets a user's password, or when a user changes his or her own password. In order for the Oracle Password Filter for Microsoft Active Directory to capture Microsoft Active Directory passwords, one of these events must occur. Passwords that were set prior to installing the Oracle Password Filter for Microsoft Active Directory cannot be captured unless a system administrator forces a global password change request to all users.

Note: Enterprise User Security can only verify user credentials that are stored in Oracle Internet Directory. For this reason, to verify user credentials in Microsoft Active Directory with Enterprise User Security, you must use the Oracle Password Filter to retrieve passwords from Microsoft Active Directory into Oracle Internet Directory.

Note: The Oracle Password Filter for Microsoft Active Directory only captures password changes for 32-bit or higher Windows systems that have been integrated with Microsoft Active Directory.
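
Because the filter does not enforce policy consistency, the administrator has to compare the two policies by hand. The following is an added example, not part of the Oracle guide or product: it assumes the Active Directory domain-object attributes and the Oracle Internet Directory password policy entry have already been read into dictionaries (the sample values and function names are constructed), and it normalizes units before reporting differences.

```python
# Added example: compare an AD domain password policy with an OID password
# policy entry. The input dictionaries are constructed samples; in practice
# they come from an LDAP read of each directory (an assumption of this sketch).

AD_TICKS_PER_SECOND = 10_000_000   # AD stores ages as negative 100 ns intervals
DOMAIN_PASSWORD_COMPLEX = 0x1      # bit in the AD pwdProperties attribute
AD_NEVER_EXPIRES = (0, -2**63)     # both values mean "no maximum age"

def normalize_ad(domain):
    """Map AD domain-object policy attributes to common names and units."""
    max_age = int(domain["maxPwdAge"])
    return {
        "min_length": int(domain["minPwdLength"]),
        "history": int(domain["pwdHistoryLength"]),
        "max_age_s": 0 if max_age in AD_NEVER_EXPIRES
                     else -max_age // AD_TICKS_PER_SECOND,
        "char_rule": bool(int(domain["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
    }

def normalize_oid(policy):
    """Map OID password policy attributes to the same names and units."""
    return {
        "min_length": int(policy["pwdMinLength"]),
        "history": int(policy["pwdInHistory"]),
        "max_age_s": int(policy["pwdMaxAge"]),   # already in seconds
        # AD's complexity rule and OID's numeric-character count are not
        # equivalent; a difference only shows one side lacks a character rule.
        "char_rule": int(policy.get("orclpwdAlphaNumeric", 0)) > 0,
    }

def policy_differences(ad_domain, oid_policy):
    """Return {setting: (ad_value, oid_value)} for every setting that differs."""
    ad, oid = normalize_ad(ad_domain), normalize_oid(oid_policy)
    return {name: (ad[name], oid[name]) for name in ad if ad[name] != oid[name]}

# Constructed sample values: 42-day maximum age on both sides,
# but AD allows 7-character passwords while OID requires 8.
AD_DOMAIN = {"minPwdLength": "7", "pwdHistoryLength": "24",
             "maxPwdAge": "-36288000000000", "pwdProperties": "1"}
OID_POLICY = {"pwdMinLength": "8", "pwdInHistory": "24",
              "pwdMaxAge": "3628800", "orclpwdAlphaNumeric": "1"}

if __name__ == "__main__":
    for name, (ad_value, oid_value) in policy_differences(AD_DOMAIN, OID_POLICY).items():
        print(f"{name}: AD={ad_value} OID={oid_value}")
```

A setting where Oracle Internet Directory is stricter than Active Directory deserves attention first, since a password that Active Directory accepts may not satisfy the Oracle Internet Directory policy.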