nFront Password Filter FAQ

Yes. It has been tested and works fine on Windows Server 2025. It also works on Windows Server 2012, 2016, 2019, and 2022.

Yes. The client operates as a Windows credential provider. It works with Duo's credential provider using their method of whitelisting the GUID of our provider.

Yes. The client operates as a Windows credential provider and is compatible with Okta.

Yes. There have never been any conflicts between nFront Password Filter and any identity management or password synchronization product. When a password change occurs on a workstation, a Mac joined to the domain, a web portal, etc., the password change request is sent to a writable domain controller. The LSA process on the DC checks the password against the built-in domain password policy (and any fine-grained password policies, if defined). If the password meets the Windows password policy requirements, the LSA calls third-party password filters via the PasswordFilter() API. Once all password filters have been called, the LSA commits the password change to the local SAM database and then calls the PasswordChangeNotify() API. Identity management and password synchronization products implement this API call to perform their synchronization activities. Since the filter is integrated at the operating system level, it cannot be bypassed. Some web applications provide their own password rules; however, most can be bypassed if you do not change your password via their web interface (i.e. you press CTRL-ALT-DEL and change your password on a workstation).

Yes, yes and yes. We have many worldwide deployments using BMC Control SA or Passport. We also have many healthcare providers running PSynch and Courion. In all cases, BMC, PSynch and Courion do not provide native password filtering (they only filter if you change passwords via their web page). Thus, their password filtering rules can be bypassed.

Yes, nFront Password Filter is compatible with CyberArk. We have many customers who use CyberArk and nFront Password Filter together.

Yes, nFront Password Filter is compatible with SailPoint. We have many customers who use SailPoint and nFront Password Filter together.

Yes, nFront Password Filter is compatible with OneLogin.

The default dictionary (6500 words) takes about 5 milliseconds to process. Our dictionary check looks for the dictionary word anywhere within the new password. It can also be configured to dynamically check for variations of the dictionary word based on substitution characters, such as the typical substitution of a dollar sign ($) for the letter S. That increases processing time but is still negligible.
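To illustrate the two checks described above (substring match, then substitution-aware variants), here is an added example that is not nFront's code; the three-word dictionary and the substitution table are constructed for the example, and the product's actual substitution rules are not on this page.

```python
from itertools import product

# Constructed three-word sample list; the product's own 6,500-word dictionary is not reproduced here.
DICTIONARY = ["password", "welcome", "summer"]

# Letters and the substitution characters commonly typed in their place (e.g. "$" for "s").
# The table the product actually uses is not on the page; this one is an assumed example.
SUBSTITUTIONS = {
    "a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7+",
}


def word_variants(word: str):
    """Yield every spelling of `word` produced by substituting zero or more of its letters."""
    choices = [ch + SUBSTITUTIONS.get(ch, "") for ch in word]
    for combo in product(*choices):
        yield "".join(combo)


def dictionary_hit(password: str, dictionary=DICTIONARY, with_substitutions=False):
    """Return the dictionary word found anywhere in the password (case-insensitive), or None."""
    candidate = password.lower()
    for word in dictionary:
        variants = word_variants(word) if with_substitutions else (word,)
        if any(v in candidate for v in variants):
            return word
    return None


def variant_count(dictionary=DICTIONARY) -> int:
    """Number of strings the substitution-aware check compares; shows why it costs more time."""
    return sum(1 for w in dictionary for _ in word_variants(w))
```

With substitutions enabled, "MyP@$$word1" is rejected because "p@$$word" is a variant of "password"; the plain substring check lets it through.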

Yes. nFront Password Filter can check against breached passwords using the HIBP database of breached passwords (approximately 847 million breached passwords). You can configure it to check locally using a file or via the HIBP API. If you use the file option, you must download the file of SHA1 hashes, which expands to about 40GB. The file needs to be local to each DC, so you must plan for disk space. It takes only 60 milliseconds to check the file. If you opt to use the HIBP API, it usually returns in less than half a second. The full hash is never sent over the network (only the first 5 characters).
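The API option above relies on the HIBP range query: only the first 5 hex characters of the SHA1 hash leave the domain controller, and the remaining 35 are matched locally against the returned list. The following is an added example (not nFront's code) that performs that split and match; the network call is replaced by a constructed, offline stand-in response, and the count in it is made up.

```python
import hashlib


def sha1_prefix_suffix(password: str):
    """Return (prefix, suffix): upper-case hex SHA-1 split into the 5 chars sent and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str):
    """Parse a pwnedpasswords range response ("SUFFIX:COUNT" per line) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the breach corpus (0 if absent).

    `fetch_range(prefix)` must return the body of GET
    https://api.pwnedpasswords.com/range/<prefix>; only the 5-char prefix is passed to it.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API. SHA-1("password") is the well-known value
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the second suffix and both counts are made up.
FAKE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
             "00000000000000000000000000000000001:3\r\n",
}


def fake_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS request; an unknown prefix yields an empty body (no matches)."""
    return FAKE_RANGE.get(prefix, "")
```

Swapping `fake_fetch` for a real HTTPS GET of the range URL gives a working k-anonymity check in which the server never learns more than the 5-character prefix.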

Yes. All group policies will appear in English. If you are using dictionary checking, the dictionary file may be saved in ANSI, Unicode or UTF-8 format. The latter two formats support characters from all languages. The optional client currently provides messages in English, German, French, Italian and Spanish.

Yes. You still configure a single GPO to control nFront Password Filter. However, within each policy you can specify multiple OU paths to include or exclude. You can also include and exclude groups.

Yes. You can apply a policy to one security group and the policy will apply to users who are members of that group and any groups nested inside of that group.

No.

No.

Yes. The client can display the rules on the password change screen and show a more detailed failure message. The message for each rule and each failure message can be modified for any given language. You can also display a custom message along with the dynamically calculated rules.

The nFront Password Filter MSI package must be installed on all writable domain controllers. Read only domain controllers do not process password changes and do not need the filter installed.

No. Think of the nFront product as a supplement to the built-in Windows domain password policy. The LSA checks the new password against the built-in Windows domain password policy before calling nFront. Thus, nFront can add restrictions but cannot lessen any Windows restrictions. For example, if Windows requires a minimum password length of 10 and nFront requires 12, the minimum length required will be 12. If Windows requires a minimum length of 12, setting nFront to require only 10 will have no effect and the minimum length required will be 12.

No. It is very easy to install and configure. Prior to deployment, you must consider any modifications to the custom dictionary blacklist and you must communicate the new requirements to end-users.
It only takes a few minutes to configure the policies via GPO. Since GPOs replicate among domain controllers every 5 minutes with a max hop count of 3, the GPO settings will sync among numerous domain controllers in a max of 15 minutes.