lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

Password Store / Password Filter Issues #115

Closed FHSbtuggle closed 10 months ago

FHSbtuggle commented 11 months ago

We are attempting to implement this into our environment and are running into issues with Lithnet returning "False" for Test-IsCompromisedPassword for passwords that are compromised after loading the store with the compromised passwords following the steps listed here: https://docs.lithnet.io/password-protection/setup/populate-the-store

The GPO Settings are correctly set in both environments and if I do run Add-CompromisedPassword -Value password it will then return "True"

Any help would be much appreciated, we are just not sure why it is not returning "True" even though we have the store correctly set and the installation is also pointing to the correct store. In the Event Log I can confirm that Event ID 3 is present so does not appear to be an issue with the installation.

ryannewington commented 11 months ago

Does

Get-PasswordFilterConfig

Show the correct store path?

FHSbtuggle commented 11 months ago

> Does
>
> Get-PasswordFilterConfig
>
> Show the correct store path?

Hey Ryan, it does for both environments

C:\Lithnet\Store -> Local Testing Environment
\backups\Lithnet\Active Directory Password Protection\Store -> Domain Environment

I have verified for both environments that permissions are correct as indicated in the documentation.

ryannewington commented 11 months ago

Very strange,

And inside C:\Lithnet\Store is a folder called v3?

And your user account has read access to that share (The Test-* cmdlets run as you, not as the SYSTEM account/password filter)?

If you right-click the Store folder, whats the size of it?

FHSbtuggle commented 11 months ago

Correct, it has that folder v3 inside both stores, and both accounts have full control at the directory and all sub directories.

We couldn't go the Sync-HashesFromHibp route due to the nature of our environment and it seeming that it would take a while (10+ days), so we went the route of the HIBP downloader tool using the NTLM hashes as indicated. Have started fresh a few times just to make sure it was downloaded correctly and loaded into the store correctly, with no luck.

It's roughly 11.2GB in size and 64GB in size on disk.

ryannewington commented 11 months ago

Could you download and run procmon, and run the Test-IsPasswordCompromised cmdlet while capturing the trace, so I can see what is going on?

https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

FHSbtuggle commented 11 months ago

[image attachment]

While running Test-IsCompromisedPassword -Value Password and it returned false.

ryannewington commented 11 months ago

@FHSbtuggle can you share the script/commands you used to download the hibp hashes and build the store?

Something is definitely not right here. The store looks populated, but I'm wondering if its populated with the correct data

FHSbtuggle commented 11 months ago

@ryannewington I followed the steps listed here: https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader

Ran the following script listed here: https://docs.lithnet.io/password-protection/setup/populate-the-store

```powershell
haveibeenpwned-downloader.exe -n pwnedpasswords_ntlm
```

Once that finished downloading I zipped the file up -> transferred it into our environment and unzipped / ran the following commands:

```powershell
Import-Module LithnetPasswordProtection
Open-Store -Path "\backups\FHS Files\Lithnet\Active Directory Password Protection\Store"
```

I can't recall if I ran Import-CompromisedPasswords -Filename "D:\password-protection\hashes.org-2018.txt" or Import-CompromisedPasswordHashes -Filename "D:\password-protection\pwned-passwords-ntlm-ordered-by-hash.txt"

So that might be the issue, I am going to give that a try and make sure I did use Import-CompromisedPasswordHashes and will follow up

FHSbtuggle commented 10 months ago

@ryannewington that looks to have resolved it. I was using the incorrect Import command. You can go ahead and mark this as resolved and thank you for the assistance!

ryannewington commented 10 months ago

That's great news! Glad it's working for you now