How the Password Synchronization Agent Works

The propagation process begins when a user's password is changed on a Windows system using any method. After the password is entered, the following occurs:

  1. The Windows operating system checks to make sure the password meets its password policy. If Windows does not accept the password, the change request is rejected, an error message appears, and no further action, including synchronization, is taken.
  2. The Windows system passes the password change request to the Identity Manager Password Synchronization agent. If the agent is configured for password quality checking, it submits the password to the Provisioning Server for checking. If the password does not meet the Identity Manager quality rules, the change request is rejected and an error message appears. The Windows password remains unchanged and no synchronization takes place.
  3. A password that meets the quality rules of both Windows and CA Identity Manager is submitted by the Password Synchronization Agent to the Provisioning Server for propagation.
  4. CA Identity Manager updates the global user password and propagates the new password to the accounts associated with the global user.

Note: Your password policies for Windows and CA Identity Manager must be identical or consistent, because the error messages displayed are based on the Windows password policy, even if CA Identity Manager rejects the request.

The password_update_timeout configuration parameter (in eta_pwdsync.conf) specifies how long, in seconds, the Password Synchronization Agent (PSA) waits for the password-change-propagation confirmation from the Identity Manager server. If the PSA does not receive a confirmation during that time, it proceeds as if the propagation succeeded and logs a warning (in eta_pwdsync.log) that password change propagation could not be verified. The minimum value for the parameter is zero (0), which means that the PSA will not wait for confirmation. For more information, see eta_pwdsync.conf--Configure Password Synchronization Agent in the Provisioning Manager help.
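Because the agent proceeds as if propagation succeeded when the timeout expires, the warning in eta_pwdsync.log is the only record that a change was never confirmed. The following audit sketch is an added example, not code from the product: it flags a zero timeout and counts unverified-propagation warnings per user. The `key = value` layout, the log line format, and the warning wording it matches are assumptions, and the sample text is constructed.

```python
import re

# Constructed samples: the key = value layout and the log wording below
# are assumptions, not copied from a real agent installation.
SAMPLE_CONF = """\
password_update_timeout = 0
"""
SAMPLE_LOG = """\
2024-05-01 09:14:02 INFO password change received for user jdoe
2024-05-01 09:14:02 WARNING password change propagation could not be verified for user jdoe
2024-05-01 10:30:11 INFO password change propagated for user asmith
2024-05-01 11:02:45 WARNING password change propagation could not be verified for user jdoe
"""

# Assumed warning wording; adjust to the text your agent actually logs.
UNVERIFIED = re.compile(r"propagation could not be verified.*?user (\S+)", re.I)


def read_timeout(conf_text):
    """Return password_update_timeout in seconds, or None if the key is absent."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "password_update_timeout":
            return int(value.strip())
    return None


def unverified_users(log_text):
    """Count unverified-propagation warnings per user."""
    counts = {}
    for line in log_text.splitlines():
        m = UNVERIFIED.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def audit(conf_text, log_text):
    """Return findings an operator should review, as a list of strings."""
    findings = []
    timeout = read_timeout(conf_text)
    if timeout is None:
        findings.append("password_update_timeout is not set in this file")
    elif timeout == 0:
        findings.append("password_update_timeout = 0: agent does not wait for confirmation")
    for user, n in sorted(unverified_users(log_text).items()):
        findings.append(f"{user}: {n} unverified change(s); confirm they reached the Provisioning Server")
    return findings
```

Call `audit()` with the contents of the real configuration and log files; each returned finding marks a password change whose propagation needs to be confirmed on the server side.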