How the Password Synchronization Agent Works
The propagation process begins when a user's password is changed on a Windows system using any method. After the password is entered, the following occurs:
- The Windows operating system checks to make sure the password meets its password policy. If Windows does not accept the password, the change request is rejected, an error message appears, and no further action, including synchronization, is taken.
- The Windows system passes the password change request to the Password Synchronization Agent. If the agent is configured for password quality checking, it submits the password to the Provisioning Server for that check. If the password does not meet the CA IdentityMinder quality rules, the change request is rejected and an error message is displayed. The Windows password remains unchanged and no synchronization takes place.
- A password that meets the quality rules of both Windows and CA IdentityMinder is submitted by the Password Synchronization Agent to the Provisioning Server for propagation.
- CA IdentityMinder updates the global user password and propagates the new password to the accounts associated with the global user.
Note: Your password policies for Windows and CA IdentityMinder must be identical or consistent, because the error messages displayed are based on the Windows password policy, even if CA IdentityMinder rejects the request.
The password_update_timeout configuration parameter (eta_pwdsync.conf) specifies how long (in seconds) the Password Synchronization Agent (PSA) waits for the password-change-propagation confirmation from CA IdentityMinder. If the PSA does not receive a confirmation during that time, it proceeds as if the propagation succeeded and logs a warning (eta_pwdsync.log) that password change propagation could not be verified. The minimum value for the parameter is zero (0), which means that the PSA will not wait for confirmation.
Copyright © 2013 CA.
All rights reserved.