Symantec IGA

  • 1.  Password sync Agent

    Posted Jun 06, 2019 09:45 AM
    Hi All,

    We have CA Identity Manager version 14.1 CP06 where the AD connector is deployed, and we have the password sync agent installed to reverse-sync the password from AD to IM. The sync is working fine when a user changes his password directly on the AD domain.

    We have another AD domain which maintains the same user record and pushes the password change to the main AD domain, which is successful on AD, but the password sync agent is not intercepting the password change event, due to which the password is not synchronizing to IM.

    Is there any condition when the agent intercepts the password change in the AD domain?

    Regards,
    Rajesh


  • 2.  RE: Password sync Agent
    Best Answer

    Broadcom Employee
    Posted Jun 06, 2019 11:02 AM
    By what mechanism is the second AD domain updating the first? The psync agent is a Windows password filter. It will catch password changes that occur on the DC where it's installed. The psync agent needs to be installed on all domain controllers, and since we don't know how your AD to AD change occurs we can't say how the sync agent will respond. Also, there is a default 10-minute agent response threshold configured within Provisioning Manager, so maybe you need to lower the value while testing, or wait at least 10 minutes. If none of the above helps, please open a support case.
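
The answer above says the filter must be present on every domain controller. One way to check that is the added example below, which is not part of the original thread and is not Broadcom's code. It assumes the RSAT ActiveDirectory module and PowerShell remoting to each DC, and `$FilterName` is a placeholder for whatever DLL name your psync agent installation registered.

```powershell
# Added example: report which DCs list a given password filter under
# the LSA "Notification Packages" value (where Windows registers password filters).
param(
    # Placeholder: replace with the filter DLL name (without .dll) from your install.
    [string]$FilterName = 'PLACEHOLDER_PSYNC_FILTER'
)

Import-Module ActiveDirectory

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Read the multi-string value remotely on each domain controller.
        $packages = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path $using:lsaKey -Name 'Notification Packages').'Notification Packages'
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Reachable        = $true
            FilterRegistered = $packages -contains $FilterName   # case-insensitive match
            Packages         = $packages -join ', '
        }
    }
    catch {
        # An unreachable DC is reported, not skipped: it may be the one handling the change.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Reachable        = $false
            FilterRegistered = $false
            Packages         = "error: $($_.Exception.Message)"
        }
    }
}

# DCs missing the filter sort first.
$results | Sort-Object FilterRegistered, DomainController | Format-Table -AutoSize
```

A DC that lists the filter still only runs it after LSA has loaded the DLL, which happens at boot, so a recently installed agent also needs the DC restarted.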


  • 3.  RE: Password sync Agent

    Posted Jun 25, 2019 08:46 AM
    Thanks, Larry, for the update. The password is updated as a hash value by using a third-party tool, due to which the password sync agent is unable to capture it, as the agent intercepts the password and validates it with the password policy before updating in Active Directory, which is not the case, so we are migrating all users to the first AD domain.

    Regards,
    Rajesh