Symantec IGA


Tech Tip : CA Single Sign-On : Password sync agent 

  • 1.  Tech Tip : CA Single Sign-On : Password sync agent 

    Broadcom Employee
    Posted Jun 26, 2018 05:15 AM

    Question:

     

    I have a query about the Password Sync Agent for IM.

    Can I enable the Password Sync Agent for multiple endpoints (Active
    Directory)?

    When I do the configuration, it asks me for an endpoint, and there
    is no option to select multiple endpoints.

    Suppose I have 3 domain controllers, do I need to deploy the Password
    Sync Agent on all three of them?

     

    Answer:

     

    The documentation here specifies only 1 endpoint to be configured:

    Synchronizing Passwords on Endpoints

    "If you have the Password Sync Agent installed on a managed
    endpoint, you need to manually enable the checkbox on the Endpoint
    object to indicates that the Password Sync Agent is installed."

    https://docops.ca.com/ca-identity-manager/14-2/EN/administrating/password-management/synchronizing-passwords-on-endpoints

    According to the following Knowledge Document, you should configure
    the Password Sync Agent on each endpoint:

    How does the mechanism for password capturing an endpoint password
    change and propagate it to global user, corporate user and other
    accounts work.

    "You will need to install a Password Synchronization Agent ( aka PSync
    Agent ) on your endpoint. The PSync Agent is specific to each endpoint
    and is intercepting passwords changed on the endpoint. "

    https://comm.support.ca.com/kb/how-does-the-mechanism-for-password-capturing-an-endpoint-password-change-and-propagate-it-to-global-user-corporate-user-and-other-accounts-work/kb00005028010:29:09

    Further, according to this next knowledge document, you should set up the
    Password Sync Agent on all domain controllers where passwords are
    allowed to be set / reset.

    Which Domain Controllers should I install Password Sync Agents on?

    "Password Sync Agents are required to be installed only on DCs where
    passwords are allowed to be set/reset."

    [...]

    "you really do not need to install the Password Sync Agent software
    on any domain controller that isn't allowing direct password resets."

    https://comm.support.ca.com/kb/which-domain-controllers-should-i-install-password-sync-agents-on/kb000050277


    KB : KB000103383



  • 2.  Re: Tech Tip : CA Single Sign-On : Password sync agent 

    Posted Jun 29, 2018 05:12 PM

    Hi Patrick, all

    May I suggest that you move this thread from CA Single Sign-On to the CA Identity Suite/CA Identity Manager community? This topic is not related to CA SSO.

     

    HTH. Best, Welington.