Office 365 Password Sync Installation and Configuration Guide - New Version

Office 365 Password Synchronization Installation and Configuration Guide - New Version


Kaseya Password Synchronization allows organizations to synchronize passwords from their local Active Directory to Office 365.  The Kaseya Password Synchronization consists of 2 major parts:

  • Password Synchronization Client (Password Client)
  • Password Synchronization Server (Password Server)

The Password Synchronization Client captures the password within the Local Security Authority (LSA) on the Domain Controllers.  The Client Service sends the password request to the Password Synchronization Server.  The Server Service accepts password change requests and sets the password within Office 365.


Password Client

  • .Net Framework 3.51.   If using Windows Server 2012 you must install the .Net Framework 3.5 feature from the Add Roles and Features Wizard.
  • Windows Server 2003 or higher Domain Controller
  • Email address (mail attribute) in Active Directory or UserPrincipalName must match Identity in Office 365.
  • Reboot is required after installation
  • Windows 2008 and 2012 Core editions are currently not supported.

Password Server


Password Complexity should be enforced in the Active Directory Domain.  Failure to enforce password complexity could result in Active Directory Password resets not being allowed in Office 365, since Office 365 does enforce password complexity.  The Password requirements for Office 365 (as they correspond to Active Directory Password Policies) are:

  • Password Length must be at least 8 characters
  • Password Complexity must be enabled
  • Maximum Password Age must be less than the value configured in Office 365.

Installing the Password Synchronization Server

The Password Synchronization Server will typically be installed on a single server in the environment.


To install the Password Server, simply double click the PasswordServerService.msi in the download file.  The install is very straight forward.  You must simply accept the license agreement and choose an install path.


After the installation is complete, you can launch the Password Server Admin to configure the service.  The Password Server Admin is launched via Start->All Programs->MessageOps->Password Server Service->Password Server Admin.

If you run into problems opening the application or saving the configuration, run it as administrator by right clicking on the MessageOpsPasswordServerAdmin.exe in the install directory and choosing Run as Administrator.


Once in the Admin application, click the Config tab to bring up the screen below.


In most cases the only option you’ll need to configure is the MSOL Credentials, but we’ll go through all the options and the license key.

Listen IPv4 -  The IP Address the service will listen for connections on.  The default of means all IP addresses, which is fine for most installs.

Listen Port - The Port number the service listens for connections from the Password Client.  Make sure this port is allowed through the Windows Firewall if it is enabled.

Network Key – The network key is used to secure communications between the client and server.  If left blank a default key is used.  If a value is specified, the same value must be specified on all Password Client installations.

User - The user name of an Office 365 account with administrator credentials.  This account will be used to perform the password resets.  The password on the account specified should be set to never expire.

Pass – The password for the Office 365 administrator account.

License Key – Enter the license key that was provided to you by MessageOps.

Again in most cases, all you should need to specify is the User and Pass values as well as the License Key.  After specifying the values, you can click the Verify Credentials to test them.  Note, it may take 30 seconds for the application to return a result.

After making any changes to the configuration, you must click the Save Config button, then Stop and Start the service.

Alerts Tab

The alerts tab allows you configure email alerts to be sent to administrators and/or end users when a Password Reset failure occurs.


Hostname - The SMTP relay server that the Password Server service will use to send mail.

Email Throttle – Limits the number of Messages that are sent to administrators or users.   In some cases where a password is continually failing a large number of emails could be generated.

Installing the Password Synchronization Client

The Password Synchronization should be installed on all domain controllers in your environment.  The reason for this is you don’t know which DC will be used by a client when they reset their password.  There are 2 versions of the Password Client, a 32 bit version and a 64 bit version.  You must install the appropriate version, based on the OS version it’s being install on.


The install is also very easy, like the server it’s a Next, Next, Next install.  It’s important to note that before the Password Client will work, you must reboot the domain controller it was installed on. You can configure the client service before the reboot, it just won’t work until you reboot.


After the installation is complete, you can launch the Password Client Admin to configure the service.  The Password Client Admin is launched via Start->All Programs->Kaseya->Password Client Service->Password Client Admin.

If you run into problems opening the application or saving the configuration, run it as administrator by right clicking on the KaseyaPasswordClientAdmin.exe in the install directory and choosing Run as Administrator.


Once in the Admin application, click the Config tab to bring up the screen below.


In most cases all you’ll need to configure is the Host, which is the name or IP of the server you previously installed the Password Server on.  Note that in most cases all Password Client systems will report to the same Password Server.  The options on this screen are as follows.

Host - The name or IP address of the Password Server Service.

Port - The port the Password Server is listening on.

Timeout - How long the Password Client should wait for a response from the Password Server before resubmitting the request.

Key - Used to control encryption between the Password Client and Password Server.  If a custom value is used, the same value must be configured on the Password Server.

Verify Button - You can use the Verify Button to make sure the Password Client is able to communicate with the Password Server.

The Password Client has the ability to use a Primary and a Secondary Password Server.  The client will always try the primary server first, but if it fails, it will immediately try the Secondary server.

Root Query - When a password change comes in, the Password Client must do an LDAP lookup on the account to retrieve the email address.  It’s recommended the default of localhost be used.

Filter - The filter is a very powerful feature which controls which user’s passwords are synchronized to Office 365.  By default the filter is:


This filter will synchronize password changes for all users. Password resets for objects that don’t match the query will be discarded.  Let’s say you want to only synchronize users who are a member of the Group, Password Sync.  You would first need to get the DN or the Password Sync Group, which in this example is:

CN=Password Sync,OU=Groups,DC=domain,DC=local

You would then need to modify the filter to look like:

(&(samAccountName={0})(objectCategory=person)(objectClass=user)(memberof=CN=Password Sync,OU=Groups,DC=domain,DC=local))

Connection Attempts - How many consecutive times the Password Client will try to connect to the Password Server before going to the Connection Fail Delay.

Connection Fail Delay - If the Password Client can’t connect to the Password Server, it will wait the specified number of seconds before retrying the connection.

Password Reset Retry Limit – The maximum number of times a password reset attempt will be retried.  If there are problems preventing the password from being reset, the request will be discard after the specified number of attempts.

Testing the Password Synchronization

After you have saved the configuration and stopped/started the service, you should review the Log tab on the Password and Client server admin applications.  The Password Server Admin log should look similar to:

New Log File

[2014/10/10 15:27:19.6] Loading config from C:\Program Files (x86)\Kaseya\PasswordServerService\service.cfg

[2014/10/10 15:27:22.6] Connected an Msol powershell session.

[2014/10/10 15:27:22.6] PasswordServerService v1.3.5381.27208 Compiled 9/25/2014 4:06:56 PM Copyright © Kaseya 2014

[2014/10/10 15:27:22.6] Started

[2014/10/10 15:27:22.6] Listen thread running

[2014/10/10 15:27:22.6] Binding to: []

[2014/10/10 15:27:22.6] Listening for connections on local End point:

The Client Server Admin log should look similar to:

New Log File

[2014/10/10 15:29:05.8339742] Starting

[2014/10/10 15:29:05.8419791] Loaded Database: C:\Program Files\Kaseya\PasswordClientService\statedb.txt

[2014/10/10 15:29:05.9099713] PasswordClientService v1.2.5381.26810 Compiled 9/25/2014 3:53:40 PM Copyright © Kaseya 2014

[2014/10/10 15:29:05.9119708] Started

Next, you’ll need to reset the password on a user account.  It’s important to note that the way the application matches the source user to the Office 365 is based on the mail attribute on the user account.  The mail attribute is visible on the General Tab of the User Properties in the Email field.  So ensure the email address of the account exists in Office 365.  After you reset the password on the account, review the Password Client Log tab for the results.  If all is successful, you should see similar log entries to:

Password Server Log:

New Log File

[2014/10/10 15:34:06.0]  < > Socket accepted.

[2014/10/10 15:34:06.0]  < > network protocol: DIRECT

[2014/10/10 15:34:06.0]  < >  { } Got password change request.

[2014/10/10 15:34:09.6]  < >  { } Set Password Result: OK

[2014/10/10 15:34:09.6]  < >  { } Sent Response: OK

[2014/10/10 15:34:10.6]  < > Socket Closed

[2014/10/10 15:34:10.6]  < > Benchmark: Total:00:00:04.5312780 Work:00:00:03.5156495 Wait:00:00:01.0156285

Password Client Log

New Log File

[2014/10/10 15:34:05.9170422] Processing password change request.

[2014/10/10 15:34:05.9170422] Processing change request for ChadTesting3

[2014/10/10 15:34:06.0264194] Got mail from LDAP:

[2014/10/10 15:34:06.0264194] Connecting to [ localhost:13746 ]

[2014/10/10 15:34:06.0264194] Connected to

[2014/10/10 15:34:06.0264194] Sending Request: 176 Bytes

[2014/10/10 15:34:09.6201016] Deleting interop file.

[2014/10/10 15:34:09.6201016] OK: Password reset success.

It’s recommended you repeat this procedure on each DC to ensure the client is properly functioning on each DC.

If nothing is logged in the Password Client logs after a Password is reset (and the Password Client Service is started), then chances are the Domain Controllers were not rebooted after the installation of the Password Client Service.

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.