
Office 365 Password Sync Troubleshooting Guide - New Version

Password Synchronization Common Issues and Questions

This page is the starting point for troubleshooting password synchronization issues and contains answers to many common questions.

Reboot the Domain Controllers

The first place to begin troubleshooting password synchronization issues is the domain controller(s) on which the Password Client is installed.  Change the password of a test account on that domain controller; if nothing is written to the Password Client log file, then:

1. Make sure the Password Client Service is running.  It is listed in services.msc as Kaseya Password Client Service.

2. Make sure the domain controller was rebooted after the Password Client was installed.  This is a requirement because the DLL that captures the password change can only be loaded at system startup; until the reboot the service runs but never sees a password change, so the log stays empty.

Ensure the Office 365 PowerShell Module is Installed and Working

One of the most frequent problems is that the Office 365 PowerShell module is not installed, or cannot connect to Office 365, on the server that is running the Password Server Service.  Run the checks below on that server, ideally as the account the service runs under, since proxy settings and per-user module installs can differ from those of the interactive administrator.

You can download the module here:

Install the Office 365 cmdlets

To test that the module is installed, open a PowerShell window on the Password Server and run:

Import-Module MSOnline

If you don’t get an error, the module is installed properly.  Next run:

Connect-MsolService

Type in your credentials when prompted.  If you get connected, you could run the following command to ensure that you are connected properly:

Get-MsolUser -MaxResults 10

If you are unable to connect at all, the cause is typically a firewall or proxy between the Password Server and Office 365.

If you get an authentication error, one thing to try is uninstalling and reinstalling the Microsoft Online Services Sign-In Assistant, which the MSOnline module depends on; we have seen that clear up authentication issues with the module.
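The checks from the two sections above (service running, DC rebooted since install, module present and able to connect) collected in one script.  This is an added diagnostic example, not Kaseya's own tooling.  It assumes the service display name quoted in this article, a placeholder Password Server host name, and port 13746, which is the listener port the Password Server reports in the debug log further down this page.

```powershell
# Added diagnostic script (not Kaseya's code). Assumptions: the Password Server host name
# below is a placeholder; 13746 is the listener port shown in the debug log on this page.
$PasswordServer = 'pwsync01.corp.example'   # assumed: host running the Password Server Service
$ListenerPort   = 13746

function Test-PasswordClientHost {
    # Run on each writable domain controller that has the Password Client installed.
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='Kaseya Password Client Service'"
    if (-not $svc) { Write-Warning 'Kaseya Password Client Service is not installed on this DC'; return }
    Write-Host "Service '$($svc.Name)' is $($svc.State) (start mode: $($svc.StartMode))"
    if ($svc.State -ne 'Running') { Start-Service -Name $svc.Name }

    # The capture DLL only loads at boot: a service binary newer than the last boot means
    # the DC has not been rebooted since the install (or an upgrade).
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $os  = Get-WmiObject Win32_OperatingSystem
    $lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
    if ((Test-Path $exe) -and (Get-Item $exe).LastWriteTime -gt $lastBoot) {
        Write-Warning "$exe was written after the last boot ($lastBoot): reboot this DC"
    }

    # The client has to reach the Password Server's listener (TcpClient also works on 2008 R2).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($PasswordServer, $ListenerPort); Write-Host "Reached ${PasswordServer}:$ListenerPort" }
    catch   { Write-Warning "Cannot reach ${PasswordServer}:$ListenerPort - $($_.Exception.Message)" }
    finally { $tcp.Close() }
}

function Test-PasswordServerHost {
    # Run on the Password Server, ideally under the account the service uses, since per-user
    # proxy settings and per-user module installs can differ from the interactive admin's.
    if (-not (Get-Module -ListAvailable -Name MSOnline)) {
        Write-Warning 'MSOnline module not found: install the Office 365 cmdlets (and the Sign-In Assistant) first'
        return
    }
    Import-Module MSOnline -ErrorAction Stop
    try {
        Connect-MsolService -Credential (Get-Credential)
    } catch {
        # No connection is usually firewall/proxy; an authentication error may be the Sign-In Assistant.
        Write-Warning "Connect-MsolService failed: $($_.Exception.Message)"
        return
    }
    # A directory read proves the session is actually usable, which a silent connect does not.
    Get-MsolUser -MaxResults 10 | Select-Object UserPrincipalName, IsLicensed, LastPasswordChangeTimestamp
}

# Usage: Test-PasswordClientHost on each DC; Test-PasswordServerHost on the Password Server.
Test-PasswordClientHost
Test-PasswordServerHost
```

The script warns rather than fixes where a reboot is needed, because the reboot has to be scheduled; everything else it reports is a precondition the sections above list, so a clean run means the remaining suspects are the matching attribute or the Office 365 side.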

Ensure the Matching Attribute in AD matches the Identity in Office 365

If you are receiving errors about the user not being found in Office 365, ensure that the matching attribute in Active Directory matches the identity in Office 365.  When configuring the Password Client on the domain controllers, in the LDAP Server area you can specify the matching attribute as either mail or userPrincipalName.  Whichever attribute is chosen must be populated in the local Active Directory and must equal the user's UserPrincipalName in Office 365, because that value is what the Password Server passes to Set-MsolUserPassword (see the debug log below).  A typical mismatch is an internal UPN suffix such as corp.local in AD against a routable domain in the cloud.

Frequently Asked Questions

Can the Server Service and Client Service be installed on the same server?

Yes.  The only requirement is that the Server Service needs a Windows Server 2008 R2 or Windows Server 2012 machine.  So if you have a domain controller running Windows Server 2008 R2 or Windows Server 2012, both components could be installed on it.

Can I Synchronize the Existing User Passwords to Office 365?

No.  Passwords are only synchronized when they are changed; the existing hashes in Active Directory cannot be read back.  During a migration, you could force the users to change their password at next logon in Active Directory, and the new password would then sync to Office 365.  They would then sign in to Office 365 using their new password.

Do I need to install the Password Client on all DCs?

Yes.  A password change can be processed by any writable DC in the domain, so the client must be installed on all of them.  The exceptions are read-only domain controllers (RODCs), which forward password changes to a writable DC, and domains that contain no user accounts, such as an empty forest root domain.

How does the application match the Active Directory user to the Office 365 User?

On the Password Client, you have the option of selecting the Matching Attribute.  It can be either the mail attribute or the userPrincipalName value.  If you open the Password Client Admin application on the DC and go to the Config tab, you will see an option that allows you to select the attribute.  If you make a change, save the config, then stop and start the service for it to take effect.

Is Directory Synchronization Required?

No.  We match the AD accounts to the Office 365 User based on the matching attribute configured on the Password Client Admin.
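Because the match is made on one attribute rather than through directory synchronization, it is worth checking in bulk that the chosen attribute resolves to a cloud account before relying on it.  The following is an added example, not Kaseya's code.  It assumes the ActiveDirectory and MSOnline modules, an open Connect-MsolService session, and a placeholder OU.

```powershell
# Added example (not Kaseya's code): verify that the Password Client's matching attribute
# (mail or userPrincipalName) resolves to an Office 365 user for each account in scope.
# Assumes an existing Connect-MsolService session; the OU at the bottom is a placeholder.
Import-Module ActiveDirectory
Import-Module MSOnline

function Test-PasswordSyncMatch {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$AdUser,   # output of Get-ADUser with -Properties mail
        [ValidateSet('mail', 'userPrincipalName')][string]$MatchingAttribute = 'userPrincipalName'
    )
    process {
        $value  = $AdUser.$MatchingAttribute
        $result = [ordered]@{ SamAccountName = $AdUser.SamAccountName; Attribute = $MatchingAttribute; Value = $value }
        if ([string]::IsNullOrWhiteSpace($value)) {
            $result.Status = 'attribute empty in AD'
            return [pscustomobject]$result
        }
        # The attribute value is used as the Office 365 identity, i.e. the cloud UserPrincipalName
        # (the debug log shows Set-MsolUserPassword -UserPrincipalName <value>).
        $cloud = Get-MsolUser -UserPrincipalName $value -ErrorAction SilentlyContinue
        if ($cloud) {
            $result.Status = 'OK'
        } else {
            # Typical cause: an internal UPN suffix in AD versus a routable domain in the cloud.
            # List cloud accounts sharing the local part so the mismatch is obvious.
            $localPart  = $value.Split('@')[0]
            $candidates = Get-MsolUser -SearchString $localPart | Select-Object -ExpandProperty UserPrincipalName
            $result.Status = "not found in Office 365; candidates: $($candidates -join ', ')"
        }
        [pscustomobject]$result
    }
}

# Check every enabled user in an OU (assumed) against the attribute the client is configured with.
Get-ADUser -Filter {Enabled -eq $true} -SearchBase 'OU=Staff,DC=corp,DC=example' -Properties mail |
    Test-PasswordSyncMatch -MatchingAttribute mail |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run it with the same MatchingAttribute value that is configured in the Password Client Admin; any row it prints is an account whose password changes will fail with a "user not found" error until the AD attribute or the cloud UPN is corrected.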

How is Password Complexity Handled?

Kaseya Password Sync does not enforce password complexity.  It simply passes the new password to Office 365, which then applies its own password policy.  Make sure the Active Directory password policy is at least as strict as the Office 365 policy: a password that AD accepts but Office 365 rejects is changed on-premises only, leaving the two passwords out of sync, and the Password Server log is where the rejection shows up.

Can I create an LDAP Filter Based on OU?

No.  An LDAP search filter cannot match on the OU portion of a user's distinguishedName, so there is no filter expression for "users in this OU".  The alternative is to create a security group that contains the members of the OU and filter on the memberOf attribute in Active Directory.  Note that memberOf only reflects direct membership, so the group has to be kept in step with the OU as users are created or moved.
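An added example (not Kaseya's code) for the two FAQ answers above: it keeps a security group in step with an OU so the client's LDAP filter can use memberOf, previews the resulting scope, and, for a migration, forces the users in scope to change their password at next logon so that the change is synchronized.  The OU, the group DN and the assumption that the client's filter field takes a standard LDAP filter are all placeholders.

```powershell
# Added example (not Kaseya's code). Assumed names: the OU, the group DN, and that the
# Password Client's filter field accepts a standard LDAP filter.
Import-Module ActiveDirectory

$SourceOu = 'OU=Staff,DC=corp,DC=example'                       # assumed OU to put in scope
$GroupDn  = 'CN=O365-PasswordSync,OU=Groups,DC=corp,DC=example' # assumed security group

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping: these characters are significant inside a filter assertion value
    # (a DN with parentheses in a CN would otherwise break the filter). Backslash goes first.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Sync-PasswordSyncGroup {
    # Mirror the OU into the group. memberOf only reflects direct membership, so members are
    # added directly rather than via nesting; re-run this (e.g. as a scheduled task) as users change.
    $inOu     = Get-ADUser -SearchBase $SourceOu -SearchScope Subtree -Filter {Enabled -eq $true}
    $current  = Get-ADGroupMember -Identity $GroupDn | Where-Object objectClass -eq 'user'
    $toAdd    = $inOu    | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName }
    $toRemove = $current | Where-Object { $_.DistinguishedName -notin $inOu.DistinguishedName }
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupDn -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupDn -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Added = @($toAdd).Count; Removed = @($toRemove).Count }
}

function Get-PasswordSyncScope {
    # The filter to configure on the Password Client, previewed with Get-ADUser so the scope
    # can be checked before the client is pointed at it.
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$(ConvertTo-LdapFilterValue $GroupDn)))"
    Write-Host "LDAP filter: $filter"
    Get-ADUser -LDAPFilter $filter -Properties mail | Select-Object SamAccountName, UserPrincipalName, mail
}

function Invoke-ForcedPasswordChange {
    # Existing passwords are never synchronized, so during migration force a change at next
    # logon for the users in scope. Set-ADUser does not accept ChangePasswordAtLogon for
    # accounts with PasswordNeverExpires set, so those are reported instead.
    $users = Get-ADUser -LDAPFilter "(memberOf=$(ConvertTo-LdapFilterValue $GroupDn))" -Properties PasswordNeverExpires
    foreach ($u in $users) {
        if ($u.PasswordNeverExpires) { Write-Warning "$($u.SamAccountName): PasswordNeverExpires set, not forced"; continue }
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
}

Sync-PasswordSyncGroup
Get-PasswordSyncScope | Format-Table -AutoSize
# Invoke-ForcedPasswordChange   # uncomment during the migration window
```

If nested groups are unavoidable, Active Directory evaluates the LDAP_MATCHING_RULE_IN_CHAIN form (memberOf:1.2.840.113556.1.4.1941:=<group DN>) server-side, but it is considerably slower than a plain memberOf match, which is why the example populates the group directly.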

Enable Debug Logging

If you are having problems with the Password Server that are not addressed in the documentation or support pages, it may be necessary to enable Debug Logging on the Password Server Service from the Password Server Admin application.  Follow the steps below to enable Debug Logging.

[Screenshot: PasswordComplexity.png]

Save the config, then stop and start the service.

The log file should look like this.

!!!! NOTE: WITH DEBUG LOGGING ENABLED, PASSWORDS ARE WRITTEN TO THE LOG IN CLEAR TEXT !!!!

Treat the log as a credential store while debug logging is on: restrict the log file to administrators, turn debug logging off again (save the config, stop and start the service) as soon as the problem has been captured, and redact the pw: values before the file is copied anywhere.  The log also shows the Password Server binding to 0.0.0.0:13746, that is, on every interface; restrict inbound access to that port to the domain controllers that run the Password Client.

[2014/10/10 15:55:06.1] Loading config from C:\Program Files (x86)\Kaseya\PasswordServerService\service.cfg

[2014/10/10 15:55:06.4] Import-Module msonline; Connect-MsolService;

[2014/10/10 15:55:08.5] There is a newer version of the Microsoft Online Services Module.  Your current version will still work as expected, however the latest version can be downloaded at https://portal.microsoftonline.com.

[2014/10/10 15:55:08.5] Connected an Msol powershell session.

[2014/10/10 15:55:08.5] Listen thread running

[2014/10/10 15:55:08.5] PasswordServerService v1.3.5380.19546 Compiled 9/24/2014 11:51:32 AM Copyright © Kaseya 2014

[2014/10/10 15:55:08.5] Started

[2014/10/10 15:55:08.5] Binding to: [0.0.0.0:13746]

[2014/10/10 15:55:08.5] Listening for connections on local End point: 0.0.0.0:13746

[2014/10/10 15:55:41.1]  < 127.0.0.1:55236 > Socket accepted.

[2014/10/10 15:55:41.1]  < 127.0.0.1:55236 > network protocol: DIRECT

[2014/10/10 15:55:41.1]  < 127.0.0.1:55236 >  { chadtesting3@messageops.com } Got password change request.

[2014/10/10 15:55:41.1]  < 127.0.0.1:55236 >  { chadtesting3@messageops.com } upn: 'chadtesting3@messageops.com', pw: 'Password#1000!'

[2014/10/10 15:55:41.1] $u = Set-MsolUserPassword -ForceChangePassword $False -UserPrincipalName chadtesting3@messageops.com -NewPassword ********

[2014/10/10 15:55:42.2]  < 127.0.0.1:55236 >  { chadtesting3@messageops.com } Set Password Result: OK

[2014/10/10 15:55:42.2]  < 127.0.0.1:55236 >  { chadtesting3@messageops.com } Sent Response: OK

[2014/10/10 15:55:43.3]  < 127.0.0.1:55236 > Socket Closed

[2014/10/10 15:55:43.3]  < 127.0.0.1:55236 > Benchmark: Total:00:00:02.1720487 Work:00:00:01.1562601 Wait:00:00:01.0157886

Please provide this log file, with the passwords redacted, to Kaseya Support.
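A way to do the redaction and to pull the outcome of each request out of the log, as an added example that is not part of this article or of Kaseya's tooling.  The log path is an assumption (the article shows the config path, not where the log is written), and the sample lines are constructed in the format shown above rather than taken from a real capture.

```powershell
# Added example (not Kaseya's code): redact plaintext passwords from a Password Server debug
# log before it leaves the server, and summarise the result of each request.
$LogPath = 'C:\Program Files (x86)\Kaseya\PasswordServerService\debug.log'   # assumed path

# Constructed sample in the log format shown on this page (used when $LogPath does not exist).
$SampleLog = @'
[2014/10/10 15:55:41.1]  < 127.0.0.1:55236 >  { user1@corp.example } Got password change request.
[2014/10/10 15:55:41.1]  < 127.0.0.1:55236 >  { user1@corp.example } upn: 'user1@corp.example', pw: 'Winter(2014)!'
[2014/10/10 15:55:41.1] $u = Set-MsolUserPassword -ForceChangePassword $False -UserPrincipalName user1@corp.example -NewPassword ********
[2014/10/10 15:55:42.2]  < 127.0.0.1:55236 >  { user1@corp.example } Set Password Result: OK
[2014/10/10 15:56:03.7]  < 10.0.0.5:49211 >  { user2@corp.example } upn: 'user2@corp.example', pw: 'it''s 'short'
[2014/10/10 15:56:04.9]  < 10.0.0.5:49211 >  { user2@corp.example } Set Password Result: Error: rejected by the Office 365 password policy (constructed)
'@

function Protect-PasswordSyncLog {
    # Returns the lines with every captured password replaced. The pw: value runs to the end
    # of the line, so a greedy match handles passwords that themselves contain quotes.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $line = $line -replace 'pw: ''.*''\s*$', 'pw: ''<redacted>'''
        $line -replace '-NewPassword\s+\S+', '-NewPassword ********'   # defensive; masked already in the sample
    }
}

function Get-PasswordSyncResults {
    # One object per "Set Password Result" line: who was synchronised, from which client, and the outcome.
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^\[(?<ts>[^\]]+)\]\s+<\s*(?<peer>[^\s>]+)\s*>\s+\{\s*(?<upn>[^\s}]+)\s*\}\s+Set Password Result:\s*(?<result>.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Time = $Matches.ts; Client = $Matches.peer; User = $Matches.upn; Result = $Matches.result }
        }
    }
}

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog -split "\r?\n" }
$redacted = "$env:TEMP\PasswordServer-redacted.log"
Protect-PasswordSyncLog -Lines $lines | Set-Content -Path $redacted

# Confirm nothing slipped through before the redacted copy is sent to support.
if (Get-Content $redacted | Select-String -Pattern "pw: '(?!<redacted>')") {
    throw "Redaction incomplete: do not send $redacted"
}
Get-PasswordSyncResults -Lines $lines | Format-Table -AutoSize
```

The results table is also the quickest way to see the failure mode described under "How is Password Complexity Handled?": a request whose Set Password Result is not OK was accepted by Active Directory but refused by Office 365.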
