The AuthAnvil Password Server supports synchronizing certain types of passwords that are stored in public vaults, namely Standalone Windows Passwords, Remote Windows Passwords, and Active Directory Passwords. Passwords for Windows Scheduled Tasks and Windows Services can also be synchronized by using these types of passwords in Sync Chains - covered in the next section.
To synchronize one of these types of passwords, simply open up the synchronization tab when you are creating or managing the password and select "Enable Synchronization". You also have the option to have the password automatically changed when it expires. Next, choose the sync agent that you would like to perform the password change. If this is a Windows password, select a sync agent on the same network or domain. For web passwords, make sure the sync agent has internet access. Then click "Save Changes".
Note: For Standalone Windows Passwords, the Sync Agent must be on the same machine as the password being synchronized. For Remote Windows Passwords, the sync agent simply has to be on the same network as the target machine, but it requires an elevated Linked Credential to connect to the target machine. For Active Directory Windows Passwords, the sync agent just needs to be on a domain member machine.
Note: For Remote Windows Passwords, the target machine's firewall must have the appropriate ports open for remote management via WMI, as described in this MSDN article and, if it is running Windows Vista or later, must have the LocalAccountTokenFilterPolicy set as described in this Microsoft KB article.
Note: For Windows Service Passwords, you must use the Service Name of the service rather than the Display Name. Right-click the service and go to Properties to verify the Service Name.
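The three notes above describe prerequisites on the target machine. The following is an added example, not AuthAnvil's own tooling, to be run in an elevated Windows PowerShell session on the target machine; it checks the LocalAccountTokenFilterPolicy value (the KB article referenced above sets it to 1), the built-in inbound WMI firewall rule group, and resolves a Display Name to the Service Name a Service Password link needs. 'Print Spooler' is only a sample Display Name.

```powershell
# Added example (not part of AuthAnvil): verify Remote Windows Password and
# Windows Service Password prerequisites on the target machine.

# 1. Remote UAC token filtering. The KB article referenced above sets this DWORD to 1
#    so that a local administrator's token is not filtered on remote WMI connections.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
    -ErrorAction SilentlyContinue
if ($policy -and $policy.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Host 'LocalAccountTokenFilterPolicy = 1: remote WMI with local admin accounts allowed'
} else {
    Write-Warning 'LocalAccountTokenFilterPolicy missing or not 1: Remote Windows Password sync of local accounts will fail'
}

# 2. Inbound firewall rules for WMI. Windows ships a predefined rule group for this,
#    so check that every inbound rule in the group is enabled.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
    -ErrorAction SilentlyContinue | Where-Object { $_.Direction -eq 'Inbound' }
$disabled = $wmiRules | Where-Object { $_.Enabled -ne 'True' }
if ($wmiRules -and -not $disabled) {
    Write-Host 'All inbound WMI firewall rules are enabled'
} else {
    $names = ($disabled | Select-Object -ExpandProperty DisplayName) -join ', '
    Write-Warning "Inbound WMI firewall rules missing or disabled: $names"
}

# 3. Service Name lookup. A Service Password link needs the short Service Name,
#    not the Display Name shown in services.msc. 'Print Spooler' is a sample value.
$displayName = 'Print Spooler'
$svc = Get-Service | Where-Object { $_.DisplayName -eq $displayName }
if ($svc) {
    Write-Host ("Use Service Name '{0}' for Display Name '{1}'" -f $svc.Name, $svc.DisplayName)
} else {
    Write-Warning "No service with Display Name '$displayName' found on this machine"
}
```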
The AuthAnvil Password Server will test that it has the correct password stored the next time that the sync agent checks in, and will then keep the password synchronized with the password that is configured with the vault, based on vault policy. Each day, the AuthAnvil Password Server will verify that all synchronized password records are still in sync with the respective Windows user accounts. For any sync agents that synchronize passwords on remote machines, the machines must be online and available on the network at this time, otherwise the sync test will fail, and the password will be marked as "Out of Sync." See the Out of Sync Passwords section later in this document for more information.
Sync Chains
Sync Chains allow a user to define a series of passwords that need to be kept in sync. A common example is when you change a password for an administrative user account. If that user account has scheduled tasks that run using its credentials, the stored credentials used by the scheduled task must also be updated when the password is synchronized. That's where sync chains come in.
To set up a sync chain, you simply enable synchronization for a password and choose a Sync Agent to synchronize against. You can then add links to the Sync Chain. The "Default Sync" link is always first, and represents the synchronization against the target specified in the "General Settings" panel. Other links are processed in order and represent various local passwords, domain passwords, remote passwords, task passwords and service passwords. Depending on the link, you will have to specify the relevant information, such as the username of the user to synchronize and machine, domain, device, or task-specific information.
For example, in a computer lab where each machine is domain joined, you may want to synchronize all of the local administrator accounts to a single password. This is the perfect scenario for a sync chain. You would install a sync agent on one of the machines in the lab and set up a Standalone Windows Password for the local Administrator account on that machine. Then, in the sync chain, you would set up a "Remote Password" link for each machine in the lab, specifying the machine name and the username to synchronize. The vault will test to make sure that the passwords are initially in sync, and then synchronize all of them against the same password each time it changes in the vault.
Note: Remote Windows Passwords, Task Passwords, and Service Passwords require a linked credential to be configured for the Sync Agent. See the Sync Agents section for more details.
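For the computer-lab scenario above, each "Remote Password" link will be tested by the vault and marked "Out of Sync" if a machine is unreachable or the account does not exist. The following is an added example, not AuthAnvil's own tooling, run from the machine hosting the Sync Agent before the links are created: it checks each lab machine over the same DCOM/WMI path the sync agent uses, prompting for the elevated linked credential described in the note above. The machine names and account name are constructed sample values.

```powershell
# Added example (not part of AuthAnvil): pre-flight check of the lab machines that
# will become "Remote Password" links in a sync chain.
$labMachines = @('LAB-PC01', 'LAB-PC02', 'LAB-PC03')   # constructed sample names
$userName    = 'Administrator'                          # account named in each link
$linkedCred  = Get-Credential -Message 'Elevated linked credential used by the Sync Agent'

# WQL strings are single-quoted, so double any quote in the account name.
$wqlUser = $userName -replace "'", "''"
$dcom    = New-CimSessionOption -Protocol Dcom          # WMI over DCOM, as the agent connects

$results = foreach ($machine in $labMachines) {
    $status = 'OK'
    try {
        # RPC endpoint mapper: the first port a remote WMI connection needs open.
        $tcp = Test-NetConnection -ComputerName $machine -Port 135 -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) {
            throw 'TCP 135 unreachable (machine offline or WMI firewall rules closed)'
        }

        $session = New-CimSession -ComputerName $machine -Credential $linkedCred `
            -SessionOption $dcom -ErrorAction Stop
        try {
            # Confirm the local account the link will synchronize actually exists.
            $acct = Get-CimInstance -CimSession $session -ClassName Win32_UserAccount `
                -Filter "LocalAccount = TRUE AND Name = '$wqlUser'"
            if (-not $acct)         { throw "no local account named '$userName'" }
            elseif ($acct.Disabled) { $status = 'WARN: account is disabled' }
        } finally {
            Remove-CimSession -CimSession $session
        }
    } catch {
        $status = "FAIL: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Machine = $machine; Account = $userName; Status = $status }
}

# Any row that is not OK here would be reported as "Out of Sync" after the vault's initial test.
$results | Format-Table -AutoSize
```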
Sync States
Every password has a status to let users know how the password is being synchronized. This tells the user whether the password is synced or not, if it can be synced, or if it is in the process of being synced. A sync state can be found under the "Sync Status" column for a password. Here is a list of sync states and their meanings:
- Not Synced – A password that has not been configured for synchronization
- Pending Sync – A sync agent is in the process of either testing the password or changing it to a new value
- In Sync – The current password is synchronized and tested against the target login
- Out of Sync – The current password was unable to be validated, or did not log in correctly
- Unsyncable – The Web Workflow on this password has no validation steps, so it cannot be verified as the proper password. Launch permissions can still be configured for Single Sign On access to this application
- Change not Configured – This web password was changed, but there are no workflow steps to update this password on the website. It will have to be manually updated on the website, then you can retry the sync.
Out of Sync Passwords
Occasionally, a password will get out of sync with the vault. This can happen because of an incorrect password stored in the Password Server, a changed password on the Windows / website level, or a failed change due to a bad connection or password complexity. The AuthAnvil Password Server will alert vault owners with an email that the password needs an administrative override. When the vault owner logs in, they will have a task on their task list stating that a password sync failed and that an administrative override is required in order to force the sync. You can see password "Sync Issues" on your Task List in the Dashboard.
On this page, the vault owner needs to enter administrative credentials for the system in question, along with a new password for the account, and click the "Approve" button so that the AuthAnvil Password Server can bring the password back into sync. Users can also click the "Retest Sync" button to send the sync instruction again. This is useful if the target machine was temporarily unavailable during the last synchronization attempt.
Questions?
If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.