Event ID 12288 — UNIX to Windows Password Synchronization Service -- Run-time Issues

Applies To: Windows Server 2008 R2

UNIX to Windows Password Synchronization Service -- Run-time Issues covers the events that report on the operation of UNIX to Windows password synchronization.

When Password Synchronization is configured for UNIX to Windows synchronization, and UNIX to Windows synchronization is functioning normally, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization pluggable authentication module (PAM) makes this possible by intercepting the password change request on the UNIX host, encrypting the password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.

Event Details

Product: Windows Identity Management for UNIX
ID: 12288
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_INVALID_USER_WARN
Message: Password change request rejected for an account that was not valid. %rAccount = %1

Resolve

Make sure that the user account is valid

A password change request failed because it applied to a user account that is either not valid or does not exist. Verify that the user exists, and that the account is not locked, disabled, or expired.

You can verify that the UNIX-based computer has been added to the list of UNIX-based computers participating in password synchronization by completing the following procedure.

Verify that a UNIX-based computer has been added for synchronization

To verify that a UNIX-based computer has been added for synchronization:

  1. Open the Identity Management for UNIX management console by clicking Start, pointing to Administrative Tools, and then clicking Microsoft Identity Management for UNIX.

    You can also open the Identity Management for UNIX management console from within Server Manager, by expanding Roles and then Active Directory Domain Services in the hierarchy pane, and then selecting Microsoft Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. In the hierarchy pane, under the Password Synchronization node, click UNIX Computers.

  4. In the results pane, look for the UNIX-based computer on which the user named in the event message (the account reported as not valid) is logged on.

  5. If the computer is not listed, add it by continuing with step 6. If the computer is listed, go on to the next procedure, "Check sso.conf for the missing user account."

  6. In the hierarchy pane, under the Password Synchronization node, click UNIX Computers, and then do one of the following.

    • Right-click UNIX Computers, and then click Add Computer.
    • Click Add Computer in the Actions pane.
    • On the Action menu, click Add Computer.
  7. In the Computer name text box of the Add Computer dialog box, provide the name or IP address of a UNIX-based computer.

  8. In the Direction of password synchronization area, select the direction of password synchronization for this computer.

  9. If necessary, specify a different encryption key than the default key, or click Generate key to have Password Synchronization generate a new key for synchronization with this computer. The key configured here must match the ENCRYPT_KEY value in sso.conf on that UNIX-based computer; otherwise the service cannot decrypt the password change requests it receives from that host.

  10. If necessary, change the port number this computer monitors for password changes. The default is 6677. Click OK.

Check sso.conf for the missing user account

To check sso.conf for a missing user account

  1. Before editing sso.conf, save a backup copy to a convenient location.
  2. On the UNIX-based computer from which the password change originates, open /etc/sso.conf in a text editor. (sso.conf is the configuration file of the Password Synchronization PAM and daemon on the UNIX host; it does not exist on the Windows-based computer.)
  3. In sso.conf, search for the SYNC_USERS entry.
  4. Make sure that the user who is attempting to change the password is in the SYNC_USERS list.
    • If a minus sign (-) has been added before the user's name, this prevents the user's password changes from being synchronized.
    • If a plus sign (+) has been added before any other user names in SYNC_USERS, but not before the name of the user who is having the password change difficulties, this prevents users who do not have the + character in front of their names from participating in password synchronization.
  5. If the user has not been added to the list in SYNC_USERS, add the user's account name.
  6. Remove the minus sign or add the plus sign, as described in the preceding steps, so that the user participates in password synchronization.
  7. Save your changes and close sso.conf.
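The SYNC_USERS rules above can be checked from a script rather than by eye. The following POSIX shell script is an added example and is not part of the original page or of Identity Management for UNIX: it extracts the SYNC_USERS entry from an sso.conf file and reports, for one account, whether the minus-sign and plus-sign rules would prevent that account's password changes from being synchronized. It assumes that entries are comma-separated and that the keyword all means every user participates (neither is stated on this page); the sso.conf fragment it writes is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page or from Identity Management for UNIX):
# evaluate the SYNC_USERS rules of sso.conf for one account.
# Assumptions: entries are comma-separated; the keyword "all" means every
# user participates. The sample file written below is constructed.

# check_sync_users VALUE USER
#   VALUE is the text after "SYNC_USERS=". Prints the reason and returns
#   0 if USER would be synchronized, 1 otherwise.
check_sync_users() {
    list=$(printf '%s' "$1" | tr -d '[:space:]')
    user=$2
    if [ -z "$list" ]; then
        echo "not listed: SYNC_USERS is empty"
        return 1
    fi
    if [ "$list" = "all" ]; then
        echo "allowed: SYNC_USERS=all (assumed keyword)"
        return 0
    fi
    has_plus=0 found=0 has_own_plus=0 has_own_minus=0
    old_ifs=$IFS
    IFS=,
    for entry in $list; do
        case "$entry" in
            +*) has_plus=1
                if [ "${entry#+}" = "$user" ]; then found=1; has_own_plus=1; fi ;;
            -*) if [ "${entry#-}" = "$user" ]; then found=1; has_own_minus=1; fi ;;
            *)  if [ "$entry" = "$user" ]; then found=1; fi ;;
        esac
    done
    IFS=$old_ifs
    # Rule from the procedure: a leading minus sign excludes the user.
    if [ "$has_own_minus" = 1 ]; then
        echo "excluded: minus sign before $user"
        return 1
    fi
    # Rule from the procedure: the user must be listed at all.
    if [ "$found" = 0 ]; then
        echo "not listed: $user is absent from SYNC_USERS"
        return 1
    fi
    # Rule from the procedure: once any entry carries a plus sign, only
    # plus-prefixed users participate.
    if [ "$has_plus" = 1 ] && [ "$has_own_plus" = 0 ]; then
        echo "excluded: other entries carry a plus sign but $user does not"
        return 1
    fi
    echo "allowed"
    return 0
}

# sync_user_status CONF USER
#   Reads the last uncommented SYNC_USERS line from CONF and checks USER.
sync_user_status() {
    value=$(sed -n 's/^[[:space:]]*SYNC_USERS[[:space:]]*=//p' "$1" | tail -n 1)
    if [ -z "$value" ]; then
        echo "not listed: no SYNC_USERS entry in $1"
        return 1
    fi
    check_sync_users "$value" "$2"
}

# Writes a constructed sso.conf fragment to a temporary file and prints its path.
write_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sso.conf fragment for this example, not a real host's file
#SYNC_USERS=all
SYNC_USERS=alice,-bob,carol
EOF
    echo "$f"
}

# Usage on a UNIX host: sh check_sync_users.sh /etc/sso.conf <account>
if [ "$#" -eq 2 ]; then
    sync_user_status "$1" "$2"
fi
```

Run it on the UNIX host against /etc/sso.conf with the account named in the event message; a non-zero exit status with the printed reason points at which of the three SYNC_USERS rules needs correcting before the password change is retried.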

Verify

To verify the functional state of UNIX to Windows password synchronization, retry UNIX to Windows password synchronization. UNIX to Windows password synchronization is fully operational when the password synchronization succeeds, and functioning with warning conditions present if password synchronization fails for some passwords but succeeds for others.

If password synchronization succeeds for some passwords but fails for others, the UNIX to Windows Password Synchronization Service itself is likely fully operational, and the failures are more likely caused by account-specific or computer-specific configuration problems (such as the SYNC_USERS entries or the per-computer key and port settings described above) that prevent particular password changes from being synchronized to the Windows-based computers.
