Share via


Event ID 8227 — UNIX to Windows Password Synchronization -- Configuration Issues

Applies To: Windows Server 2008

UNIX to Windows Password Synchronization -- Configuration Issues indicates the completeness or usability of settings that are configured for UNIX to Windows password synchronization.

When Password Synchronization is properly configured for UNIX to Windows synchronization, and the synchronization service is available, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization pluggable authentication module (PAM) makes this possible by intercepting the password change request on the UNIX host, encrypting the password (provided that encryption keys across the Windows and UNIX environments match), and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.

Event Details

Product: Windows Identity Management for UNIX
ID: 8227
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_ERROR_DECRYPTING
Message: Error decrypting the password or property changes.

Resolve

Check for encrypytion key mismatch

This error can occur if the encryption key length is not the same in both the UNIX and Windows environments. Check the encryption key identified in sso.conf (for the UNIX host) and in the Identity Management for UNIX management console (on the Windows-based computer). Both encryption key entries should be identical for successful password synchronization.

The password can be successfully decrypted only if Password Synchronization and the SSOD or PAM module use the same encryption key to encrypt and decrypt the password. Before installing the SSOD on any UNIX computer, you must first set the default encryption key. You must then specify the same key in the sso.conf file when you install the SSOD on each UNIX host. This will ensure that Password Synchronization and the SSOD on the UNIX hosts will use the same encryption key.

Setting the default encryption key

Important

This setting affects the default encryption key for UNIX hosts when they are added for synchronization, as well as the port used for UNIX-to-Windows synchronization. If you change this setting, you must edit the SYNC_HOSTS entry in the /etc/sso.conf file to specify the same encryption key on UNIX hosts that are configured for UNIX-to-Windows password synchronization with the computer on which you complete this procedure.

To set the default encryption key:

  1. Open the Identity Management for UNIX management console by clicking Start, pointing to Administrative Tools, and then clicking Microsoft Identity Management for UNIX.

    You can also open the Identity Management for UNIX management console from within Server Manager, by expanding Roles and then Active Directory Domain Services in the hierarchy pane, and then selecting Microsoft Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. In the hierarchy pane, click Password Synchronization, and then do one of the following.

    • Right-click Password Synchronization, and then click Properties.
    • Click Properties in the Actions pane.
    • On the Action menu, click Properties.
  4. In the Encryption and decryption key area of the General tab, enter a key you want to use, or click Generate key to have Password Synchronization create a new key for you.

    For maximum security, you should use a key that is the maximum 21 characters in length.

  5. To save your changes, click Apply.

Make sure that encryption keys match in sso.conf

To make sure that encryption keys match in sso.conf:

  1. Before editing sso.conf, save a backup copy to a convenient location.

  2. On the computer running Windows Server 2008, open /etc/sso.conf by using a text editor, such as Notepad.

  3. In the sso.conf file, search for the SYNC_HOSTS entry.

  4. Make sure that the encryption keys specified for any Windows-based servers running Password Synchronization are identical to those configured in the Password Synchronization UI, described in the preceding procedure.

    SYNC_HOSTS=( domainController[, portNumber [, encryptionKey]]) ...

    Each entry in the list must be enclosed by parentheses and separated from the next entry by a blank space.

  5. Save your changes and close sso.conf.

Verify

Retry UNIX to Windows password synchronization for any failed user password change attempts to verify that it is operating normally. Password Synchronization is operating normally when the password synchronization succeeds, and operating under warning conditions if synchronization fails for some passwords but succeeds for others.

UNIX to Windows Password Synchronization -- Configuration Issues

Identity Management for UNIX