Troubleshooting Password Synchronization
Applies To: Windows Server 2008
Troubleshooting
What trouble are you having?
User cannot log on to UNIX system after changing Windows password
Passwords fail to synchronize in a Windows domain, seemingly at random
User's password is changed on some, but not all, computers
Error ID 4104 is recorded in the event log for a system account, which usually has a name ending with a dollar sign ($)
An error message about the encryption key is recorded in Event Viewer after Password Synchronization installation completes
I cannot stop the single sign-on daemon (SSOD) using kill -TERM on Linux
User cannot log on to UNIX system after changing Windows password
Cause: Windows does not report a problem if an attempt to synchronize a UNIX password with a new Windows password fails.
Solution: Check the Windows event log to determine why the attempt to change the password on the UNIX system failed.
Passwords fail to synchronize in a Windows domain, seemingly at random
Cause: Password Synchronization is not configured identically on all domain controllers in the domain. As a result, if a nonconforming domain controller accepts a user's password change, it might not be able to change the password on UNIX computers.
Solution: Ensure that Password Synchronization is configured identically on all domain controllers, particularly host settings and default settings for encryption keys and ports.
User's password is changed on some, but not all, computers
Cause: Password policies are more restrictive on some computers, user names do not match between Windows and UNIX computers, or the user changed the password on a UNIX computer when two-way synchronization is not set up.
Solution: Ensure that password policies on Windows and UNIX computers that synchronize passwords are similar. Otherwise, if the user changes the password on the less restrictive computer, the more restrictive system might not accept the new password. Password policies that govern minimum and maximum length, character case and alphanumeric mix, expiration, and reuse must be as close as possible between Windows and UNIX computers that synchronize passwords. Also, Windows and UNIX system administrators must ensure that that user names, including case, are identical on the Windows and UNIX computers.
Error ID 4104 is recorded in the event log for a system account, which usually has a name ending with a dollar sign ($)
Cause: This error does not indicate a problem. It is logged when a backup domain controller or domain member server resets its secure channel with the domain. When this happens, the server password is also reset. Password Synchronization intercepts these password change requests; because they are for computer accounts rather than for user or group accounts, Password Synchronization logs error number 4104.
Solution: No corrective measures are necessary.
An error message about the encryption key is recorded in Event Viewer after Password Synchronization installation completes
Cause: This error does not indicate a problem; it is a reminder for the Password Synchronization administrator to change the default encryption key. Changing the default encryption key is a security best practice for Password Synchronization, and helps prevent unauthorized users from obtaining passwords. Typically, the description text of this error message is "Default encryption key is insecure. Please generate new encryption key." For more information about best practices, see Best Practices for Password Synchronization.
Solution: Set a new encryption key by using the procedure in the topic Setting the password encryption key.
I cannot stop the single sign-on daemon (SSOD) using kill -TERM on Linux
Cause: This is a known limitation.
Solution: Use kill 9 SSOD_PID instead.