Share via


Event ID 8245 — Windows to UNIX Password Synchronization Service -- Run-time Issues

Applies To: Windows Server 2008

Windows to UNIX Password Synchronization Service -- Run-time Issues indicates the functionality of Windows to UNIX password synchronization operations.

When Password Synchronization is configured for Windows-to-UNIX synchronization, and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user's password is to be synchronized on UNIX computers. When the Password Synchronization service is operating normally, it encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized. The daemon then decrypts the password and changes the password on the UNIX host.

Event Details

Product: Windows Identity Management for UNIX
ID: 8245
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_PSWD_CHANGE_PROP_NOT_DONE
Message: Password propagation failed. Either default encryption key is configured or no UNIX hosts are configured to propagate passwords.

Resolve

Check best practices for Password Synchronization

This error typically originates in the UNIX environment. Make certain that Password Synchronization has been configured in accordance with guidelines in Best practices for Password Synchronization, an excerpt of which follows in this topic. In particular, password policies in both the Windows and UNIX environments should have similar restrictions, and minimum requirements for character length and complexity of passwords should be as closely matched as possible.

Best Practices for Password Synchronization

  • Ensure consistent password policies If you are providing only for one-way password synchronization, make sure that the password policy on the computer from which passwords will be synchronized is at least as restrictive in all areas as the policy on the computer to which passwords will by synchronized. For example, if you configure Windows-to-UNIX synchronization, the Windows password policy must be at least as restrictive as the policy of the UNIX computers with which it will synchronize passwords. If you are supporting two-way synchronization, the password policies must be equally restrictive on both systems. Failure to ensure that password policies are consistent can result in synchronization failure when a user changes a password on the less restrictive system, or the password might be changed on the more restrictive system even though it does not conform to the system's policies. Also make sure that Windows users are aware of any special password restrictions on the UNIX systems with which their passwords will be synchronized. For example, some versions of UNIX support a maximum password length of eight characters. For maximum compatibility with the default Windows password policy and these UNIX limitations, passwords should be seven or eight characters long unless you are sure that all UNIX systems can support longer passwords.

Verify

Retry Windows to UNIX password synchronization for failed user password changes to verify that it is operational. Password Synchronization is fully operational when the password synchronization succeeds, and operating under warning conditions if password synchronization fails for some passwords but succeeds for others.

If password synchronization succeeds for some passwords but fails for others, the Windows to UNIX Password Synchronization Service is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts.

Windows to UNIX Password Synchronization Service -- Run-time Issues

Identity Management for UNIX