When synchronizing passwords with
The PSA component provides password synchronization between directories that support differing password storage schemes. The PSA immediately hashes the password with a salted secure hash algorithm (SSHA256 by default; see below) and erases the memory where the clear-text password was stored, so the clear-text value is never transmitted. The component only transmits data over a secure (SSL) connection, and follows Microsoft's security guidelines when handling clear-text passwords. The PSA uses Microsoft Windows password filters, which are loaded into the Local Security Authority (LSA) process; the password filter interface is what lets a component perform password policy validation and receive notification of password changes. For more information, see Microsoft's product documentation.
The default password hashing algorithm is SSHA256. To change the algorithm, create a registry key in the Windows registry under PASSWORD_HASHING_ALGORITHM. The options are SSHA, SSHA1, SSHA256, SSHA384, and SSHA512.
For outbound password synchronization from a PingDirectory server to
The PSA supports failover between servers. It caches the hashed password changes in a local database until it can be guaranteed that all PingDataSync servers in the topology have received them. The failover features enable any or all of the PingDataSync servers to be taken offline without losing any password changes from Active Directory.
The PSA is safe to leave running on a domain controller indefinitely. To stop synchronizing passwords, remove the
- The PSA pre-encodes all passwords with a one-way salted SHA-256 hash before uploading them to PingDataSync. Password changes from Active Directory can only be synchronized to destinations that support setting pre-encoded passwords. Currently, pre-encoded password synchronization is limited to PingDirectory, DSEE, Oracle OUD, and OpenDJ. Active Directory explicitly does not allow for the synchronization of pre-encoded passwords.
- Syncing a pre-encoded password to PingDirectory skips password validation: the server receives only the salted hash, so its password validators have no clear-text value to evaluate.
- Unlike the changelog password encryption plugin, the PSA never has access to a decryptable version of the password, so it cannot sync it to any destination that doesn't support pre-encoded passwords, such as Active Directory.
- The Active Directory Sync Destination silently drops any passwords it can't decrypt; nothing about the dropped change is logged.
- Syncing pre-encoded passwords to Active Directory is not possible, whether they originate from PingDirectory or from Active Directory through the PSA.
- Make sure that the Active Directory domain controller has SSL (LDAPS) enabled and running.
- Make sure the PingDataSync servers are configured to use SSL when connecting to the Active Directory host.
- At least one Active Directory Sync Source (ADSyncSource) must be configured on PingDataSync and should point to the domain controller(s) on which the PSA will reside.
- At installation time, all PingDataSync servers in the sync topology must be online and available.
- The PSA component is for outbound-only password synchronization from Active Directory. It is not needed for one-way password synchronization from a PingDirectory server to Active Directory.
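The following is an added example, not code from the PSA, PingDataSync, or PingDirectory. It shows the salted-hash encodings named in the hashing-algorithm options above (SSHA/SSHA1, SSHA256, SSHA384, SSHA512) and illustrates the pre-encoded-password considerations: a destination that receives only the `{SCHEME}` value can still verify a bind, but it cannot recover the clear text and cannot run clear-text password validators on it. It assumes the conventional LDAP layout base64(digest(password || salt) || salt) behind a `{SCHEME}` prefix; the 8-byte salt length, the scheme table, and the sample passwords are this example's own choices, not values stated on this page.

```python
# Added example (not PSA or PingDataSync code): the salted-hash password
# encodings named in this section, and what a destination can and cannot
# do with a pre-encoded value.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme name as it appears in the {SCHEME} prefix -> (hashlib name, digest length).
# Assumption: SSHA and SSHA1 are treated here as aliases for salted SHA-1.
SCHEMES = {
    "SSHA": ("sha1", 20),
    "SSHA1": ("sha1", 20),
    "SSHA256": ("sha256", 32),
    "SSHA384": ("sha384", 48),
    "SSHA512": ("sha512", 64),
}
SALT_LEN = 8  # assumption for this example; the agent's real salt length is not given on the page


def encode(password: str, scheme: str = "SSHA256", salt: Optional[bytes] = None) -> str:
    """Pre-encode a clear-text password as {SCHEME}base64(digest(pw || salt) || salt).

    This is the one-way step: once the clear-text buffer is discarded only this
    string remains, and nothing downstream can turn it back into the password.
    """
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %r; choose one of %s" % (scheme, sorted(SCHEMES)))
    algo, _ = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse(encoded: str) -> Tuple[str, bytes, bytes]:
    """Split a pre-encoded value into (scheme, digest, salt); reject malformed input."""
    if not encoded.startswith("{") or "}" not in encoded:
        raise ValueError("value is not a pre-encoded password")
    scheme, b64 = encoded[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    _, dlen = SCHEMES[scheme]
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) <= dlen:
        raise ValueError("encoded value carries no salt")
    return scheme, raw[:dlen], raw[dlen:]


def verify(password: str, encoded: str) -> bool:
    """What a destination that supports pre-encoded passwords CAN do: check a bind.

    It recomputes digest(candidate || salt) with the stored salt and compares in
    constant time; it never learns the clear text.
    """
    scheme, digest, salt = parse(encoded)
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_pre_encoded(value: str) -> bool:
    """Gate for clear-text password validators at a destination.

    A value that parses as {SCHEME}... is already hashed, so length or
    character-class rules cannot be evaluated against it (the "skips password
    validation" caveat above); validators can only run when this returns False.
    """
    try:
        parse(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    pw = "Correct-Horse-7"  # constructed sample password
    for name in SCHEMES:
        v = encode(pw, name)
        print(name, v, "bind ok:", verify(pw, v), "wrong pw:", verify("wrong", v))
    print("validators can inspect clear text:", not is_pre_encoded(pw))
    print("validators can inspect hash:", not is_pre_encoded(encode(pw)))
```

Run it as a script to see one encoding per scheme; each run produces different strings for the same password because the salt is random, which is also why a destination cannot deduplicate or compare pre-encoded values across accounts.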