This article explains how to troubleshoot password synchronization issues.
1 How password sync works
- Password changes are caught by a password filter installed on each source domain controller.
- Once captured, the password change is sent, encrypted, to the CloudAnywhere server.
- When the CloudAnywhere server receives a password change request, it looks up its database and verifies if the source account exists.
- If so, it finds the target that the source object is linked to.
- The password is propagated to the targets where password synchronization is enabled.
2.1 Checking the source domain controller
When a user changes a password, the password change occurs in a domain controller.
First, determine on which domain controller the password change occurred (look for the event logs on the domain controllers).
Once you have determined the domain controller that processed the password change, open the event log on this DC. Every time a password change is caught by the CloudAnywhere agent, it records an event in the event log.
If no event is recorded, either the CloudAnywhere agent service has not been started or the password change did not occur on this DC.
2.2 Error connecting to Gateway
If the event log shows the error “Error connecting to Gateway”, there is a problem of communication between the domain controller and the CloudAnywhere server.
2.2.1 CloudAnywhere service
On the CloudAnywhere server, check that the password listening port is set correctly:
By default, it’s port 9090.
Then verify that the CloudAnywhere server service is listening on port 9090.
- Open a command prompt on the CloudAnywhere server;
- Type netstat -a;
- Verify that it is listening on the configured port.
If it is not listening on the port, it is because the service has not been started, or because the service account doesn't have permissions to access the SQL database.
2.2.2 CloudAnywhere password sync agent configuration
Once you have confirmed that CloudAnywhere is listening for password changes, verify that the CloudAnywhere password sync agent (on the DC) is correctly configured to send password changes to the correct IP and port.
The configuration of the password sync agent is stored in each DC in the registry in HKLM\Software\cloudiway\CloudAnywhere\Preferences
Verify that the correct server name or IP address and port is entered.
2.2.3 Error connecting to Gateway
If you’re still receiving the “Error connecting to Gateway” events, there is probably a firewall issue between the domain controller and the CloudAnywhere server.
Check with your network team for the best way to troubleshoot this issue.
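The checks in 2.2.1, 2.2.2 and 2.2.3 can be scripted. The following PowerShell is an added example, not a Cloudiway tool: it reports what is listening on the configured port (run on the CloudAnywhere server), dumps the agent's Preferences key (run on a DC), and tries a TCP connection from the DC to the server, which separates a firewall block from a wrong address or port. The server name is an assumption you must replace; the value names under the Preferences key are not documented on this page, so the script prints every value rather than assuming names.

```powershell
# Added troubleshooting helper (not part of CloudAnywhere). Run elevated.
param(
    [string]$Server = 'cloudanywhere.example.local',  # assumed host name; replace with your server
    [int]$Port = 9090                                  # default password listening port per the article
)

# Registry key the article gives for the password sync agent configuration on each DC
$key = 'HKLM:\Software\cloudiway\CloudAnywhere\Preferences'

# 2.2.1: on the CloudAnywhere server, is a process listening on the configured port?
function Test-ListenerPort {
    param([int]$LocalPort)
    $l = Get-NetTCPConnection -State Listen -LocalPort $LocalPort -ErrorAction SilentlyContinue
    if ($l) {
        $proc = Get-Process -Id $l[0].OwningProcess -ErrorAction SilentlyContinue
        "Port $LocalPort is LISTENING (pid $($l[0].OwningProcess), $($proc.ProcessName))"
    } else {
        "Nothing is listening on port ${LocalPort}: check that the CloudAnywhere service is started and that its service account can access the SQL database"
    }
}

# 2.2.2: on a DC, show every value the agent was configured with (names not assumed)
function Show-AgentPreferences {
    if (-not (Test-Path $key)) {
        return "Registry key $key not found: is the password sync agent installed on this DC?"
    }
    Get-ItemProperty -Path $key |
        Select-Object * -ExcludeProperty PS* |   # drop the PSPath/PSProvider bookkeeping properties
        Format-List | Out-String
}

# 2.2.3: from the DC, can a TCP connection be opened to the server port at all?
function Test-GatewayReachable {
    param([string]$ComputerName, [int]$TcpPort)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $TcpPort -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) {
        "TCP connect to ${ComputerName}:$TcpPort succeeded"
    } else {
        "TCP connect to ${ComputerName}:$TcpPort FAILED (resolved to $($r.RemoteAddress)); suspect a firewall or a wrong address/port in the agent configuration"
    }
}

Test-ListenerPort -LocalPort $Port
Show-AgentPreferences
Test-GatewayReachable -ComputerName $Server -TcpPort $Port
```

On the DC only the last two checks are meaningful; on the server only the first. Compare the port shown in the Preferences output with the port the server is actually listening on.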
2.2.4 Passwords are received but not pushed
When the password change is received by the CloudAnywhere service, it records an event in the CloudAnywhere log.
If no password is pushed:
- Verify if the source account exists in the CloudAnywhere database.
  - If it's not present, either:
    - it's not been synchronized; OR,
    - it's filtered.
  - If it's present in the database, verify if it's linked to target objects:
    - there should be a link icon showing that it is linked;
    - the right pane should display all the target objects it is linked to.
If the source object is linked to a target object, verify that the target connector is configured to synchronize passwords.
Finally, check the logs to see if specific errors are recorded (for example, insufficient password complexity, etc.).