Updating the Specops Password Sync Server Certificate
The Specops Password Sync Server service uses a self-signed certificate to encrypt traffic sent to it by the Password Sync Notifier Filter Service on your domain controllers. Renew this certificate before it expires to prevent communication issues between the domain controller notifiers and the sync server.
Identify the Certificate Currently In Use
To check which certificate is currently in use, open the Sync Server configuration file C:\Program Files\Specopssoft\Specops Password Sync\ServerPasswordSync.Server.exe.config. Look for the serviceCertificate XML tag and its findValue parameter, e.g.
The value of this parameter is the thumbprint of the certificate currently in use. Check the computer account personal certificate store for the corresponding certificate. To find the certificate from an admin PowerShell prompt:
dir cert:\localmachine\my\<certificatethumbprint> | fl
Substitute <certificatethumbprint> with the value from the config file, e.g.
The certificate subject should match the FQDN of the server, and the current date should fall within the certificate's validity dates. If the certificate has expired, it must be renewed.
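The checks described above can be combined into one read-only script. This is an added example, not Specops code: the script parameters (ConfigPath, WarnDays) and the 30-day warning threshold are assumptions, and it assumes findValue holds a SHA-1 thumbprint as the article describes.

```powershell
# Added example: read-only check of the certificate referenced by the Sync Server config.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,  # full path to the Sync Server .exe.config file
    [int] $WarnDays = 30                          # assumed threshold for an "expiring soon" flag
)

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$node = $config.SelectSingleNode('//serviceCertificate')
if (-not $node) { throw "No serviceCertificate element found in $ConfigPath" }

# Copy/paste can leave spaces or invisible characters in a thumbprint; keep hex digits only.
$thumbprint = ($node.GetAttribute('findValue') -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumbprint.Length -ne 40) { throw "findValue is not a 40-character SHA-1 thumbprint" }

# The service certificate lives in the computer account personal store.
$cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $thumbprint is not in Cert:\LocalMachine\My" }

# Same FQDN expression the article uses when creating the certificate
# (requires a domain logon; USERDNSDOMAIN is empty for local accounts).
$fqdn     = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
$now      = Get-Date
$daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
$cn       = $cert.GetNameInfo('SimpleName', $false)   # CN portion of the subject

[pscustomobject]@{
    Thumbprint         = $cert.Thumbprint
    Subject            = $cert.Subject
    NotBefore          = $cert.NotBefore
    NotAfter           = $cert.NotAfter
    DaysLeft           = $daysLeft
    SubjectMatchesFqdn = ($cn -eq $fqdn)              # -eq on strings is case-insensitive
    HasPrivateKey      = $cert.HasPrivateKey
    WithinValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    RenewSoon          = ($daysLeft -lt $WarnDays)
}
```

Run it from an elevated prompt on the sync server; scheduling it gives advance notice before the notifiers on the domain controllers start failing.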
Install A New Certificate
A new self-signed certificate can be created through any means available; our only requirement is that the certificate subject matches the FQDN of the Password Sync server. The following PowerShell command creates an appropriate certificate that is valid for five years:
New-SelfSignedCertificate -Subject "$env:computername.$env:userdnsdomain" -NotAfter (Get-Date).AddYears(5)
The command creates the certificate and outputs its thumbprint. Next, open Notepad as an administrator and edit the config file C:\Program Files\Specopssoft\Specops Password Sync Server\PasswordSync.Server.exe.config to update it with the new certificate thumbprint.
Warning: be sure to back up the configuration file before making any changes.
Save the config file, then restart the Specops Password Sync Server service for the change to take effect.