Advanced Administration

The content below is intended for administrators who want to better understand the ways in which the Specops Password Sync components interact, and how to best configure the system in different types of environments.

Components

Specops Password Sync consists of the following components. The overview below shows the communication between the components when completing a password synchronization.

Specops Password Change Notifier

The Specops Password Change Notifier responds to successful password changes performed by the domain controller and sends a password synchronization request to the Sync Server. The Password Change Notifier must be installed on all Domain Controllers that handle password change requests.

Note: It is best to have the Password Change Notifier on all Domain Controllers, but only the Domain Controllers that handle password change requests will require the notifier.

The Specops Password Change Notifier contains the following sub components:

  • Notifier Filter
  • Notifier Service

Notifier Filter

The Notifier Filter intercepts password changes on the Domain Controller. When a successful password change is detected, the Notifier Filter will perform the following security validations:

  • Verify Privileged Groups: Users with the adminCount user object property set to 1 in Active Directory (Domain Admins, Schema Admins, etc.) are filtered out and will not have their passwords synchronized. An event will be written to the log every time a password synchronization job for a protected user is detected.

Note: You can enable password synchronization for privileged groups from the Change Notifier registry settings. For more information, see the Specops Password Sync Administration Guide.

  • Verify the Scope of Management: Every Sync Scope must have at least one User Scope of Management configured.

Note: If a Group Policy that affects a user is linked outside of the scope, it will result in the password not being synchronized, and an event log entry written on the domain controller.

  • Verify the configured Sync Servers: The Notifier Filter verifies the Sync Server(s) configured with a specific sync point. This prevents a rogue administrator from replacing an approved Sync Server with one they can control, and so from circumventing the core security of the system.
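To see which accounts the Verify Privileged Groups check will skip, the following added PowerShell example (not part of the Specops product or its documentation) lists users with adminCount set to 1 and marks those that no longer belong to any adminCount-flagged group. Active Directory does not clear adminCount when a user leaves a protected group, so such accounts are still excluded from synchronization. The example assumes the ActiveDirectory RSAT module; the function names are hypothetical.

```powershell
# Added example, not Specops code. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Escape a distinguished name for use as an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-AdminCountSyncExclusion {
    # Groups currently flagged adminCount=1 (protected groups and groups nested in them).
    $protected = @(Get-ADGroup -LDAPFilter '(adminCount=1)' |
        Select-Object -ExpandProperty DistinguishedName)

    # User accounts the Notifier Filter filters out by default.
    $filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    $users = Get-ADUser -LDAPFilter $filter -Properties PrimaryGroup

    foreach ($user in $users) {
        # Transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN.
        $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
        $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            Select-Object -ExpandProperty DistinguishedName)
        # The primary group is not listed in the member attribute, so add it separately.
        if ($user.PrimaryGroup) { $groups += $user.PrimaryGroup }

        $hits = @($groups | Where-Object { $protected -contains $_ })
        # Heuristic: no flagged group found suggests a leftover adminCount value.
        $status = if ($hits.Count) { 'protected, excluded from sync' } else { 'no protected membership, review adminCount' }

        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            Enabled         = $user.Enabled
            ProtectedGroups = $hits -join '; '
            Status          = $status
        }
    }
}

Get-AdminCountSyncExclusion | Sort-Object Status, SamAccountName | Format-Table -AutoSize -Wrap
```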

Once the security verifications have been completed, a password change request file will be created for each configured Sync Point. The password is encrypted with the Windows Data Protection (DPAPI) mechanism using the System credentials of the Domain Controller. This means that only the Domain Controller can decrypt the password. The default path to the job queue is:

%SystemRoot%\System32\SpecopsPasswordSync\Queues

Note:

  • The path to the job queue is on the Domain Controller.
  • Only the Local System has permissions to access this location.
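The following added PowerShell example (not part of the Specops product or its documentation) checks the statement above by listing every Allow entry on the queue folder that is granted to an identity other than Local System. The function name is hypothetical; the default path is the one given above.

```powershell
# Added example, not Specops code. Run in an elevated 64-bit PowerShell session on the
# Domain Controller (a 32-bit session is redirected away from System32).
function Test-QueueFolderAcl {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\SpecopsPasswordSync\Queues')
    )

    $systemSid = 'S-1-5-18'   # well-known SID of Local System
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A caller other than Local System may be denied read access to the ACL itself.
        Write-Warning "Cannot read the ACL on ${Path}: $($_.Exception.Message)"
        return
    }

    # Explicit and inherited rules, with identities returned as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or $sid -eq $systemSid) { continue }

        # Resolve the SID to a name where possible; keep the raw SID otherwise.
        $name = $sid
        try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Identity  = $name
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$unexpected = @(Test-QueueFolderAcl)
if ($unexpected.Count) {
    Write-Warning 'Identities other than Local System have access to the queue folder:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'No Allow entries for identities other than Local System were found.'
}
```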

Notifier Service

The Specops Password Change Notifier Service will pick up the password change request file from the queue folder, and get the correct Sync Server from Active Directory. The Notifier Service runs in the security context of the Domain Controller and is able to decrypt the password. The Notifier Service will try to set up an encrypted SSL session with the primary Sync Server for the Sync Point. If this fails, the secondary Sync Server is contacted. When the session is established, the identity of the remote Sync Server Service is verified using Kerberos Mutual Authentication to verify that the remote computer is the computer configured in Active Directory. The password change request is passed to the Sync Server through the secure encrypted channel. Once a successful communication attempt is made, the local encrypted password change request file is deleted from the queue folder.

Specops Password Sync Server

The Specops Password Sync Server synchronizes new passwords to connected systems.

The Specops Password Sync Notifier connects to and sends password change requests to the Specops Password Sync Server over an SSL connection on port 4377. When a Sync Server is contacted by the Notifier, the Sync Server verifies that the connecting computer is the correct Domain Controller using Kerberos Mutual Authentication. When the request is validated, the password is encrypted with DPAPI using the system credentials and added to the SQL CE database located in:

%LocalAppData%\Specops Password Sync\SpecopsPasswordSync.sdf

Note: Only the Local System can decrypt the information.

The Specops Password Sync Server uses a Specops Password Sync Provider to contact the target systems configured in the Sync Point and performs the password synchronization. Once the password has been synchronized, the encrypted entry in the database is removed. If the synchronization is not successful, the Specops Password Sync Server will continue trying until it has reached the maximum number of retry attempts. If all retries have failed, the encrypted password will be removed.

Sync Server TCP/IP Ports

The Sync Server uses two ports for communication on the internal network.

Port        Description
TCP/4377    Password Sync job communication between the Notifier Service and the Sync Server.
TCP/4378    Used when the admin tool communicates with the Sync Server.

The port settings are stored in the service configuration file “PasswordSync.Server.exe.config” in the service installation directory. You can change the port numbers by editing the following section of the file:

<service name="Specopssoft.PasswordSync.Server.HttpPasswordChangeListener" behaviorConfiguration="SpsServiceBehavior">
<add baseAddress="https://SRV01.specops.demo:4377/SPS"/>
<service name="Specopssoft.PasswordSync.Server.SyncServerAdminHost" behaviorConfiguration="DevelopmentSpsServiceBehavior">
<add baseAddress="net.tcp://SRV01.specops.demo:4378/SPS"/>

Once you have modified the port numbers, you will need to save the file and restart the Sync Server service. If you change the ports and firewalls manually, you will need to perform the changes again after an upgrade.
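After an edit or an upgrade, the listeners actually configured can be read back from the file and tested. The following added PowerShell example (not part of the Specops product or its documentation) extracts each baseAddress, flags ports that differ from the defaults 4377 and 4378, and tests TCP reachability. The function name and the -ConfigPath parameter are hypothetical; point the parameter at the file in your own installation directory.

```powershell
# Added example, not Specops code. -ConfigPath is an assumption: supply the full path to
# PasswordSync.Server.exe.config in your service installation directory.
function Get-SyncServerListener {
    param([Parameter(Mandatory)][string]$ConfigPath)

    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

    # Every baseAddress entry that sits under a <service> element.
    foreach ($add in $config.SelectNodes('//service//add[@baseAddress]')) {
        $uri     = [uri]$add.GetAttribute('baseAddress')
        $service = $add.SelectSingleNode('ancestor::service').GetAttribute('name')

        # The job listener carries passwords, so it is expected to use https.
        $isJobListener = $service -like '*HttpPasswordChangeListener'
        $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue

        [pscustomobject]@{
            Service       = $service
            Scheme        = $uri.Scheme
            Host          = $uri.Host
            Port          = $uri.Port
            IsDefaultPort = $uri.Port -in 4377, 4378
            SchemeOk      = (-not $isJobListener) -or ($uri.Scheme -eq 'https')
            Reachable     = $probe.TcpTestSucceeded
        }
    }
}

# Example call; replace the placeholder with the real installation directory.
# Get-SyncServerListener -ConfigPath '<install dir>\PasswordSync.Server.exe.config' | Format-Table -AutoSize
```

A row with IsDefaultPort set to False marks a manually changed port, which is the setting that has to be reapplied, together with its firewall rule, after an upgrade.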

Active Directory Integrated Configuration Storage

Specops Password Sync uses Active Directory to store the configuration data used by the system. The settings for Specops Password Sync can be found in the System Container in the Domain. In Active Directory Users and Computers (with Advanced View enabled) or ADSI Edit, you can navigate to <your_domain_fqdn>/System/Specops/PasswordSync to find the storage location.

Configuration data is stored in this container and in the serviceConnectionPoint objects of the Password Sync Server object. Both of these items are part of the standard Active Directory schema. By storing the information in Active Directory, the system ensures reliable operation.