Sync Provider Configuration Reference

The Sync Provider is the system you want to synchronize passwords with. Specops Password Sync ships with a number of included providers. If you want to develop your own Sync Providers for the systems used by your organization, contact Specops support.

Below you will find the configuration specifications for the included providers.

Active Directory Provider


The Active Directory provider is used to synchronize password changes to another Active Directory domain. The other Active Directory domain can be either trusted or untrusted.

Prerequisites

  • Admin account in the remote domain.
  • Open network communication between the Sync Server and the target domain controller. This typically means that the following two ports must be open:
    • tcp/389 (LDAP)
    • tcp/445 (SMB)

Parameters

  • Domain or Domain Controller Name: The FQDN of the remote Active Directory domain or of a domain controller in it.
  • Unlock user if locked out: Automatically unlocks locked user accounts when the password is synchronized.
    1: Unlock locked accounts (default value).
    0: Do not unlock locked accounts.
  • Admin User Name: The name of the admin account used to reset passwords in the remote domain.
    Example: Example\Administrator
  • Provider Password: The password of the admin account.

Microsoft Entra ID provider


The Microsoft Entra ID provider is used to synchronize passwords to Microsoft Entra ID.

Parameters

  • Graph API Version: Version of the Microsoft Graph API. Optional.
  • Client ID: Application (client) ID. Required.
  • Tenant ID: Directory (tenant) ID. Required.
  • Provider Password: Client Secret value. Required.

Configuring an app in Microsoft Entra ID

  1. Log in to https://entra.microsoft.com/
  2. Click on Microsoft Entra ID. This should bring you to your org's directory.
  3. Click on App Registrations.
  4. Click on New registration.
  5. Enter a name for the app in the Name field.
  6. Using the radio buttons, select the supported account type (Single Tenant or Multitenant).
  7. Click on Register. In the following app summary screen, under the Essentials section, make a note (copy) of the Application (client) ID and the Directory (tenant) ID. These will be used when configuring the Sync Point.
  8. In the left navigation of the app summary screen, click Certificates & Secrets.
  9. Click on New client secret. Enter a description and set an expiry period using the Expiry dropdown, then click Add.
  10. Copy and store the secret in the Value column for the password. This will also be used for configuring the Sync Point.
    NOTE
    Note that this value needs to be pasted in the Provider password field in the Sync Point configuration.
  11. In the left-most navigation of the Microsoft Entra admin center, click on Microsoft Entra ID, then click on Roles and administrators.
  12. In the list, click on a role that will be sufficient for resetting passwords.
    NOTE
    For an overview of roles and their permissions, please go to Working with users in Microsoft Graph. Note that the minimum required role for resetting passwords is the Password Administrator role.
  13. Click on Add assignments at the top. The Add Assignments sidebar will open on the right.
  14. In the search box, enter the registered app name, click on the app in the search result list, then click Add at the bottom.

Next steps

Having noted and saved the Application (client) ID, Directory (tenant) ID, and the Value for the secret, create a new Sync Point with the Microsoft Entra ID provider. More information about creating Sync Points can be found in the Administration page.

Domino provider (Notes Client)


The Domino provider is used to synchronize passwords to the Domino Internet password.

Prerequisites

  • Notes client release 5.0.2b or later installed on the Sync Server.
  • Admin credentials present in the Notes client.
  • Open network communication from the Specops Password Sync Server to the Domino server.

Parameters

  • Address to the Domino Server: The FQDN of the Domino server.
  • User database: The database that contains the users.
    Default value: names.nsf
  • Database view: The view in the database that contains the users.
    Default value: ($VIMPeople)
  • Name column: The name of the column in the view that contains the users.
    Default value: Name

Note: For information about configuring the Domino Web Service, see Domino for Specops Password Sync.

Email Notification Provider


The email notification provider is used to trigger a customized email when the password of a user is changed. This can be used for a wide range of purposes; one example is sending an SMS to the user's mobile device to remind them to change the ActiveSync password on the device so that it matches the new Active Directory password.

Prerequisites

  • An email server must be available to send mail from the service account used on the Sync Server.

Parameters

  • SMTP Server Name: The FQDN of the SMTP server to use when sending email.
  • Port: The port number on the SMTP server.
    Default value: 25
  • From: The email address the email should be sent from. Supports placeholders.
  • To: The email address the email should be sent to. Supports placeholders.
  • Subject: The subject of the email. Supports placeholders.
  • Body: The body text of the email. Supports placeholders.

Placeholders

The email fields in the Email Notification provider also support placeholders to customize the email content. A placeholder can be used multiple times in the same field if necessary.

  • %User.<attribute>%: Retrieves the value of the named attribute on the user object of the user who triggered the password change.
  • %Password%: Used to include the new password in the email sent by the provider.
    Note: You should only use this placeholder after verifying that the resulting action is compatible with the information security policy of your organization.
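As an added illustration of the placeholder rules above (example code, not part of Specops Password Sync), the following Python renders the notification fields against a constructed user object and reports any field that uses %Password%, so the policy check can run before a Sync Point goes live. The %User.<attribute>% syntax, the attribute names and the SMS-gateway addresses are assumptions.

```python
import re

# Constructed sample user attributes (not real data) standing in for the
# user object of the account whose password was changed.
SAMPLE_USER = {
    "displayName": "Jane Doe",
    "sAMAccountName": "jdoe",
    "mail": "jdoe@example.com",
    "mobile": "+15555550100",
}

# Assumed syntax: %User.<attribute>% and %Password%; attribute names are
# looked up on the user object as written (no case folding).
PLACEHOLDER_RE = re.compile(r"%(?:User\.(?P<attr>[A-Za-z0-9_-]+)|(?P<pw>Password))%")


def find_placeholders(template):
    """Return the placeholder tokens in a field, in order of appearance."""
    return [m.group(0) for m in PLACEHOLDER_RE.finditer(template)]


def policy_violations(fields, allow_password=False):
    """Return the names of fields that use %Password% when policy does not
    allow the new password to leave the system by email."""
    if allow_password:
        return []
    return [name for name, tpl in fields.items()
            if any(m.group("pw") for m in PLACEHOLDER_RE.finditer(tpl))]


def render_field(template, user, new_password=None, allow_password=False):
    """Expand all placeholders in one email field.

    An unknown user attribute raises KeyError instead of rendering as an empty
    string, so a mistyped attribute name cannot silently produce an email
    addressed to nobody. %Password% is refused unless allow_password is set.
    """
    def substitute(match):
        attr = match.group("attr")
        if attr is not None:
            if attr not in user:
                raise KeyError("user object has no attribute %r" % attr)
            return str(user[attr])
        if not allow_password:
            raise ValueError("%Password% is not allowed by policy for this field")
        return new_password or ""
    return PLACEHOLDER_RE.sub(substitute, template)


def render_notification(fields, user, new_password=None, allow_password=False):
    """Render the From, To, Subject and Body fields of one notification."""
    return {name: render_field(tpl, user, new_password, allow_password)
            for name, tpl in fields.items()}


# Constructed sample Sync Point fields: an email-to-SMS gateway reminder.
SAMPLE_FIELDS = {
    "From": "passwordsync@example.com",
    "To": "%User.mobile%@sms-gateway.example.com",
    "Subject": "Password changed for %User.sAMAccountName%",
    "Body": "Hi %User.displayName%, your Active Directory password was changed. "
            "Update the ActiveSync password on your phone to match.",
}

if __name__ == "__main__":
    print("policy violations:", policy_violations(SAMPLE_FIELDS))
    for name, value in render_notification(SAMPLE_FIELDS, SAMPLE_USER).items():
        print(name + ": " + value)
```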

Google Apps provider


The Google Apps provider is used to synchronize passwords with Google Apps.

Prerequisites

  • Access to Google Workspace
  • Internet access on the Specops Password Sync Server.

You will need to complete the below tasks as a part of the prerequisites:

Creating a Google apps service account

  1. Go to console.cloud.google.com
  2. Select your organization (top menu) and create a new project in your organization
  3. Give the project a name, check that the organization is set correctly, then click Create
  4. Go to the project you just created by clicking the You're working in link and selecting the project you just created
  5. In the hamburger menu on the left go to API & Services, then go to Credentials in the left navigation
  6. Click Create Credentials and select Service Account
  7. Give the service account a name and a description, then click Create & Continue
  8. Click Done
  9. In the Service Account section, select the service account
  10. Write down or save the Unique ID for the service account
  11. Click Advanced settings
  12. At the bottom of the page, click Configure OAuth consent screen
  13. Select the Internal radio button under User type
  14. Click Create
  15. Enter a user support email address and developer email address
  16. Click Save and continue
  17. In Scopes, click Add or remove scopes
  18. In the Manually add scopes textbox, add the following scopes:
    • https://www.googleapis.com/auth/admin.directory.user
    • https://www.googleapis.com/auth/admin.directory.user.readonly
  19. Click Add to table, then click Update
  20. Click Save and continue, then go back to Credentials and select the service account
  21. Select Keys and click the Add Key dropdown and select Create new key
  22. Select the P12 radio button, then click Create
  23. In the confirmation window, make a note of the private key password. Your Certificate should be automatically downloaded.
  24. Click Close
  25. Go to API & Services in the left navigation
  26. Select Enabled API & Services
  27. In the search field, search for Admin SDK API
  28. Click on Admin SDK API in the search results, and click Enable
  29. Go to Credentials in the left navigation and access the Permissions tab. Make sure that the Grant Access button is available

Delegating the service account

  1. Go to admin.google.com
  2. In the left navigation, select Security, then Access and Data control, then API Controls
  3. Make sure the Trust internal domain-owned apps checkbox is checked
  4. Click Manage Third Party App Access
  5. Click the Add App dropdown and select OAuth App or Client ID
  6. In the search field, enter the Unique ID for your service account (saved in step 10 above), then click Search
  7. Click Select for your service account
  8. Check the checkboxes for the Client ID
  9. Click Select
  10. Under App Access select Trusted Can access all Google services
  11. Click Configure
  12. In the left navigation go to API controls
  13. Click Manage domain wide delegation
  14. Click Add New
  15. In the Client ID field, enter the Unique ID for your service account
  16. In the OAuth field, add the following entries, separated by a comma:
    • https://www.googleapis.com/auth/admin.directory.user
    • https://www.googleapis.com/auth/admin.directory.user.readonly
  17. Click Authorize

Importing the certificate on all Sync Servers running the Google App Sync Point

  1. Run MMC.exe.
  2. Select File and click Add/Remove Snap-in…
  3. Select Certificates from the available snap-ins, and click Add.
  4. Select Computer account in the Certificates snap-in dialog box, and click
  5. Ensure that Local computer is selected, and click Finish.
  6. In the Console Root window’s left pane, expand Certificates.
  7. Right-click Personal, select All Tasks, and click Import.
  8. Follow the on-screen instructions in the Certificate Import Wizard, and click Finish when complete.
    Note: In the Import options, ensure that the Mark this key as exportable is checked.
  9. In the Console Root window’s left pane, expand Certificates.
  10. Expand Personal, and click Certificates.
  11. In the list of certificates, locate and double click the newly created certificate.
  12. In the Certificate dialog box, click the Details
  13. Scroll through the list of fields, and click Thumbprint.
  14. Copy the hexadecimal characters from the box.

Configuring the Sync Point

  1. Open the Specops Password Sync Administration Tools.
  2. Click Sync Points.
  3. Select the Google App provider and click Edit.
    NOTE
    The Google App provider will only appear if the Sync point already exists.
  4. Click Select and Configure Provider.
  5. Configure the following parameters and click OK.
    • Administrator Account Email: The login account that will be used to perform the password change in your Google Apps domain.
    • Certificate thumbprint: Certificate thumbprint for the certificate generated by Google.
    • Service account email address: The email address of the Google Apps service account, ending in @developer.gservice.com

IBM Connections


The IBM Connections provider is used to synchronize passwords to IBM Connections.

Prerequisites

  • IBM Connections account with Administrator or Admin Assistant roles.

Parameters

  • Administration account: The email address associated with the IBM Connections account.
  • URL: The URL to the IBM Connections API.
    Example: https://apps.na.collabserv.com/api/bss
  • Provider Password: The password associated with the administration account.
  • Repeat Password: The password associated with the administration account.

Kerberos provider


The Kerberos provider is used to synchronize passwords to Kerberos based systems.

Prerequisites

  • Admin account with permissions to reset passwords in the Kerberos realm of the target users.
  • Open network communication from the Specops Password Sync Server to the Kerberos server.

Parameters

  • Target Realm: The Kerberos realm where the target account exists.
  • KDC Address: The address of the Kerberos KDC to contact. This field is optional.
  • Admin Realm: The Kerberos realm where the administrator account exists.
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.

LDAP Provider


The LDAP provider is used to synchronize passwords to remote LDAP systems, such as OpenLdap or Microsoft Active Directory Lightweight Directory Services (AD LDS). If the target server is a full Microsoft Active Directory, the Active Directory provider should be used.

This is because the Active Directory provider supports multiple domain controllers and can unlock accounts that are locked in the remote domain, while its traffic is also fully encrypted.

Prerequisites

  • Admin account in the remote system.
  • Open network communication between the Sync Server and the remote server. This typically means that one of the following two ports must be open:
    • tcp/389 (non-SSL-encrypted LDAP)
    • tcp/636 (SSL-encrypted LDAP)

Parameters

  • Server name: The name of the remote LDAP server.
  • Port number: The port number to use when contacting the remote LDAP server.
    Default port: 636
  • Authentication Type: Can be set to one of the following:
    • Basic: Uses basic authentication with username/password. Should be used for testing only.
    • BasicSsl: Uses basic authentication with username/password over SSL. This can be used in production against an OpenLDAP server. In order to use this authentication type, you need to configure the server's certificate, so that the sync point knows that it is a trusted server.
    • Negotiate: Uses the best available algorithm that encrypts and verifies the integrity of the password changes to the LDAP server. This is used if the LDAP server is Kerberos trusted with the Sync Server in use.
  • Valid Certificate Thumbprint: The server certificate's thumbprint. Leaving this field empty means that any certificate will be accepted (not recommended).
    To determine the server certificate thumbprint, type "xyz" as "Valid Server Certificate Thumbprint" and attempt one reset. The error message in the test tool (or the application event log) will contain the thumbprint. The thumbprint is a hex string and may or may not contain ":" separators.
    Note: This setting is only applicable for BasicSsl authentication.
  • Attribute Name: The name of the user attribute in the LDAP system where the password is stored. This parameter is used in conjunction with "Convert to Unicode."
    Default value: unicodePwd.
  • Password Format: Determines how the password sent to the target system should be encoded. Possible values:
    • QuotedUnicode: Adds quotes to the password, then sends Unicode bytes to the target system. This should be used when syncing to another Microsoft Active Directory.
    • Unicode: Sends Unicode bytes to the target system.
    • Utf8: Sends UTF-8 bytes to the target system.
  • Admin User Name: User name of the admin account in the LDAP system. The user name should be in distinguished name format (CN=admin,DC=example,DC=com).
  • Provider Password: The password of the admin account.
  • Target Search Identifier Attribute: By default, an absolute LDAP path is provided to identify the target account. If the source system lacks information about the LDAP path, it is possible to search for the target account by matching an attribute instead. This setting specifies the name of the attribute to compare for such a search.
    The attribute on users in the target system must contain an identifier that is unique in that directory, e.g. a social security number or an employee number. That attribute in the target system is compared with what has been configured in the Name Mapping.
    WARNING
    It is critically important that the attributes configured in "Name mapping settings" for the source system and in "Target Search Identifier Attribute" for the target system are not writable by users. That would compromise security and could enable resetting another user's password and gaining access to that account.
    Used in conjunction with Target Search Roots. Note that if the identifier in the source system is a distinguished name in the target system, there is no need to configure Target Search Identifier Attribute or Target Search Roots, since the account in the target system is directly identifiable by that distinguished name.
  • Assume the target Directory is Active directory: Set to true if the target is Microsoft Active Directory, otherwise false. Setting it to true forces the LDAP query to include "(objectCategory=user)(objectCategory=person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(userAccountControl:1.2.840.113556.1.4.803:=512)"
    NOTE
    This is only used if Target Search Identifier Attribute has been configured.
  • Additional condition in LDAP search: If set, the value of this string is AND-combined with the search for the target attribute as an LDAP condition when searching for the target account. The syntax depends on the LDAP target system, but it could, for instance, exclude disabled accounts from the search or restrict the search to a specific department, e.g. "(&(enabled=true)(department=finance))".
    NOTE
    This is only used if Target Search Identifier Attribute has been configured.
  • Target Search Roots: List of distinguished names to use as search roots when searching for the user in the target system by the attribute specified in Target Search Identifier Attribute.
    The roots must be specified as valid LDAP paths, for example LDAP://CN=users,DC=acme,DC=org. If more than one root is needed, they must be separated by a semicolon (;).
    Used in conjunction with Target Search Identifier Attribute.

NOTE
Specops recommends using the Active Directory provider to synchronize passwords against remote Active Directories. If you need to use the LDAP provider against Active Directory, the Admin User Name should be specified in the SAM Account Name format instead of the DN of the admin account.
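The following added Python example (not the product's code) works through the LDAP provider settings above: it AND-combines the Target Search Identifier Attribute match, the Active Directory clause and an additional condition into one filter with the identifier value escaped, encodes a password for each Password Format, and compares a Valid Certificate Thumbprint with and without ":" separators. How the provider itself escapes or combines these values is not documented on this page, so the escaping and the treatment of an empty thumbprint as a non-match are assumptions.

```python
import hmac
import re

# Clause added when "Assume the target Directory is Active directory" is true
# (quoted from the parameter description above).
AD_USER_CLAUSE = (
    "(objectCategory=user)(objectCategory=person)(sAMAccountName=*)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    "(userAccountControl:1.2.840.113556.1.4.803:=512)"
)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_target_search_filter(identifier_attribute, identifier_value,
                               assume_active_directory=False, additional_condition=""):
    """AND-combine the identifier match, the optional AD clause and the optional
    extra condition. Escaping the identifier value keeps a value such as "*" or
    "12345)(cn=admin" from widening or altering the search."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", identifier_attribute):
        raise ValueError("invalid attribute name: %r" % identifier_attribute)
    if additional_condition and not additional_condition.startswith("("):
        raise ValueError("additional condition must be a parenthesised LDAP filter")
    parts = ["(%s=%s)" % (identifier_attribute, escape_filter_value(identifier_value))]
    if assume_active_directory:
        parts.append(AD_USER_CLAUSE)
    if additional_condition:
        parts.append(additional_condition)
    return "(&" + "".join(parts) + ")"


def split_search_roots(roots):
    """Split the semicolon-separated Target Search Roots setting into a list."""
    return [r.strip() for r in roots.split(";") if r.strip()]


def encode_password(password, password_format):
    """Bytes written to the password attribute for each Password Format value."""
    if password_format == "QuotedUnicode":   # AD unicodePwd: quoted, UTF-16LE
        return ('"' + password + '"').encode("utf-16-le")
    if password_format == "Unicode":
        return password.encode("utf-16-le")
    if password_format == "Utf8":
        return password.encode("utf-8")
    raise ValueError("unknown Password Format: %r" % password_format)


def normalize_thumbprint(value):
    """Strip ':' separators and whitespace; require a 40-hex-digit SHA-1 thumbprint."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("thumbprint must be 40 hex digits, got %r" % value)
    return cleaned


def thumbprint_matches(configured, presented):
    """True only if a thumbprint is pinned and equals the presented one.
    Assumption for this check: an empty configured value (which the provider
    treats as 'accept any certificate') is reported as a non-match."""
    if not configured.strip():
        return False
    return hmac.compare_digest(normalize_thumbprint(configured),
                               normalize_thumbprint(presented))
```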

Sample Configurations

Open Ldap Non-SSL (not for production use)

If the target is an OpenLdap Server configured to use basic authentication (clear text), configure with:

  • Server name: DNS name of the LDAP server
  • Port number: Typically 389
  • Authentication Type: Basic
  • AttributeName: userPassword
  • Password Format: Utf8
  • Target system is Active Directory: false

Target user should be DN-formatted (use proper name mapping).

OpenLdap SSL

If the target is an OpenLdap Server configured to use SSL, configure with:

  • Server name: DNS name of the LDAP server
  • Port number: Typically 636
  • Authentication Type: BasicSsl
  • Valid Certificate Thumbprint: Hex string of the server certificate's thumbprint (40 hex digits)
    Note: It is not sufficient to use a trusted certificate. The server certificate's thumbprint must be configured in the sync point.
  • AttributeName: UserPassword
  • Password Format: Utf8

Active Directory Lightweight Directory Services

If the target server is an Active Directory Lightweight Directory Services server, configure with:

  • Server: Name of a DC
  • Port number: Typically 389
  • Authentication Type: Negotiate
  • Attribute Name: UnicodePWD
  • Password Format: QuotedUnicode
  • Admin username: Administrator (flat name, without domain)

NOTE
Target user should be DN-formatted.

Local Accounts provider


The Local Accounts provider is used to reset passwords for local user accounts on a specific computer.

Prerequisites

  • Admin account for the target computer.
  • Open network communication from the Specops Password Sync server to the target computer.

Parameters

  • Administrator Account: The user name of the admin account.
  • Computer Name: The name of the target computer.
  • Provider Password: The password of the admin account.

Microsoft Online Services provider [Obsolete]


NOTE
The Microsoft Online Services provider is obsolete. For backwards compatibility, please use the Microsoft Entra ID provider.

The Microsoft Online Services provider is used to synchronize passwords to Microsoft Online Services, such as Office 365.

Prerequisites

  • The following Microsoft Online Services components must be installed on the Specops Password Sync Server:
  • Internet access on the Specops Password Sync Server.

Parameters

  • Administrator Account: The user name of the admin account.
  • Provider Password: The password of the admin account.

Microsoft SQL Server provider


The Microsoft SQL Server provider is used to synchronize passwords to MS SQL server users.

Prerequisites

  • SQL Server authenticated admin account (Windows authentication is not supported).
  • SQL Server user accounts (accounts stored within custom databases are not supported).
  • Open network communication between the Specops Password Sync Server and the target MS SQL server.
  • SQL Server Management Studio Tools installed on the Sync server.

Parameters

  • SQL Server: The name of the target MS SQL Server.
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.

Oracle Database provider


The Oracle Database provider is used to synchronize passwords to Oracle database users.

Prerequisites

  • The provider is designed for Oracle 11g, but may work on other versions as well.
  • Oracle admin account.
  • Oracle authenticated users
NOTE
Accounts stored within custom databases are not supported.

Parameters

  • Database Server: The data source, in the following format:
    (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID)))
    Replace MyHost, MyPort and MyOracleSID with the values from the tnsnames.ora file. You can find this file in the ORACLE_HOME\NETWORK\ADMIN directory.
    The following is a sample of the tnsnames.ora file:

    ORACLR_CONNECTION_DATA =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
        (CONNECT_DATA =
          (SID = CLRExtProc)
          (PRESENTATION = RO)
        )
      )

    ORCL =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = SRV04.shrek.qa)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = orcl.shrek.qa)
        )
      )

    The data source should look like this after you have added the corresponding values from the tnsnames.ora file:
    (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SRV04.shrek.qa)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.shrek.qa)))
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.
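As an added example (not Specops or Oracle code), this Python parses the tnsnames.ora sample above, picks the TCP address and SERVICE_NAME of a given alias, and emits the Database Server string in the format the provider expects; an entry without a TCP address or SERVICE_NAME (such as ORACLR_CONNECTION_DATA) is rejected instead of producing a half-filled string. The parser is a minimal reading of the parenthesised syntax and is an assumption, not a full tnsnames.ora grammar.

```python
import re

# Sample tnsnames.ora content: the two entries quoted in the text above.
SAMPLE_TNSNAMES = """
ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))
    (CONNECT_DATA = (SID = CLRExtProc)(PRESENTATION = RO))
  )
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = SRV04.shrek.qa)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.shrek.qa))
  )
"""

# An entry starts at the beginning of a line: ALIAS = (
_ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(?=\()", re.M)


def _parse_node(text, pos):
    """Parse '(KEY = value)' or '(KEY = (child)(child)...)' at text[pos] == '('.
    Returns ((key, value, children), position after the closing ')')."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    eq = text.index("=", pos)
    key = text[pos + 1:eq].strip().upper()
    pos, children, value = eq + 1, [], []
    while pos < len(text):
        ch = text[pos]
        if ch == "(":
            child, pos = _parse_node(text, pos)
            children.append(child)
        elif ch == ")":
            return (key, "".join(value).strip(), children), pos + 1
        else:
            value.append(ch)
            pos += 1
    raise ValueError("unterminated entry for %s" % key)


def parse_tnsnames(text):
    """Return {ALIAS: parsed DESCRIPTION node} for every entry in the file."""
    entries, pos = {}, 0
    while True:
        m = _ENTRY_RE.search(text, pos)
        if not m:
            return entries
        node, pos = _parse_node(text, m.end())
        entries[m.group(1).upper()] = node


def _find_all(node, key):
    """Depth-first generator over nodes with the given key."""
    if node[0] == key:
        yield node
    for child in node[2]:
        yield from _find_all(child, key)


def _leaf(node, key):
    return next((n[1] for n in _find_all(node, key)), None)


def tcp_endpoint(entries, alias):
    """(host, port, service_name) from the alias's TCP address, or None when the
    entry has no TCP address or no SERVICE_NAME (e.g. an IPC/SID-only entry)."""
    node = entries.get(alias.upper())
    if node is None:
        return None
    for addr in _find_all(node, "ADDRESS"):
        if (_leaf(addr, "PROTOCOL") or "").upper() == "TCP":
            host, port = _leaf(addr, "HOST"), _leaf(addr, "PORT")
            service = _leaf(node, "SERVICE_NAME")
            if host and port and service:
                return host, port, service
    return None


def build_data_source(tnsnames_text, alias):
    """Produce the Database Server value in the format the Oracle provider expects."""
    endpoint = tcp_endpoint(parse_tnsnames(tnsnames_text), alias)
    if endpoint is None:
        raise ValueError("no TCP address with a SERVICE_NAME found for %s" % alias)
    host, port, service = endpoint
    return ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%s))"
            "(CONNECT_DATA=(SERVICE_NAME=%s)))" % (host, port, service))
```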

Salesforce provider


The Salesforce provider is used to synchronize passwords to Salesforce.

Prerequisites

  • Admin account in the target Salesforce.
  • Valid Salesforce security token for the admin account. The security token for the admin account should have been emailed to you when you set up your Salesforce account or the last time you reset your password. If you are unable to find this email, you will need to reset the token.

To get or reset your security token:

  1. At the top of any Salesforce page, click the down arrow next to your name. From the menu under your name, select Setup or My Settings, whichever one appears.
  2. From the left pane, select one of the following:
    • If you clicked Setup, select My Personal Information | Reset My Security Token.
    • If you clicked My Settings, select Personal | Reset My Security Token.
  3. Click Reset Security Token. The new security token is sent via email to the email address on your Salesforce user record. Keep this email. Your security token is not displayed in your settings or profile.
NOTE
This token is changed every time the password of the admin account is changed.

Parameters

  • URL: The URL to the Salesforce.com API.
    Default value: https://login.salesforce.com/services/Soap/c/23.0
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password followed by the security token.
    For example, if your password is "myPassword" and your security token is "XXXX", enter "myPasswordXXXX".

SAP provider


The SAP provider is used to synchronize passwords to user accounts in SAP systems.

Prerequisites

  • Admin account in the target SAP environment.
  • SAP .Net Connector 3.0 for .Net 4.0 must be installed on the Specops Password Sync Server.
NOTE
If SAP does not show up in the list of available sync providers when setting up the scope, copy the following .dll files from the SAP.NetConnector program directory (e.g. C:\Program Files\SAP\SAP_DotNetConnector3_Net40_x64) to C:\Program Files\Specopssoft\Specops Password Sync\Server\Providers\SAP on the sync server, and then restart the service. Files to be copied:
  • libicudecnumber.dll
  • rscp4n.dll
  • sapnco.dll
  • sapnco_utils.dll

Note:

  • The SAP .Net Connector depends on the Visual C++ 2010 redistributable, which the SAP installer does not install. If this component was not installed as part of another package, the provider will fail with the following error message: "Could not load file or assembly 'sapnco_utils.dll' or one of its dependencies. The specified module could not be found."
  • Installing KB2365063 (Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package MFC Security Update) fixes the problem.

Parameters

  • Address to the SAP server: FQDN of the SAP server where the password should be changed.
  • System ID: The system ID in SAP (e.g. 00).
  • Client ID: The client ID in SAP (e.g. 100).
  • Admin User Name: The user name of the admin account.
  • Provider Password: The password of the admin account.

Windows Service provider


The Windows Service provider is used to update the password used in a Windows Service when the password of the domain service account is changed. The provider will find all services running as the domain account on the target server and set the new password on them.

Prerequisites

  • Admin account on the target server.
  • Open network communication between the Specops Password Sync Server and the target server.

Parameters

  • Administrator Account: The user name of the admin account that will be used to change the password on the remote server.
  • Server Name: The name of the target server where the service is running.
  • Provider Password: The password of the admin account.