Sync Provider Configuration Reference
The Sync Provider is the system you want to synchronize passwords with. Specops Password Sync ships with a number of included providers. If you want to develop your own Sync Providers for the Systems used by your organization, contact Specops support.
Below you will find the configuration specifications for the included providers.
Active Directory Provider
The Active Directory provider is used to synchronize password changes to another Active Directory domain. The other Active Directory domain can be either trusted or untrusted.
Note
When performing an Active Directory to Active Directory sync, please refer to the AD to AD sync page to determine which sync provider is most suited.
Prerequisites
- Admin account in the remote domain.
- Open network communication between the Sync Server and the target Domain Controller. This typically means that the following two ports must be open:
- tcp/389 (LDAP)
- tcp/445 (SMB)
Parameters
Parameter | Description |
---|---|
Domain or Domain Controller Name | The FQDN of the remote Active Directory Domain or a Domain Controller in it. |
Unlock user if locked out | Automatically unlocks locked user accounts when the password is synchronized. 1: Unlock locked accounts (Default value). 0: Do not unlock locked accounts. |
Admin User Name | The name of the admin account used to reset passwords in the remote domain. Example: Example\Administrator |
Provider Password | The password of the admin account. |
Windows LDAP sync provider
The Windows LDAP sync provider is used to synchronize passwords between two Active Directories.
Note
When performing an Active Directory to Active Directory sync, please refer to the AD to AD sync page to determine which sync provider is most suited.
More information on this provider can be found on the AD to AD sync page.
Prerequisites
- Admin account on the remote system.
- Ensure port 636 (or the port you have configured instead) is open. The default port for SSL-encrypted LDAP (LDAPS) is 636.
- Domain controller certificate for LDAP over SSL/TLS. LDAPS is automatically enabled when you install an Enterprise Root CA on a domain controller.
Parameters
Parameter | Description |
---|---|
Server name | The DNS name of the remote LDAP server where password synchronization will occur. |
Admin User Name | User name of the admin account in the LDAP system. The user name should be in format 'domain\sAMAccountName'. |
Provider Password | The password associated with the admin account specified in the "Admin User Name" parameter. |
Port number (optional) | The network port used for communication with the remote LDAP server. Default port: 636 |
Target Search Identifier Attribute (optional) | Specifies the attribute used to uniquely identify user accounts in the target system. This attribute must contain a unique identifier, such as a social security number or an employee ID. |
Target Search Roots (optional) | Defines the starting points for searching user accounts in the target system: a list of distinguished names (DNs) to use as search roots when searching for the user in the target AD by the attribute specified in Target Search Identifier Attribute. The roots must be specified as valid LDAP paths, for example LDAP://CN=users,DC=acme,DC=org. If more than one root is needed, they must be separated by a semicolon (;). Used in conjunction with Target Search Identifier Attribute. |
Microsoft Entra ID provider
The Microsoft Entra ID provider is used to synchronize passwords to Microsoft Entra ID.
Parameters
Parameter | Description | Optional |
---|---|---|
Graph API Version | Version of the Microsoft Graph API | Yes |
Client ID | Application (client) ID | No |
Tenant ID | Directory (tenant) ID | No |
Provider Password | Client Secret value | No |
Configuring an app in Microsoft Entra ID
- Login to https://entra.microsoft.com/
- Click on Microsoft Entra ID. This should bring you to your org's directory.
- Click on App Registrations.
- Click on New registration.
- Enter a name for the app in the Name field.
- Using the radio buttons, select the supported account type (Single Tenant or Multitenant).
- Click on Register. In the following app summary screen, under the Essentials section, make a note (copy) of the Application (client) ID and the Directory (tenant) ID. These will be used when configuring the Sync Point.
- In the left navigation of the app summary screen, click Certificates & Secrets.
- Click on New client secret. Enter a description and set an expiry period using the Expiry dropdown, then click Add.
- Copy and store the secret in the Value column for the password. This will also be used for configuring the Sync Point.
Note
Note that this value needs to be pasted in the Provider password field in the Sync Point configuration.
- In the Microsoft Entra ID admin center's (left-most) left navigation, click on Microsoft Entra ID, then click on Roles and administrators.
- In the list, click on a role that will be sufficient for resetting passwords.
Note
For an overview of roles and their permissions, please go to Working with users in Microsoft Graph. Note that the minimum required role for resetting passwords is the Password Administrator role.
- Click on Add assignments at the top. The Add Assignments sidebar will open on the right.
- In the search box, enter the registered app name, click on the app in the search result list, then click Add at the bottom.
Next steps
Having noted and saved the Application (client) ID, Directory (tenant) ID, and the Value for the secret, create a new Sync Point with the Microsoft Entra ID Provider. More information on creating Sync Points can be found on the Administration page.
Domino provider (Notes Client)
The Domino provider is used to synchronize passwords to the Domain Internet Password.
Prerequisites
- Notes client release 5.0.2b or later installed on the Sync Server.
- Admin credentials present in the Notes client.
- Open network communication from the Specops Password Sync Server to the Domino server.
Parameters
Parameter | Description |
---|---|
Address to the Domino Server | The FQDN of the Domino server. |
User database | The database that contains the users. Default value: names.nsf |
Database view | The view in the database which contains the users. Default value: ($VIMPeople) |
Name column | The name of the column in the view that contains the users. Default value: Name |
Email Notification Provider
The email notification provider is used to trigger a customized email to be sent when the password of a user is changed. This can be used for a wide range of purposes, one of which is sending an SMS to the mobile device of the user to remind them that they should change their ActiveSync password on the device to match the new Active Directory password.
Prerequisites
- An email server must be available to send mail from the service account used on the Sync Server.
Parameters
Parameter | Description |
---|---|
SMTP Server Name | The FQDN of the SMTP server to use when sending email. |
Port | The Port number on the SMTP server. Default value: 25 |
From | The email address the email should be sent from. Supports placeholders. |
To | The email address the email should be sent to. Supports placeholders. |
Subject | The subject of the email. Supports placeholders. |
Body | The body text of the email. Supports placeholders. |
Placeholders
The email fields in the Email Notification provider also support placeholders to customize the email content. The placeholders can be used multiple times in the same field if necessary.
Placeholder | Description |
---|---|
%User. | Retrieves values from attributes on the user object of the user who triggered the password change. |
%Password% | Used to include the new password in the email sent by the provider. Note: You should only use this placeholder after verifying that the resulting action is compatible with the information security policy of your organization. |
Google Apps provider
The Google apps provider is used to synchronize passwords with Google Apps.
Prerequisites
- Access to Google Workspace
- Internet access on the Specops Password Sync Server.
You will need to complete the below tasks as a part of the prerequisites:
Creating a Google apps service account
- Go to console.cloud.google.com
- Select your organization (top menu) and create a new project in your organization
- Give the project a name, check that the organization is set correctly, then click Create
- Go to the project you just created by clicking the You're working in link and selecting the project you just created
- In the hamburger menu on the left go to API & Services, then go to Credentials in the left navigation
- Click Create Credentials and select Service Account
- Give the service account a name and a description, then click Create & Continue
- Click Done
- In the Service Account section, select the service account
- Write down or save the Unique ID for the service account
- Click Advanced settings
- At the bottom of the page, click Configure OAuth consent screen
- Select the Internal radio button under User type
- Click Create
- Enter a user support email address and developer email address
- Click Save and continue
- In Scopes, click Add or remove scopes
- In the Manually add scopes textbox, add the following scopes:
- Click Add to table, then click Update
- Click Save and continue, then go back to Credentials and select the service account
- Select Keys and click the Add Key dropdown and select Create new key
- Select the P12 radio button, then click Create
- In the confirmation window, make a note of the private key password. Your Certificate should be automatically downloaded.
- Click Close
- Go to API & Services in the left navigation
- Select Enabled API & Services
- In the search field, search for Admin SDK API
- Click on Admin SDK API in the search results, and click Enable
- Go to Credentials in the left navigation and access the Permissions tab. Make sure that the Grant Access button is available
Delegating the service account
- Go to admin.google.com
- In the left navigation, select Security, then Access and Data control, then API Controls
- Make sure the Trust internal domain-owned apps checkbox is checked
- Click Manage Third Party App Access
- Click the Add App dropdown and select OAuth App or Client ID
- In the search field, enter the Unique ID for your service account (saved in step 10 above), then click Search
- Click Select for your service account
- Check the checkboxes for the Client ID
- Click Select
- Under App Access select Trusted Can access all Google services
- Click Configure
- In the left navigation go to API controls
- Click Manage domain wide delegation
- Click Add New
- In the Client ID field, enter the Unique ID for your service account
- In the OAuth field, add the following entries, separated by a comma:
- Click Authorize
Importing the certificate on all Sync Servers running the Google App Sync Point
- Run MMC.exe.
- Select File and click Add/Remove Snap-in…
- Select Certificates from the available snap-ins, and click Add.
- Select Computer account in the Certificates snap-in dialog box, and click
- Ensure that Local computer is selected, and click Finish.
- In the Console Root window’s left pane, expand Certificates.
- Right-click Personal, select All Tasks, and click Import.
- Follow the on-screen instructions in the Certificate Import Wizard, and click Finish when complete.
- Note: In the Import options, ensure that Mark this key as exportable is checked.
- In the Console Root window’s left pane, expand Certificates.
- Expand Personal, and click Certificates.
- In the list of certificates, locate and double click the newly created certificate.
- In the Certificate dialog box, click the Details
- Scroll through the list of fields, and click Thumbprint.
- Copy the hexadecimal characters from the box.
Configuring the Sync Point
- Open the Specops Password Sync Administration Tools.
- Click Sync Points.
- Select the Google App provider and click Edit.
Note
The Google App provider will only appear if the Sync point already exists.
- Click Select and Configure Provider.
- Configure the following parameters and click OK.
Parameter | Description |
---|---|
Administrator Account Email | The login account that will be used to perform the password change in your Google Apps domain. |
Certificate thumbprint | Certificate thumbprint for the certificate generated by Google. |
Service account email address | The email address of the Google apps service account ending in @developer.gservice.com |
IBM Connections
The IBM Connections provider is used to synchronize passwords to IBM Connections.
Prerequisites
- IBM Connections account with Administrator or Admin Assistant roles.
Parameters
Parameter | Description |
---|---|
Administration account | The email address associated with the IBM Connections account. |
URL | The URL to the IBM Connections API, e.g. https://apps.na.collabserv.com/api/bss |
Provider Password | The password associated with the administration account |
Repeat Password | The password associated with the administration account |
Kerberos provider
The Kerberos provider is used to synchronize passwords to Kerberos based systems.
Note
When performing an Active Directory to Active Directory sync, please refer to the AD to AD sync page to determine which sync provider is most suited.
Prerequisites
- Admin account with permissions to reset passwords in the Kerberos realm of the target users.
- Open network communication from the Specops Password Sync Server to the Kerberos server.
Parameters
Parameter | Description |
---|---|
Target Realm | The Kerberos realm where the target account exists. |
KDC Address | The address of the Kerberos KDC to contact. This field is optional. |
Admin Realm | The Kerberos realm where the administrator account exists. |
Admin User Name | The user name of the admin account. |
Provider Password | The password of the admin account. |
LDAP Provider
The LDAP provider is used to synchronize passwords to remote LDAP systems, such as OpenLDAP or Microsoft Active Directory Lightweight Directory Services (AD LDS). If the target server is a full Microsoft Active Directory, the Active Directory provider should be used.
This is because the Active Directory provider supports multiple domain controllers and also supports unlocking accounts if they are locked on the remote domain, while its communication is still fully encrypted.
Note
When performing an Active Directory to Active Directory sync, please refer to the AD to AD sync page to determine which sync provider is most suited.
Prerequisites
- Admin account in the remote system.
- Open network communication between the Sync Server and the remote server. This typically means that one of the following two ports must be open:
- tcp/389 (non-SSL-encrypted LDAP)
- tcp/636 (SSL-encrypted LDAP)
Parameters
Parameter | Description |
---|---|
Server name | The name of the remote LDAP server. |
Port number | The port number to use when contacting the remote LDAP server. Default port: 636 |
Authentication Type | Can be set to one of the following: - Basic: Uses basic authentication with username/password. Should be used for testing only. - BasicSsl: Uses basic authentication with username/password over SSL. This can be used in production against an OpenLDAP server. In order to use this authentication type, you need to configure the server’s certificate (see Valid Certificate Thumbprint) so that the sync point knows that it is a trusted server. - Negotiate: Uses the best available algorithm that encrypts and verifies the integrity of the password changes sent to the LDAP server. This is used if the LDAP server is Kerberos-trusted with the Sync Server in use. |
Valid Certificate Thumbprint | The server certificate’s thumbprint. Leaving this field empty means that any certificate will be accepted (not recommended). To determine the server certificate thumbprint, type “xyz” as “Valid Server Certificate Thumbprint” and attempt one reset; the error message in the test tool (or the application event log) will contain the thumbprint. The thumbprint is a hex string and may or may not contain “:” separators. Note: This setting is only applicable for BasicSsl authentication. |
Attribute Name | The name of the user attribute in the LDAP system where the password is stored. This parameter is used in conjunction with “Convert to Unicode.” Default value: unicodePwd. |
Password Format | Determines how the password sent to the target system should be encoded. Possible values: - QuotedUnicode (Adds quotes to the password, then sends Unicode bytes to the target system. This should be used when syncing to another Microsoft Active Directory.) - Unicode (Sends Unicode bytes to the target system.) - Utf8 (Sends Utf8 bytes to the target system.) |
Admin User Name | User name of the admin account in the LDAP system. The user name should be in distinguished name format (CN=admin, DC=example, DC=com). |
Provider Password | The password of the admin account. |
Target Search Identifier Attribute | By default, an absolute LDAP path is used to identify the target account. If the source system lacks information about the LDAP path, it is possible to search for the target account by matching an attribute instead. This setting specifies the name of the attribute in the target system to compare in such a search. That attribute must contain a unique identifier in that directory, e.g. a social security number or an employee number, and it will be compared with the value configured in the Name Mapping. WARNING! It is critically important that the attributes configured in "Name mapping settings" for the source system and the "Target Search Identifier Attribute" for the target system are not writable by users. Otherwise a user could reset another user's password and gain access to that account. Used in conjunction with Target Search Roots. Note that if the identifier in the source system is a distinguished name in the target system, there is no need to configure Target Search Identifier Attribute or Target Search Roots, since the account in the target system is directly identifiable by that distinguished name. |
Assume the target Directory is Active directory | Note! This is only used if Target Search Identifier Attribute has been configured. Set to true if the target is Microsoft Active Directory, otherwise false. Setting to true will enforce the LDAP query to include "(objectCategory=user)(objectCategory=person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(userAccountControl:1.2.840.113556.1.4.803:=512)" |
Additional condition in LDAP search | Note! This is only used if Target Search Identifier Attribute has been configured. If set, the value of this string will be AND-combined with the search for target attribute as an LDAP condition when searching for the target account. The schema depends on the LDAP target system, but could, for instance, exclude disabled accounts from the search or only search a specific department, e.g. "(&(enabled=true)(department=finance))". |
Target Search Roots | List of distinguished names to use as search roots when searching user in the target system by looking at the attribute specified in Target Search Identifier Attribute. The roots must be specified as valid LDAP paths, for example LDAP://CN=users,DC=acme,DC=org. If more than one root is needed, they must be separated by semicolon (;) Used in conjunction with Target Search Identifier Attribute. |
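The following is an added example, not Specops code, showing how the search-related parameters in the table above combine into a single LDAP filter (identifier attribute match, the enforced Active Directory fragment, and the optional additional condition, AND-combined), how Target Search Roots are split, and which bytes each Password Format value produces. The function names are assumptions made for this illustration, and "Unicode bytes" is taken to mean UTF-16LE (the encoding Active Directory expects for unicodePwd), which the page does not state explicitly. The escaping step matters for the warning in the table: an identifier value containing `*`, `(` or `)` must be escaped so it cannot change the meaning of the search.

```python
"""Added example (not Specops code): how the LDAP provider's target-search
parameters combine into one LDAP filter, and what the Password Format values
produce on the wire. Function names are assumptions for this illustration."""
from typing import List

# Fragment the page says is enforced when "Assume the target Directory is
# Active directory" is true; copied verbatim from the parameter table.
AD_USER_FILTER = (
    "(objectCategory=user)(objectCategory=person)(sAMAccountName=*)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    "(userAccountControl:1.2.840.113556.1.4.803:=512)"
)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed in an LDAP filter assertion.
    The identifier comes from the source directory's Name Mapping attribute;
    if it ever contains '*', '(' or ')', an unescaped value would change the
    meaning of the filter instead of matching exactly one account."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_target_search_filter(identifier_attribute: str, identifier_value: str,
                               assume_ad: bool = False,
                               additional_condition: str = "") -> str:
    """AND-combine the identifier match, the optional AD user fragment and the
    optional 'Additional condition in LDAP search' value."""
    parts = [f"({identifier_attribute}={escape_filter_value(identifier_value)})"]
    if assume_ad:
        parts.append(AD_USER_FILTER)
    if additional_condition.strip():
        parts.append(additional_condition.strip())
    return "(&" + "".join(parts) + ")"


def parse_search_roots(target_search_roots: str) -> List[str]:
    """Split the semicolon-separated 'Target Search Roots' value into base DNs,
    dropping the LDAP:// prefix the page shows in its example."""
    roots = []
    for item in target_search_roots.split(";"):
        item = item.strip()
        if not item:
            continue
        if item[:7].upper() == "LDAP://":
            item = item[7:]
        roots.append(item)
    return roots


def encode_password(password: str, password_format: str) -> bytes:
    """Bytes sent for the password attribute under each Password Format value.
    Assumption: 'Unicode bytes' means UTF-16LE, which is what Active Directory
    expects for unicodePwd; the page does not spell out the byte order."""
    if password_format == "QuotedUnicode":
        return f'"{password}"'.encode("utf-16-le")
    if password_format == "Unicode":
        return password.encode("utf-16-le")
    if password_format == "Utf8":
        return password.encode("utf-8")
    raise ValueError(f"unknown Password Format: {password_format!r}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(build_target_search_filter("employeeID", "E-1042", assume_ad=True,
                                     additional_condition="(department=finance)"))
    print(parse_search_roots("LDAP://CN=users,DC=acme,DC=org;LDAP://OU=staff,DC=acme,DC=org"))
    print(encode_password("Pa", "QuotedUnicode"))
```

Running the block prints the combined filter for a constructed employee ID, the two base DNs, and the quoted UTF-16LE bytes; the additional condition is appended inside the outer `(&...)`, so a value such as `(&(enabled=true)(department=finance))` nests correctly.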
Note
Specops recommends using the Active Directory provider to synchronize passwords against remote Active Directories. If you need to use the LDAP provider against Active Directory, the Admin User Name should be specified in the SAM Account Name format instead of the DN of the admin account.
Sample Configurations
Open Ldap Non-SSL (not for production use)
If the target is an OpenLdap Server configured to use basic authentication (clear text), configure with:
- Server name: DNS name of the LDAP server
- Port number: Typically 389
- Authentication Type: Basic
- AttributeName: userPassword
- Password Format: Utf8
- Target system is Active Directory: false
Target user should be DN-formatted (use proper name mapping).
OpenLdap SSL
If target is an OpenLdap Server configured to use SSL, configure with:
- Server name: DNS name of the LDAP server
- Port number: Typically 636
- Authentication Type: BasicSsl
- Valid Certificate Thumbprint: Hex string of server certificate’s thumbprint (40 hex digits)
Note: It is not sufficient to use a trusted certificate. The server certificate’s thumbprint must be configured in the syncpoint.
- AttributeName: UserPassword
- Password Format: Utf8
Active Directory Lightweight Directory Services
If the target server is an Active Directory Lightweight Directory Services server, configure with:
- Server: Name of a DC
- Port number: Typically 389
- Authentication Type: Negotiate
- Attribute Name: UnicodePWD
- Password Format: QuotedUnicode
- Admin username: Administrator (flat-name without domain)
Note
Target user should be DN-formatted.
Local Accounts provider
The Local Accounts provider is used to reset passwords for local user accounts on a specific computer.
Prerequisites
- Admin account for the target computer.
- Open network communication from the Specops Password Sync server to the target computer.
Parameters
Parameter | Description |
---|---|
Administrator Account | The user name of the admin account. |
Computer Name | The name of the target computer |
Provider Password | The password of the admin account. |
Microsoft Online Services provider [Obsolete]
Note
The Microsoft Online Services provider is obsolete. For backwards compatibility, please use the Microsoft Entra ID provider.
The Microsoft Online Services provider is used to synchronize passwords to Microsoft Online Services, such as Office 365.
Prerequisites
- The following Microsoft Online Services components must be installed on the Specops Password Sync Server:
- Internet access on the Specops Password Sync Server.
Parameters
Parameter | Description |
---|---|
Administrator Account | The user name of the admin account. |
Provider Password | The password of the admin account. |
Microsoft SQL Server provider
The Microsoft SQL Server provider is used to synchronize passwords to MS SQL server users.
Prerequisites
- SQL Server authenticated admin account (Windows authentication is not supported).
- SQL Server user accounts (accounts stored within custom databases are not supported).
- Open network communication between the Specops Password Sync Server and the target MS SQL server.
- SQL Server Management Studio Tools installed on the Sync server.
Parameters
Parameter | Description |
---|---|
SQL Server | The name of the target MS SQL Server. |
Admin User Name | The user name of the admin account. |
Provider Password | The password of the admin account. |
Oracle Database provider
The Oracle Database provider is used to synchronize passwords to Oracle database users.
Prerequisites
- The provider is designed for Oracle 11g, but may work on other versions as well.
- Oracle admin account.
- Oracle authenticated users
Note
Accounts stored within custom databases are not supported.
- Oracle Data Provider for .NET 4 must be installed on the Specops Password Sync Server.
Parameters
Parameter | Description |
---|---|
Database Server | The Oracle data source descriptor, in the format (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))). Replace MyHost, MyPort and MyOracleSID with the corresponding values from the tnsnames.ora file, which you can find in the ORACLE_HOME\NETWORK\ADMIN directory (see the sample below the table). |
Admin User Name | The user name of the admin account. |
Provider Password | The password of the admin account. |
The following is a sample of the tnsnames.ora file:
```
ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = SRV04.shrek.qa)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl.shrek.qa)
    )
  )
```
After adding the corresponding values from the ORCL entry of the tnsnames.ora file, the data source should look like this:
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SRV04.shrek.qa)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.shrek.qa)))
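The following is an added example, not Specops or Oracle code, that parses a tnsnames.ora file and derives the Database Server data source string from a chosen alias, which is the manual step the parameter table describes. It reads the nested `(KEY = value)` syntax, picks the TCP ADDRESS and the SERVICE_NAME, and refuses entries (such as the IPC-only ORACLR_CONNECTION_DATA above) that cannot produce a TCP descriptor. The sample file is the one from the table; the function names are assumptions made for this illustration.

```python
"""Added example (not Specops or Oracle code): parse a tnsnames.ora file and
derive the Database Server data source string the Oracle provider expects.
Function names are assumptions for this illustration."""
import re
from typing import Iterator, List, Tuple, Union

Node = Union[str, List[Tuple[str, "Node"]]]

# Sample tnsnames.ora taken from the parameter table above.
SAMPLE_TNSNAMES = """
ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = SRV04.shrek.qa)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl.shrek.qa)
    )
  )
"""

_TOKEN = re.compile(r"\s*([()=]|[^\s()=]+)")


def _tokenize(text: str) -> List[str]:
    # '#' starts a comment in tnsnames.ora; strip it before tokenizing.
    lines = [line.split("#", 1)[0] for line in text.splitlines()]
    return _TOKEN.findall("\n".join(lines))


def _parse_value(tokens: List[str], pos: int) -> Tuple[Node, int]:
    """A value is a bare word or one or more '(' KEY = value ')' groups."""
    if pos >= len(tokens):
        raise ValueError("unexpected end of tnsnames.ora")
    if tokens[pos] != "(":
        return tokens[pos], pos + 1
    pairs: List[Tuple[str, Node]] = []
    while pos < len(tokens) and tokens[pos] == "(":
        if pos + 2 >= len(tokens) or tokens[pos + 2] != "=":
            raise ValueError(f"expected 'KEY =' after '(' at token {pos}")
        key = tokens[pos + 1].upper()
        value, pos = _parse_value(tokens, pos + 3)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError(f"expected ')' closing {key}")
        pairs.append((key, value))
        pos += 1
    return pairs, pos


def parse_tnsnames(text: str) -> dict:
    """Map each alias (upper-cased) to its parsed parameter tree."""
    tokens = _tokenize(text)
    entries, pos = {}, 0
    while pos < len(tokens):
        if pos + 1 >= len(tokens) or tokens[pos + 1] != "=":
            raise ValueError(f"expected 'ALIAS =' at token {pos}")
        alias = tokens[pos].upper()
        value, pos = _parse_value(tokens, pos + 2)
        entries[alias] = value
    return entries


def _find_all(node: Node, key: str) -> Iterator[Node]:
    """Depth-first: every value stored under key anywhere in the tree."""
    if isinstance(node, str):
        return
    for k, v in node:
        if k == key:
            yield v
        yield from _find_all(v, key)


def _first(node: Node, key: str):
    return next(_find_all(node, key), None)


def tcp_data_source(entries: dict, alias: str) -> str:
    """Build the compact descriptor from the alias's TCP ADDRESS and
    SERVICE_NAME, mirroring the MyHost/MyPort/MyOracleSID template above."""
    tree = entries[alias.upper()]
    tcp = [a for a in _find_all(tree, "ADDRESS")
           if isinstance(a, list) and str(_first(a, "PROTOCOL")).upper() == "TCP"]
    service = _first(tree, "SERVICE_NAME")
    if not tcp or not isinstance(service, str):
        raise ValueError(f"{alias}: needs a TCP ADDRESS and a SERVICE_NAME")
    host, port = _first(tcp[0], "HOST"), _first(tcp[0], "PORT")
    return (f"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port}))"
            f"(CONNECT_DATA=(SERVICE_NAME={service})))")


if __name__ == "__main__":
    print(tcp_data_source(parse_tnsnames(SAMPLE_TNSNAMES), "ORCL"))
```

Point the script at your own file with `parse_tnsnames(open(path).read())` and the alias you use in SQL*Plus; the SERVER=DEDICATED key is deliberately left out because the template in the table does not carry it.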
Salesforce provider
The Salesforce provider is used to synchronize passwords to Salesforce.
Prerequisites
- Admin account in the target Salesforce.
- Valid Salesforce security token for the admin account. The security token for the admin account should have been emailed to you when you set up your Salesforce account or the last time you reset your password. If you are unable to find this email, you will need to reset the token.
To get or reset your security token:
- At the top of any Salesforce page, click the down arrow next to your name. From the menu under your name, select Setup or My Settings—whichever one appears.
- From the left pane, select one of the following:
- If you clicked Setup, select My Personal Information| Reset My Security Token.
- If you clicked My Settings, select Personal| Reset My Security Token.
- Click Reset Security Token. The new security token is sent via email to the email address on your Salesforce user record. Keep this email. Your security token is not displayed in your settings or profile.
Note
This token is changed every time the password of the admin account is changed.
Parameters
Parameter | Description |
---|---|
URL | The URL to the Salesforce.com API. Default value: https://login.salesforce.com/services/Soap/c/23.0 |
Admin User Name | The user name of the admin account. |
Provider Password | The password and security token concatenated. For example, if your password is “myPassword” and your security token is “XXXX”, you will enter “myPasswordXXXX”. |
SAP provider
The SAP provider is used to synchronize passwords to user accounts in SAP systems.
Prerequisites
- Admin account in the target SAP environment.
- SAP .Net Connector 3.0 for .Net 4.0 must be installed on the Specops Password Sync Server.
Note
If SAP does not show up in the list of available sync providers when setting up the scope, copy the following .dll files from the SAP .NET Connector program directory (e.g. C:\Program Files\SAP\SAP_DotNetConnector3_Net40_x64) to C:\Program Files\Specopssoft\Specops Password Sync\Server\Providers\SAP on the sync server, and then restart the service. Files to be copied:
- libicudecnumber.dll
- rscp4n.dll
- sapnco.dll
- sapnco_utils.dll
Note:
- The SAP .NET Connector depends on the Visual C++ 2010 redistributable, which the SAP installer does not handle. If this component was not installed as part of another package, the provider will fail with the following error message: “Could not load file or assembly ‘sapnco_utils.dll’ or one of its dependencies. The specified module could not be found.”
- Installing KB2365063- Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package MFC Security Update will fix the problem.
Parameters
Parameter | Description |
---|---|
Address to the SAP server | FQDN to the SAP server where the password should be changed. |
System ID | The system ID in SAP (e.g. 00) |
Client ID | The client ID in SAP (e.g. 100) |
Admin User Name | The user name of the admin account |
Provider Password | The password of the admin account |
Windows Service provider
The Windows Service provider is used to update the password used in a Windows Service when the password of the domain service account is changed. The provider will find all services running as the domain account on the target server and set the new password on them.
Prerequisites
- Admin account on the target server.
- Open network communication between the Specops Password Sync Server and the target server.
Parameters
Parameter | Description |
---|---|
Administrator Account | The user name of the admin account that will be used to change the password on the remote server. |
Server Name | The name of the target server where the service is running. |
Provider Password | The password of the admin account. |