Patrick-Dussault

Tech Tip : CA Single Sign-On : Password sync agent 

Discussion created by Patrick-Dussault Employee on Jun 26, 2018
Latest reply on Jun 29, 2018 by Welington.Strutz.82300703

Question:

 

I have a query about password sync agent for IM.

Can I enable the Password Sync Agent for multiple endpoints (Active
Directory)?

When I do the configuration, it asks me for the endpoint, and there
is no option to select multiple endpoints.

Suppose I have 3 domain controllers. Do I need to deploy the Password
Sync Agent on all three of them?

 

Answer:

 

The documentation here specifies only 1 endpoint to be configured:

Synchronizing Passwords on Endpoints

"If you have the Password Sync Agent installed on a managed
endpoint, you need to manually enable the checkbox on the Endpoint
object to indicate that the Password Sync Agent is installed."

https://docops.ca.com/ca-identity-manager/14-2/EN/administrating/password-management/synchronizing-passwords-on-endpoints

According to the following Knowledge Document, you should configure
the Password Sync Agent on each endpoint:

How does the mechanism for password capturing an endpoint password
change and propagate it to global user, corporate user and other
accounts work.

"You will need to install a Password Synchronization Agent (aka PSync
Agent) on your endpoint. The PSync Agent is specific to each endpoint
and is intercepting passwords changed on the endpoint."

https://comm.support.ca.com/kb/how-does-the-mechanism-for-password-capturing-an-endpoint-password-change-and-propagate-it-to-global-user-corporate-user-and-other-accounts-work/kb000050280

Further, according to this next knowledge document, you should install
the Password Sync Agent on all domain controllers where passwords are
allowed to be set/reset.

Which Domain Controllers should I install Password Sync Agents on?

"Password Sync Agents are required to be installed only on DCs where
passwords are allowed to be set/reset."

[...]

"you really do not need to install the Password Sync Agent software
on any domain controller that isn't allowing direct password resets."

https://comm.support.ca.com/kb/which-domain-controllers-should-i-install-password-sync-agents-on/kb000050277


KB : KB000103383
