AD password synchronization

This functionality requires SafeNet Synchronization Agent version 3.5.1 (or later) and STA or SAS PCE. Active Directory (AD) password synchronization and authentication is available using the LDAP filtering attribute, located in the authentication console, in Comms > Authentication Processing > Pre-authentication Rules. Pre-authentication rules with the AD can be used in STA and SAS PCE only when AD password synchronization is enabled.

Users can authenticate into STA or SAS PCE using their AD (domain) password, without the requirement of a token or other password to be provisioned. Operators manage this functionality by synchronizing the users’ AD passwords into STA or SAS PCE, which allows users to temporarily authenticate with their AD password until they activate a token.

Note

The Windows server hosting SafeNet Synchronization Agent must be joined to the AD domain.

AD passwords are double-hashed and encrypted in all stages of transmission and storage between the AD, SafeNet Synchronization Agent, and in the STA or SAS PCE database.

For the parent (for example, root.com) to replicate the child user (for example, child.root.com) password hashes, it is recommended that you create an LDAP service account (for example, serviceldapsync@root.com) on the parent domain and configure the LDAP credentials on the LDAP service account.

MSCHAPv2 authentication protocol is not supported for LDAP/AD passwords.

Add replication permissions

After you configure groups for synchronization, add replication permissions to enable SafeNet Synchronization Agent to request user credentials from the AD.

1. From an administrator account on a Windows computer, log in to the Domain Controller.

2. Click Start > Active Directory Users and Computers.

3. Click View and enable Advanced Features.

4. In the Active Directory Users and Computers pane, right-click the domain name and then click Properties.

5. Click the Security tab.

6. Click Add and then click Object Types.

7. Verify that Computers is checked and then click OK.

8. Enter the SafeNet Synchronization Agent server host name and then click Check Names.

9. After the server hosting SafeNet Synchronization Agent is discovered, click OK.

10. In the Group or user names field, click the server host name.

11. In the Permissions for <server host name> field, select Allow for both Replicating Directory Changes and Replicating Directory Changes All.

12. Click Apply and then click OK.

    

    Note

    Repeat this procedure for each subdomain that contains users with synchronized passwords.

Enable synchronization

To enable SafeNet Synchronization Agent to synchronize user passwords between STA or SAS PCE and the AD, select Enable password synchronization, as described in Configure SafeNet Synchronization Agent for LDAP.

Note

To disable the use of AD passwords, clear the Enable password synchronization check box. After successful synchronization, the AD passwords are removed from STA or SAS PCE and they can no longer be used for authentication into STA or SAS PCE—the passwords will still appear as assigned, but they can no longer be used for authentication.

The AD password can be used as a token supplement. To do so in STA or SAS PCE, Assignment > Tokens > Assign, Accept LDAP/AD Password must be selected for the user.

The Accept LDAP/AD Password option will not be displayed in the STA Token Management or SAS PCE console until the Enable password synchronization feature is enabled in SafeNet Synchronization Agent and the passwords are synced to STA or SAS PCE.