SafeNet Synchronization Agent - Frequently Asked Questions
Here, you will get answers to frequently asked questions (FAQs) about SafeNet Synchronization Agent for use with STA. Answers to FAQs provide the most common information you need for using SafeNet Synchronization Agent.
SafeNet Synchronization Agent allows you to sync users in LDAP or SQL user groups to a STA user store. With SafeNet Synchronization Agent configured, LDAP or SQL user groups are monitored for membership changes and user information updates are automatically made in STA to reflect these changes.
Release | Feature |
---|---|
v3.5.1 | Ability to synchronize domain passwords to STA. |
v3.3.3 | Differential synchronization: Only “changed” user records (including additions and deletions) are synchronized, resulting in less network traffic and reduced sync time. |
Frequently Asked Questions
Nested Groups Synchronization
What is nested group support?
SafeNet Synchronization Agent has been enhanced to sync LDAP users within nested groups, where users may be members of a group that is a member of another group.
STA synchronizes all users in nested groups that are visible in LDAP. STA is not directly aware of trust relationships in Active Directory. For additional information, refer to the question: Can SafeNet Synchronization Agent sync multiple domains to STA using Active Directory Global Catalog?, in the General section.
What preparation is needed before upgrading SafeNet Synchronization Agent?
Before updating SafeNet Synchronization Agent, it is recommended to verify that LDAP groups configured for syncing do not contain nested groups with users you do not intend to sync. After upgrading, all users of nested groups will be synced automatically.
How can I enable auto-provisioning for users within nested groups?
Auto-provisioning can now be enabled for users in nested groups. This is controlled by a new Provisioning Policy in the POLICY > Automation Policies module. This is enabled by default for newly created accounts, and disabled by default for existing accounts. For additional information, refer to Apply provisioning rules to nested groups.
Domain Password Synchronization
What exactly is Domain Password Synchronization?
Domain Password Synchronization is an optional feature that enables synchronizing users’ domain passwords to STA. STA can then authenticate users with a valid domain password instead of, or together with, an OTP.
What are the requirements to use Domain Password Synchronization?
Requirements are: STA Cloud v3.5.1 (or later), STA PCE v.3.5.4 (or later), Sync Agent v3.5.1 (or later), and an Active Directory user source. The machine running SafeNet Synchronization Agent must be part of the Active Directory domain, and must have the “Replicating Directory Changes” and “Replicating Directory Changes All” Active Directory permissions. For additional information, refer to Add replication permissions.
How can STA use synchronized domain passwords?
Users can authenticate into STA using their existing Active Directory password (their domain password), without the requirement of a token or other password to be provisioned. Operators manage this functionality by synchronizing the users’ Active Directory passwords into STA, which allows users to temporarily authenticate with their Active Directory password until a token is activated by the user. This functionality requires SafeNet Synchronization Agent version 3.5.1 (or later).
Additionally, in STA Cloud v3.5.1 (or later), or STA PCE v.3.5.4 (or later), Active Directory password synchronization and authentication is available through the use of the LDAP/AD Password Validation filtering attribute, located in COMMS > Authentication Processing > Pre-authentication Rules. Pre-authentication rules with LDAP/AD Password Validation can be used in STA only when Active Directory password synchronization is enabled.
Can STA validate password and OTP in a 2-step authentication process?
Pre-authentication rules allow conditional Challenge/Response type of authentication after AD password validation. This can be used to automatically trigger SMS Quicklog or GrIDsure authentication after the user enters their domain password.
How does Domain Password Synchronization work?
SafeNet Synchronization Agent obtains passwords directly from Active Directory through a separate connection. An LDAP connection to Active Directory continues to be used for all other user data that is synchronized. SafeNet Synchronization Agent sends domain passwords together with the other user data to STA.
Is Domain Password Synchronization secure?
Yes. Active Directory passwords are double-hashed and encrypted in all stages of transmission and storage between Active Directory, SafeNet Synchronization Agent, and in the STA database.
Additional information can be found in the SafeNet Authentication Service Security White Paper, which can be requested from Thales Customer Support.
How do I enable Domain Password Synchronization?
In SafeNet Synchronization Agent (version 3.5.1 or later), on the LDAP Schema window, select Enable password synchronization, and then enter the Active Directory Administrator Credentials.
How can I enable failover for retrieving domain passwords?
Failover configuration in SafeNet Synchronization Agent applies only to LDAP connections. Active Directory manages failover internally. It is recommended to configure only a primary LDAP host name in SafeNet Synchronization Agent to the Active Directory entry point, which supports failover. If Active Directory and DNS are not set up to handle failover, SafeNet Synchronization Agent will cancel and stop the synchronization process regardless of the existence of a secondary LDAP host.
Can I use Domain Password Synchronization with custom schemas?
Yes, with LDAP schemas that are Active Directory enabled, provided that the LDAP server is an Active Directory server.
Can passwords be obtained from other user sources than Active Directory?
Not with STA. Password synchronization is not available for generic LDAP or SQL user stores, and is only supported with Active Directory.
STA PCE/SPE offers direct integration with any LDAP user store, which enables the same authentication use cases in STA PCE/SPE as password synchronization does for STA cloud. In addition, password synchronization is available in STA PCE v.3.5.4 (or later).
Does Domain Password Synchronization affect synchronization performance?
SafeNet Synchronization Agent uses a separate direct connection to Active Directory for passwords, in addition to the LDAP connection used for the other user data. This can result in noticeably longer time overall for synchronization activity to complete, but the amount of additional data transmitted to STA is marginal.
In particular, the first sync after enabling password synchronization can take longer than expected, depending on the number of synced users.
Can I remove synchronized domain passwords from SAS?
Yes. To disable the use of Active Directory passwords, in SafeNet Synchronization Agent, on the LDAP Schema window, de-select the Enable password synchronization check box. After a successful synchronization, the Active Directory passwords are removed from STA and can no longer be used for authentication into STA. The passwords will still appear as assigned, but they can no longer be used for authentication.
A user’s account got locked out. How can I unlock the domain password?
If the domain password was assigned to the user, STA operators can manually unlock it in the user’s token list like other tokens. However, operators cannot manually unlock domain passwords that were not assigned but were used in pre-authentication rules. Domain passwords will be automatically unlocked after the account lock duration, like other tokens.
Does Domain Password Synchronization support password expiration?
SafeNet Synchronization Agent does not sync password renewal requests or expiration. STA treats the password as a cached credential, which can be used until it is updated in Active Directory and synced to STA. If the account gets locked in Active Directory, STA will fail authentication attempts.
Does Domain Password Synchronization work with STA PCE/SPE?
Yes, in STA PCE v.3.5.4 (or later). In addition, STA PCE/SPE supports direct LDAP integration for password validation. Direct LDAP password validation can be used in STA in the same way as Active Directory password synchronization (that is, for assigned passwords and pre-authentication rules).
How does Active Directory password validation in STA differ from Direct LDAP password validation in STA PCE/SPE?
For synchronized passwords, STA validates the user’s passcode against the synchronized Active Directory password. More precisely, a secure representation of the password is compared, not the password itself. STA PCE/SPE direct LDAP integration requests the LDAP server to validate the user’s passcode against the LDAP password.
Differential Synchronization
What exactly is “differential synchronization”?
In earlier versions of STA (up to v3.3.2), a full sync of all user records was performed for each and every sync event. With differential synchronization, only “changed” user records, including additions and deletions, are synchronized since the last successful sync, resulting in less network traffic and reduced sync time. This also reduces system load, helping to increase the reliability of sync services.
User records are sent in “batches” to the STA User Store. With differential synchronization, the initial sync may take longer to complete as it builds up its local information store, but subsequent syncs typically complete much faster.
Differential syncing occurs in parallel with scanning the User Store. This means that new users can typically start using authentication before all users are synchronized. If the agent cannot connect to the server, the sync is retried with the next User Store scan.
What are the benefits of differential synchronization?
As mentioned previously, only “changed” user records, including additions and deletions, are synchronized since the last successful sync, resulting in less network traffic and reduced sync time. Reduced system load also increases the reliability of sync services. Refer to the next question for additional benefit information.
Does differential synchronization allow 20-minute frequency, and does stopping and starting service trigger synchronization again?
STA Cloud and STA PCE/SPE v3.4 and later limit syncing to once every 60 minutes with older versions of SafeNet Synchronization Agent that don’t use differential synchronization. Agent versions 3.3.3 and newer recognize the Scan Interval setting, and restarting the sync service in the agent initiates scanning and synchronization.
What changes have been made to the Sync History Report?
In support of differential synchronization, the User’s Total column heading has been changed to Processed Users and the Group’s Total column heading has been changed to Processed Groups. The Processed Groups column displays the number of changed groups that were processed during the sync batch. The Processed Users column displays only the number of users in this batch sent to be synced since the last successful sync. Each batch contains up to 40 users or groups.
The Sync History Report is viewed by navigating to COMMS > Authentication Processing > LDAP Sync Agent Hosts and clicking View Sync History. User changes appear in the report incrementally as they occur.
Do I have to upgrade SafeNet Synchronization Agent in order to continue using STA?
Earlier versions of SafeNet Synchronization Agent will continue to work with STA. It is recommended to update the agent in order to enjoy the benefits of differential synchronization. It is also recommended as a best practice to run the latest version of the agent.
Can different versions of SafeNet Synchronization Agent be configured against the same LDAP server and authentication virtual server?
This is not supported. Mixing newer agents that use differential synchronization with older agents that don’t negates the benefits of differential synchronization. All older agent versions should be upgraded to the latest version, as described in the previous answer.
What is the upgrade path for STA PCE/SPE?
The STA server should be upgraded first to v3.4 (or later). Existing SafeNet Synchronization Agents will continue to work but the scan interval is limited now to once every 60 minutes (instead of every 20 minutes), even if the agent is manually stopped and restarted.
It is recommended to upgrade the SafeNet Synchronization Agent to at least v3.5.1 (or later) in order to obtain the benefits of differential synchronization and regain a scan interval of every 20 minutes. Restarting the sync service in the agent will initiate scanning and synchronization.
How can I test differential synchronization before placing it into use?
Testing should normally not be necessary since differential synchronization does not change scanning or what is synchronized. Testing the latest agent version is possible with a separate virtual subscriber that can be created under Service Provider accounts. It is not possible to use full sync agents (up to v3.3.2) and differential sync agents (v3.3.3 or later) together in the same virtual subscriber.
Can I revert to not using differential synchronization?
Differential synchronization does not introduce new functionality and results in the same user data in STA. In case of unforeseen issues, it is possible to revert to the last agent version (3.03.20178) that does not use differential synchronization.
Stop all agents, except one. Launch the installer for version 3.03.20178 to upgrade this agent (which can still be running), and start the service. Continue upgrading additional agents.
General
I am running SafeNet Synchronization Agent v3.3.3 or v3.4.x. Should I upgrade to v3.5.1 or later?
Yes, it is generally recommended as a best practice to run the latest version of the agent.
What is the upgrade procedure for SafeNet Synchronization Agent?
Launch the installer to upgrade the agent. It is not necessary to stop the service or uninstall the agent.
How do I upgrade multiple redundant agents?
STA supports syncing a Virtual Server through multiple agents that are configured with the same groups and attribute mappings. All agents must be upgraded at the same time. To upgrade, stop all agents except one. Upgrade this agent (which can still be running) and start it, then upgrade and start the next agent, and repeat until all agents have been upgraded.
Can the latest SafeNet Synchronization Agent version be used with earlier versions of STA PCE/SPE?
No. SafeNet Synchronization Agent v3.4 (or later) is only supported with STA v3.4 or later. SafeNet Synchronization Agent v3.03.20178 can still be used with STA PCE/SPE v3.3.2.
Can SafeNet Synchronization Agent sync multiple domains to STA using Active Directory Global Catalog?
Yes. Although SafeNet Synchronization Agent does not directly support Active Directory (except for domain passwords), it can be configured to sync with a Global Catalog for LDAP searches. To enable this functionality in SafeNet Synchronization Agent, you must set the Port field on the User Source Configuration window to 3268, which is the port to which Global Catalog queries are directed.
In addition to the above configuration changes, note the following steps that may need to be performed:
- The selected Sync Groups must be set as “universal” groups.
- In SAS, under Authentication Processing > LDAP Sync Agent Settings, it is recommended to enable the Use Delayed Sync Removal option.
- In SafeNet Synchronization Agent, under User Source Configuration, select Manually edit searched containers, and then add the containers from the sub-domains.
- In order for SafeNet Synchronization Agent to scan and sync Global Catalog groups to SAS, you must bind to DC=,DC= to search over all sub-domains. Then, you will need to do one of the following:
  - In SafeNet Synchronization Agent, under User Source Configuration, select Manually edit searched containers, and then add the containers from the sub-domains.
  - If the above procedure does not produce the intended results (not all domain groups are displayed), enter a NULL value (" ") for Manually edit searched Containers to instruct the Agent to search the entire Active Directory tree.
The Microsoft TechNet article entitled Global Catalog and LDAP Searches provides additional information and can be found at the following link: http://technet.microsoft.com/en-us/library/cc978012.aspx
Recommended Best Practices
- Deployment of a single SafeNet Synchronization Agent ensures reliable synchronization and is recommended for most organizations. Deployment of two agents is recommended to meet redundancy or resiliency requirements. Each agent must be identically configured except that they may point to different LDAP servers (of the same directory), which is recommended for better resiliency towards LDAP.
- It is recommended to run the latest version of the agent.
- A high availability configuration with multiple SafeNet Synchronization Agents ensures there is no single point of failure. Configuration should include:
  - Identically configured sync agents with the same group configuration and schema.
  - Identical content on the LDAP server(s) the sync agents are pointed to.
If agent configurations are not synchronized or the contents of the LDAP directory servers differs, SafeNet Synchronization Agents will work against each other, as all agents are active. Active/Passive configuration is not available.
Advisory Notes
Managing Synchronized User Account Updates
When synchronizing users from LDAP to SAS, a recovery mechanism called Delayed Sync Removal is enabled in STA by default that provides a 24-hour window during which user accounts flagged for deletion can be restored. Conversely, if this option is disabled, accounts deleted in the LDAP directory are removed immediately and permanently from the STA user database upon synchronization, along with all user/token associations.
The Delayed Sync Removal function provides a “safety net” that protects against accidental or erroneous deletions, and saves the time and effort of re-establishing valid user accounts. The deleted user accounts will be marked as “disabled” during the 24-hour period, and these users will not be able to authenticate. However, Operators will have the ability to either re-enable the account or expedite the deletion manually if they are certain the removal is valid.
When used in conjunction with the delayed removal option, enabling sync notifications provides the opportunity to review synchronization activities and determine the validity of user account changes and deletions.
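As an added illustration (not the agent's own code) of the differential synchronization described in the Differential Synchronization section and of the Delayed Sync Removal window described above, the following Python models one sync cycle: only records changed since the last successful sync are sent, in batches of up to 40, deleted users are flagged for 24 hours before removal, and an operator can restore or expedite. The record layout, clock origin and sample scans are constructed.

```python
# Added example: a model of differential sync with Delayed Sync Removal.
# Record shape, clock origin and sample scans are constructed, not the agent's.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BATCH_SIZE = 40                      # up to 40 users or groups per batch
REMOVAL_DELAY = timedelta(hours=24)  # Delayed Sync Removal window
T0 = datetime(2024, 1, 1, 8, 0)      # constructed clock origin for the scenario


def hours_after(n: float) -> datetime:
    return T0 + timedelta(hours=n)


@dataclass
class StoreUser:
    attrs: dict
    disabled_since: datetime | None = None   # set when flagged for delayed removal


@dataclass
class SyncState:
    last_seen: dict = field(default_factory=dict)   # attrs at last successful sync
    store: dict = field(default_factory=dict)       # STA user store: name -> StoreUser


def diff(previous: dict, current: dict):
    """Differential sync: only records that changed since the last successful sync."""
    added = [u for u in current if u not in previous]
    changed = [u for u in current if u in previous and current[u] != previous[u]]
    removed = [u for u in previous if u not in current]
    return added, changed, removed


def batches(items: list, size: int = BATCH_SIZE) -> list:
    return [items[i:i + size] for i in range(0, len(items), size)]


def sync(state: SyncState, scan: dict, now: datetime, delayed_removal: bool = True) -> int:
    """Apply one sync of `scan` (username -> attrs); return records processed."""
    added, changed, removed = diff(state.last_seen, scan)
    processed = 0
    for batch in batches(added + changed):          # sent to STA in batches
        for user in batch:
            # A user reappearing inside the 24-hour window is simply restored.
            state.store[user] = StoreUser(dict(scan[user]))
        processed += len(batch)
    for user in removed:
        rec = state.store.get(user)
        if delayed_removal and rec is not None:
            rec.disabled_since = now                  # flagged; cannot authenticate
        else:
            state.store.pop(user, None)               # removed immediately and permanently
        processed += 1
    # Purge accounts whose 24-hour restore window has elapsed.
    for user, rec in list(state.store.items()):
        if rec.disabled_since and now - rec.disabled_since >= REMOVAL_DELAY:
            del state.store[user]
    state.last_seen = {u: dict(a) for u, a in scan.items()}
    return processed


def can_authenticate(state: SyncState, user: str) -> bool:
    rec = state.store.get(user)
    return rec is not None and rec.disabled_since is None


def restore(state: SyncState, user: str) -> None:
    """Operator re-enables an account flagged for delayed removal."""
    state.store[user].disabled_since = None


def expedite_removal(state: SyncState, user: str) -> None:
    """Operator confirms the deletion without waiting for the 24-hour window."""
    del state.store[user]


# Constructed sample scans: the second one changes alice and drops bob in LDAP.
SCAN_FULL = {"alice": {"mail": "alice@example.com"}, "bob": {"mail": "bob@example.com"}}
SCAN_BOB_DELETED = {"alice": {"mail": "a.smith@example.com"}}
```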
Implementing this functionality consists of the following steps:
Enable Delayed Sync Removal
The Use Delayed Sync Removal option in STA delays the removal of synchronized LDAP user accounts flagged for deletion from the STA Virtual Server for 24 hours. Combined with LDAP Sync Notification, if a sync event is detected, the Virtual Server will send an alert to Operators indicating that all detected changes will occur in 24 hours unless they intervene.
This option is enabled by default; however, if this option has been disabled, the following steps describe how to re-enable the function.
- In the STA Token Management console, click Virtual Servers > Comms > Authentication Processing > LDAP Sync Agent Settings.
- Enable the Use Delayed Sync Removal option.
- Click Apply.
Enable Sync Notifications
Enable LDAP Sync Notification in STA
Notification is enabled individually for each Operator group in the Role Management module. Enabling this function in STA will generate an email to Operators specifically related to user account actions, such as additions and deletions, which occurred during synchronization.
- In the STA Token Management console, click Virtual Servers > Policy > Role Management.
- Click Alert Management.
- Click the Edit link for the Operator role.
- Under Alert Settings, in the Email column, enable the LDAP Sync Notification option.
- Click Apply.
Synchronization Failures
In the event that user synchronization fails, the sync alert will list all affected users and the error that caused the failure. This will allow the Operator to correct the user data in the user source. Currently, the possible errors are shown below.
Error Message | Reason |
---|---|
Operator's email address conflicts with an already existing email. | An operator being synced has had their email address property changed to an existing (non-unique) operator email. |
The failure information is included in the default template for the sync alert. If the alert has been customized, the failure information can be added by manually inserting the following text into the alert template after the <removeList /> section:
The following <totalProblemUsers /> users have properties that prevented a successful sync:
<problemUserList />:
Notification Email Example
The following is an example of the LDAP Sync Notification email that will be sent to all Operators when used in conjunction with the Delayed Sync Removal option.
Enable LDAP Sync Notification in SafeNet Synchronization Agent
SafeNet Synchronization Agent can be configured to send email alerts if it is unable to connect to SAS, or to the LDAP directory server or SQL server. An email alert can also be sent if an expected group is not found. The text can be customized for each alert.
Email alerts can only be configured if the service is stopped.
- In SafeNet Synchronization Agent, click the Notification tab.
- Under SMTP Configuration, click Configure.
- The SMTP Configuration window is displayed. These settings define the mail server (SMTP) used by the STA server to send out notifications to the operator/administrator who manages the Virtual Server, and provides LDAP sync process notifications (for example, failed or succeeded).

Field | Description |
---|---|
From e-mail address | Enter the email address from which notifications are sent. |
Hostname/IP Address | Enter the IP address or host name of the SMTP server (mail server) used for sending out notifications. |
Port | Enter the port used by the specific mail server to send and receive emails. |
Username (if required) / Password (if required) | If credentials are required to log on to the SMTP server, enter the username and password of the account from which the notifications are sent. |

- Click OK.
- Under E-mail Test, in the Enter e-mail Address field, enter a recipient email address. Click Test to test the SMTP configuration.
- To customize the email alerts that are sent, under E-mail Message Templates, click Customize.
- On the Email Templates window, enter the following information, and then click OK.

Field | Description |
---|---|
Message | Select the message type: LDAP Connection Issues, User Source Server Connection Issues, Sync Server Connection Issues, or Missing Group. |
Subject | Modify as required. |
Body | Modify as required. |

- Under Event Recipient Lists, click Add to add an email address to which alerts are sent.
- On the Mailing List window, enter the following information:

Field | Description |
---|---|
List Name | Enter a name for the email list. |
Recipient E-mail | For each address to be added to the Recipient E-mail List, enter an email address into the Recipient E-mail field, and then click Add. |
Recipient E-mail List | E-mail addresses that have been added using the Recipient E-mail field. |
Events | Select the appropriate events for which the recipient will receive an alert. |

- Click OK. The List Name displays in the Event Recipient Lists box.
Minimal DN Scope for LDAP Scanning
To ensure optimal synchronization performance, it is advised to limit LDAP scanning to Distinguished Names (DN) that encompass all sync groups. With an overly broad scanning scope for very large LDAP Directories, LDAP scanning may not always report all users to SafeNet Synchronization Agent, which can lead to users being marked in STA for delayed removal, and then deleted after 24 hours.
Note that SafeNet Synchronization Agent will not allow modifications to be made to the DN scope for Active Directory if the default settings are used. Search containers cannot be specified if the “LDAP user source is Active Directory” check box is selected. This option allows SafeNet Synchronization Agent to determine whether the custom schema is for an Active Directory (AD) implementation of LDAP. If this option is enabled, the agent will always target all LDAP queries against the Base DN and use Active Directory optimized search queries.
In addition, it is recommended to keep the Use Delayed Sync Removal feature enabled in the STA Token Management console under COMMS > Authentication Processing > LDAP Sync Agent Settings.
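As an added example (not the agent's own code), the following Python computes the narrowest base DN that encompasses a set of sync groups and their members, as this section recommends, and, for the multi-domain Global Catalog case described under "Can SafeNet Synchronization Agent sync multiple domains to STA using Active Directory Global Catalog?" in the General section, selects port 3268 and reports any sync group that is not a universal group. The DNs, groupType values, and helper names are constructed.

```python
# Added example: minimal LDAP scan scope and Global Catalog group-scope check.
# DNs, groupType values and helper names are constructed, not the agent's own.
from __future__ import annotations

GROUP_TYPE_UNIVERSAL = 0x00000008   # scope bit of the AD groupType attribute
LDAP_PORT = 389
GC_PORT = 3268                      # Global Catalog port named in the FAQ


def parse_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def common_base_dn(dns: list[str]) -> str:
    """Deepest DN that is an ancestor of (or equal to) every DN given."""
    parts = [parse_dn(d) for d in dns]
    depth = 0
    # Walk inward from the root (right-hand) end while all DNs still agree.
    while all(len(p) > depth for p in parts) and \
            len({p[-1 - depth].lower() for p in parts}) == 1:
        depth += 1
    return ",".join(parts[0][-depth:]) if depth else ""


def domain_of(dn: str) -> str:
    """The DC=... suffix of a DN, i.e. the domain the object lives in."""
    return ",".join(r for r in parse_dn(dn) if r.lower().startswith("dc=")).lower()


def is_universal(group_type: int) -> bool:
    return bool(group_type & GROUP_TYPE_UNIVERSAL)


def plan_scan_scope(groups: list[dict]) -> dict:
    """groups: dicts with 'dn', 'groupType' and 'members' (member DNs).
    Returns the minimal base DN, the port to query and Global Catalog warnings."""
    all_dns = [g["dn"] for g in groups] + [m for g in groups for m in g["members"]]
    multi_domain = len({domain_of(d) for d in all_dns}) > 1
    warnings = []
    if multi_domain:
        # The Global Catalog carries membership only for universal groups, so a
        # global or domain-local sync group would look empty from other domains.
        warnings = [f"{g['dn']} is not a universal group"
                    for g in groups if not is_universal(g["groupType"])]
    return {"base_dn": common_base_dn(all_dns),
            "port": GC_PORT if multi_domain else LDAP_PORT,
            "multi_domain": multi_domain, "warnings": warnings}


# Constructed sample data: one forest, two sub-domains; the APAC group is global.
FOREST_GROUPS = [
    {"dn": "CN=STA Users,OU=Groups,OU=EMEA,DC=emea,DC=example,DC=com",
     "groupType": -2147483640,   # 0x80000008: security-enabled universal
     "members": ["CN=Ana,OU=Staff,OU=EMEA,DC=emea,DC=example,DC=com"]},
    {"dn": "CN=STA Users,OU=Groups,DC=apac,DC=example,DC=com",
     "groupType": -2147483646,   # 0x80000002: security-enabled global
     "members": ["CN=Bo,OU=Staff,DC=apac,DC=example,DC=com"]},
]
SINGLE_DOMAIN_GROUPS = [
    {"dn": "CN=STA Users,OU=Groups,OU=Corp,DC=corp,DC=example,DC=com",
     "groupType": -2147483640,
     "members": ["CN=Cy,OU=Staff,OU=Corp,DC=corp,DC=example,DC=com"]},
]
```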
Synchronizing Users and Groups with Multiple LDAP or SQL User Stores
A single Virtual Server can synchronize only to a single User Store. Note that this is currently not enforced. It is strongly advised to verify that all agents are configured for exactly the same groups and attributes; otherwise, synchronization conflicts and inconsistencies can arise. Differing synchronization configurations for the same Virtual Server are not supported.