Synchronizing Passwords

Passly (AuthAnvil) > Password Server > Vaults > (vault type) > (vault) > (password) > Synchronization tab

The Synchronization tab configures a selected sync agent with a password.

1. Install a sync agent on a target machine if you have not already done so.
2. Add or edit the password for the target machine you wish to synchronize.
3. Click the Synchronization tab.
4. Click Enable Synchronization. Fields on this page display if at least one sync agent is installed.
   • Automatically generate a new random password and change it when it expires
   • Sync Agent - Select a sync agent. If this is a Windows password, select a sync agent on the same network or domain. For web passwords, make sure the sync agent has internet access.
   • Add another link in this sync chain that will be updated when this password changes - You can add additional items to sync as a part of sync chain. The Default Sync link is always the first password in a sync chain, and represents the synchronization against the target specified in the General Settings tab.

Sync Chains

Sync chains allow a user to define a series of passwords that need to be kept in sync. A common example is when you change a password for an administrative user account. If that user account has scheduled tasks that run using its credentials, the stored credentials used by the scheduled task must also be updated when the password is synchronized. That's where sync chains come in.

To set up a sync chain, you enable synchronization for a password and choose a sync agent to synchronize against. You can then add links to the sync chain. The Default Sync link is always the first password in a sync chain, and represents the synchronization against the target specified in the General Settings tab. Other links are processed in order and represent various local passwords, domain passwords, remote passwords, task passwords and service passwords. Depending on the link, you will have to specify the relevant information, such as the username of the user to synchronize and machine, domain, device, or task-specific information.

For example, in a computer lab where each machine is domain joined, you may want to synchronize all of the local administrator accounts to a single password. This is the perfect scenario for a sync chain. You would install a sync agent on one of the machines in the lab and set up a Standalone Windows Password for the local Administrator account on that machine. Then, in the sync chain, you would set up a Remote Password link for each machine in the lab, specifying the machine name and the username to synchronize. The vault will test to make sure that the passwords are initially in sync, and then synchronize all of them against the same password each time it changes in the vault.

Note: Remote Windows Passwords, Task Passwords, and Service Passwords require a linked credential be configured for the sync agent.

Sync States

Every password has a status to let users know how the password is being synchronized. This tells the user whether the password is synced or not, if it can be synced, or if it is in the process of being synced. A sync state can be found under the Sync Status column for a password. Here is a list of sync states and their meanings:

• Not Synced – A password that has not been configured for synchronization.
• Pending Sync – A sync agent is in the process of either testing the password or changing it to a new value.
• In Sync – The current password is synchronized and tested against the target login.
• Out of Sync – The current password was unable to be validated, or did not log in correctly.
• Unsyncable – The Web Workflow on this password has no validation steps, so it cannot be verified as the proper password. Launch permissions can still be configured for Single Sign On access to this application.
• Change not Configured – This web password was changed, but there are no workflow steps to update this password on the website. It will have to be manually updated on the website, then you can retry the sync.

Out of Sync Passwords

Occasionally, a password gets out of sync with its vault. This can happen because of an incorrect password stored in Password Server, or a changed password on the Windows / website level, or a failed change due to a bad connection or password complexity. Password Server alerts vault owners with an email that the password needs an administrative override. When the vault owner logs in, they will see a task in their task list that a password sync has failed and that administrative override is required to force the sync.

You can see passwords Sync Issues in your task list on the Dashboard page. The vault owner must enter administrative credentials for the target machine, along with a new password for the account, and click the Approve button. This instructs Password Server to bring the password back into sync. Users can also click the Retest Sync button to send the sync instruction again. This is useful if the target machine was temporarily unavailable during the last synchronization attempt.