CallTower Solutions Center

Password Sync Installation

Password Sync is a tool that synchronizes your local Active Directory (AD) passwords to our products and applications such as Connect, Skype for Business, Jabber and Office 365. Password Sync is a one-way push tool. It is not a single sign-on solution, nor does it incorporate federation. Password Sync only captures password changes; it does not capture existing passwords or sync other AD attributes.

Prerequisites:

  • Every Domain Controller in the users’ domain needs to have the Password Sync agent installed. Read Only Domain Controllers (RODCs) do not need the agent installed.
  • .NET Framework 4.5 on the domain controllers.
  • Domain Controllers need to have outbound access to https://pws.ct450.com:8991
  • Windows 2003 Domain Controllers need to have Windows Imaging Component (WIC) installed.
    a. 32-bit WIC: http://go.microsoft.com/fwlink/?LinkID=162643
    b. 64-bit WIC: http://go.microsoft.com/fwlink/?LinkID=162644
  • Download the Simply Sync Password software:
    a. 32-bit Installer: PWSyncClientInstaller32.msi
    b. 64-bit Installer: PWSyncClientInstaller64.msi
    c. Server Core Installer: PWSyncClientCoreInstaller64(3.7).msi (for installation steps, see "Installing Password Sync on Server Core" below)
  • If TLS 1.2 is required, follow the additional steps below after the installation.
  • Obtain the Client License Key from your Account Executive.
  • NOTE: Domain Controllers with a Server Core only install require a different installation procedure. Please contact your Implementation Manager or Account Executive.

Installation Steps:

  1. Log on to the domain controller as a domain admin.
  2. Install Simply Sync Password client.

Note: Do not restart if prompted.

  3. Launch PWSync Client Configuration from the Start Menu.

Note: If using Windows 2008 or higher, right-click it and select Run As Administrator. Do this even if you are logged in as an administrator. Always Run As Administrator or results may be unexpected. If you do not see the option to Run As Administrator when right-clicking the install file, open an administrator command prompt and run the install from that window.

  4. Click on Tool and select Import Target Configuration (highlighted in green in the image below).
  5. Paste the Client License Key, click OK, and confirm.
  6. Click the ellipsis to the right of the Users OU box and select the OU that should be monitored for password changes. If there are multiple containers for users, select the container closest to the root and check the Sub OU box. If all containers will be synced, leave the Users OU blank and check the Sub OU box (highlighted in magenta in the image below).
  7. Verify the Status box at the bottom of the window shows Active. If it shows InActive, toggle the status (highlighted in red in the image below).

[Image: Capture.PNG]

  8. Click Apply on the main window.
  9. Click Apply again and close PWSync Client Configuration.
  10. Reboot the Domain Controller.
  11. After it reboots, verify the PWSync Client Service is running and set to Automatic.
  12. Follow steps 1-3 and 7-10 for all other domain controllers. Because the configuration is stored in Active Directory, you do not need to repeat steps 4-6.
  13. Windows Server 2003 only: A registry key adjustment may be needed in order for passwords to be captured. Use regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\GoodWorks\PWSync. Change the registry value of the "Mode" key to "1".

Optional Steps to Enable TLS 1.2 

  1. Enable TLS 1.2 in Windows. There are 2 ways to do this:
    1. Recommended: Download IIS Crypto (https://www.nartac.com/Products/IISCrypto) and check the box next to TLS 1.2, then reboot.
    2. Manual: Set the following registry keys:
      1. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001
      2. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001
  2. Edit two files in the GoodWorks SimplySync Password bin folder (default is C:\Program Files\GoodWorks Communications\Simply Sync Password Client v3.7\bin):
    1. PWSyncClientConfiguration.exe.config
    2. PWSyncClientWindowsService.exe.config
      In each file, find this line:
           <add key="Protocol" value="SSL3|TLS"/>
      and change it to:
           <add key="Protocol" value="TLS1.2"/>
  3. Restart the PWSync Client Service.
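
The settings from the two TLS 1.2 steps can be confirmed after the reboot with a read-only check. This is an added example, not vendor code; it assumes the default bin folder shown above and an elevated PowerShell prompt on the domain controller.

```powershell
# Added example: read-only audit of the TLS 1.2 settings from the steps above.
# Registry paths, file names and the bin folder are the ones given on this page.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$binDir   = 'C:\Program Files\GoodWorks Communications\Simply Sync Password Client v3.7\bin'

function Test-SchannelTls12 {
    foreach ($role in 'Client', 'Server') {
        # A missing key or value reads back as $null, meaning the OS default applies
        $p = Get-ItemProperty -Path "$schannel\$role" -ErrorAction SilentlyContinue
        # Any non-zero Enabled counts as on: some tools write 0xffffffff, read here as -1
        $ok = ($null -ne $p.Enabled) -and ($p.Enabled -ne 0) -and ($p.DisabledByDefault -eq 0)
        [pscustomobject]@{
            Check     = "SCHANNEL TLS 1.2 $role"
            Found     = "Enabled=$($p.Enabled); DisabledByDefault=$($p.DisabledByDefault)"
            Compliant = $ok
        }
    }
}

function Test-PwSyncProtocol {
    $files = 'PWSyncClientConfiguration.exe.config', 'PWSyncClientWindowsService.exe.config'
    foreach ($name in $files) {
        $path  = Join-Path $binDir $name
        $value = 'file not found'
        if (Test-Path -LiteralPath $path) {
            try {
                # Both files are XML; the setting is <add key="Protocol" value="..."/>
                $xml   = [xml](Get-Content -LiteralPath $path)
                $node  = $xml.SelectSingleNode("//add[@key='Protocol']")
                $value = if ($node) { $node.GetAttribute('value') } else { 'Protocol key missing' }
            } catch {
                $value = 'unreadable XML'
            }
        }
        # "SSL3|TLS" is the shipped value; only "TLS1.2" matches the step above
        [pscustomobject]@{ Check = $name; Found = $value; Compliant = ($value -eq 'TLS1.2') }
    }
}

Test-SchannelTls12
Test-PwSyncProtocol
```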

Notes:

  • Password changes are synced in real-time and are not queued. If the PWSync Client Service is not running on a domain controller at the time it processes a password change, the change will not sync.
  • If connectivity to https://pws.ct450.com:8991 is unavailable (for example, Internet access is down), any password changes during that time will not sync.
    • When browsing to this URL, you should expect to see the page return something similar to what is shown below.
      [Images: 1.png, 1a.png]
  • If the UPN of a user does not exactly match their Connect username, the password will not sync.
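
Because a stopped service or a blocked endpoint drops password changes without queuing them, a periodic check across all writable domain controllers is worth scheduling. This is an added example, not vendor tooling; it assumes the ActiveDirectory module, PowerShell remoting to each DC, and that the service's display name begins with "PWSync Client".

```powershell
# Added example: check the agent service and outbound endpoint on every writable DC.
Import-Module ActiveDirectory

$check = {
    # Assumption: the service display name starts with "PWSync Client"
    $svc = Get-Service -DisplayName 'PWSync Client*' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    $startMode = $null
    if ($svc) {
        # Win32_Service reports Automatic start as "Auto"
        $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    }

    # Outbound TCP reachability of the sync endpoint named on this page (5 s timeout)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $reachable = $tcp.ConnectAsync('pws.ct450.com', 8991).Wait(5000) -and $tcp.Connected
    } catch {
        $reachable = $false
    } finally {
        $tcp.Close()
    }

    [pscustomobject]@{
        ServiceStatus     = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        StartMode         = $startMode
        EndpointReachable = $reachable
    }
}

# RODCs do not need the agent, so only writable DCs are checked
$dcs     = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly })
$results = Invoke-Command -ComputerName $dcs.HostName -ScriptBlock $check -ErrorAction SilentlyContinue

foreach ($dc in $dcs) {
    $r = $results | Where-Object { $_.PSComputerName -eq $dc.HostName }
    [pscustomobject]@{
        DC        = $dc.HostName
        Service   = if ($r) { $r.ServiceStatus } else { 'RemotingFailed' }
        StartMode = $r.StartMode
        Endpoint  = $r.EndpointReachable
        Healthy   = [bool]($r -and $r.ServiceStatus -eq 'Running' -and
                           $r.StartMode -eq 'Auto' -and $r.EndpointReachable)
    }
}
```

A DC that reports `RemotingFailed` could not be checked at all and should be treated as unhealthy until verified by hand.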

 

Installing Password Sync on Server Core

On another domain controller running the full version of Windows Server (desktop experience):

  1. Open the Registry Editor
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\GoodWorks\PWSync
    1. Add “ServiceIP” as a String
    2. The value needs to be set to the local IPv4 address of the server running the full version of Windows Server
      i. The server needs to be reachable on the local network by the Server Core domain controller
  3. Restart the “PWSync Client” service

On the Server Core domain controller:

  1. Install the PWSyncClient Server Core MSI
  2. Open the Registry Editor
  3. Repeat step 2 from above on this server. Use the same value for ServiceIP on this server as well (the IP of the other domain controller running the full version of Windows Server)
  4. Set HKEY_LOCAL_MACHINE\SOFTWARE\GoodWorks\PWSync\Mode to 1
  5. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages to the following values:
    1. scecli
    2. rassfm
  6. Restart the Windows Server Core domain controller
  7. The default port used to connect to the proxy server is 666. You can change it in the registry if needed.
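
The registry state these steps leave on the Server Core domain controller can be verified with a read-only check, which also flags any LSA notification package beyond the two listed. This is an added example, not vendor code; Windows stores the LSA setting as the multi-string value `Notification Packages`, and the function name is hypothetical.

```powershell
# Added example: read-only check of the Server Core registry settings listed above.
$pwSyncKey        = 'HKLM:\SOFTWARE\GoodWorks\PWSync'
$lsaKey           = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expectedPackages = 'scecli', 'rassfm'   # values given in step 5

function Test-PwSyncCoreSettings {
    $pw  = Get-ItemProperty -Path $pwSyncKey -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue

    # ServiceIP must be a valid IPv4 address (the full-install DC acting as proxy)
    $ip   = $null
    $ipOk = $pw.ServiceIP -and
            [System.Net.IPAddress]::TryParse($pw.ServiceIP, [ref]$ip) -and
            $ip.AddressFamily -eq 'InterNetwork'

    # Multi-string value; drop empty entries before comparing
    $packages = @($lsa.'Notification Packages' | Where-Object { $_ })
    # Every entry names a DLL that LSA loads and notifies of password changes,
    # so anything beyond the expected list deserves a closer look
    $extra   = @($packages | Where-Object { $expectedPackages -notcontains $_ })
    $missing = @($expectedPackages | Where-Object { $packages -notcontains $_ })

    [pscustomobject]@{ Setting = 'ServiceIP'; Found = $pw.ServiceIP; Ok = [bool]$ipOk }
    # The page does not state the value type of Mode, so compare as text
    [pscustomobject]@{ Setting = 'Mode'; Found = $pw.Mode; Ok = ("$($pw.Mode)" -eq '1') }
    [pscustomobject]@{
        Setting = 'Notification Packages'
        Found   = $packages -join ', '
        Ok      = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }

    foreach ($name in $extra) {
        Write-Warning "Unexpected LSA notification package: $name"
    }
}

Test-PwSyncCoreSettings
```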

 
