Compare Password Synchronization Manager Scenarios
- Updated on 01 Oct 2024
- 3 minutes to read
Scenario A: Asynchronous mode
Figure: Password Synchronization Manager – asynchronous mode (overview)
Asynchronous password synchronization via OneSpan Authentication Server
1. The client initiates and sends a password change request to the domain controller.
2. The LSA (Local Security Authority) on the domain controller triggers the password filter to verify whether the password change request is acceptable.
3. The password filter immediately accepts the password change request.
4. The LSA on the domain controller sets the new password.
5. The LSA on the domain controller notifies the password filter that the password has been changed.
6. The password filter queues the password change request. The password change queue is processed asynchronously:
   a. The password filter attempts to establish a connection to OneSpan Authentication Server, unless an idle connection from a previous communication is still active.
   b. When a connection has been established, the password filter sends the next password change request to the OneSpan Authentication Server instance.
   c. OneSpan Authentication Server verifies the password change request and writes the new password to the underlying database.
   d. OneSpan Authentication Server returns the result of the password change request to the password filter.
   e. If the password change queue is not empty, the password filter proceeds with the next password change request.
7. The password filter returns a success message to the domain controller.
8. The LSA on the domain controller returns a success message to the client.
Additional considerations
- Password change requests remain in the password change queue until they are processed by the OneSpan Authentication Server instance.
- If the queue is full, new password change requests are ignored and are not synchronized with the OneSpan Authentication Server database. A corresponding message is written to the Windows event log.
- If Password Synchronization Manager is disabled or restarted, the password change queue is flushed and all pending password change requests fail.
- You can set the size of the password change queue with the Number of password changes delayed option in PSM Remote Configuration Manager.
- You can set how long an idle connection to a OneSpan Authentication Server instance is kept (step 6(a)) with the Connection idle timeout option in PSM Remote Configuration Manager.
- If no connection to the OneSpan Authentication Server instance can be established, the password change request is delayed. A corresponding message is written to the Windows event log.
- You can set the time span after which the password filter retries establishing a connection to a OneSpan Authentication Server instance (step 6(a)) with the Connection retry timeout option in PSM Remote Configuration Manager.
Scenario B: Synchronous mode
Figure: Password Synchronization Manager – synchronous mode (overview)
Synchronous password synchronization via OneSpan Authentication Server
1. The client initiates and sends a password change request to the domain controller.
2. The LSA on the domain controller triggers the password filter to verify whether the password change request is acceptable.
3. The password filter attempts to establish a connection to OneSpan Authentication Server, unless an idle connection from a previous communication is still active.
4. The LSA on the domain controller is blocked and waits for the password filter to return a result.
5. When a connection has been established, the password filter accepts the password change request.
6. The LSA on the domain controller sets the new password.
7. The LSA on the domain controller notifies the password filter that the password has been changed.
8. The password filter sends the password change request to the OneSpan Authentication Server instance.
9. OneSpan Authentication Server verifies the password change request and writes the new password to the underlying database.
10. OneSpan Authentication Server returns the result of the password change request to the password filter.
11. The password filter returns a success message.
12. The LSA on the domain controller returns a success message to the client.
Additional considerations
- You can set how long an idle connection to a OneSpan Authentication Server instance is kept (step 3) with the Connection idle timeout option in PSM Remote Configuration Manager.
- You can set the maximum time allowed for establishing a connection to a OneSpan Authentication Server instance (step 3) with the Connection timeout option in PSM Remote Configuration Manager.
- You can allow password changes even if no connection to a OneSpan Authentication Server instance can be established (step 3). To do so, set the Allow password changes when connection attempt fails option in PSM Remote Configuration Manager as needed. If you select this option and a user changes the password, the new password is not synchronized with the password stored by OneSpan Authentication Server. If you clear this option, password changes are denied with an error message.
- The actual password synchronization takes place between step 6 and step 10. You can set the maximum time allowed for this operation with the Password change timeout option in PSM Remote Configuration Manager.
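The following model, added here as an illustration rather than OneSpan's own code, makes the difference between the two scenarios concrete: in asynchronous mode a full queue or a restart leaves Active Directory holding a password that OneSpan Authentication Server never receives, and in synchronous mode the same divergence occurs only when "Allow password changes when connection attempt fails" is selected. The option names are the page's; the class, method and outcome names are assumptions.

```python
# Added model of both PSM modes; not OneSpan's code. The option names come
# from the page; the class, method and outcome names are assumptions.
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List

@dataclass
class AsyncPasswordFilter:
    """Scenario A: accept immediately, sync to OAS from a bounded queue."""
    max_delayed: int                                  # "Number of password changes delayed"
    queue: Deque[str] = field(default_factory=deque)
    synced: List[str] = field(default_factory=list)   # reached the OAS database
    unsynced: List[str] = field(default_factory=list) # AD changed, OAS never told
    event_log: List[str] = field(default_factory=list)

    def on_password_changed(self, user: str) -> str:
        """Steps 3-5: AD already holds the new password; queue it for OAS."""
        if len(self.queue) >= self.max_delayed:
            self.unsynced.append(user)                # queue full: ignored, only logged
            self.event_log.append(f"queue full: change for {user} not synchronized")
            return "ignored"
        self.queue.append(user)
        return "queued"

    def process_queue(self, connect: Callable[[], bool]) -> str:
        """Step 6: drain the queue over one OAS connection, or delay it."""
        if not connect():
            self.event_log.append("no OAS connection: password changes delayed")
            return "delayed"                          # retried after Connection retry timeout
        while self.queue:                             # steps 6(b)-6(e)
            self.synced.append(self.queue.popleft())
        return "synced"

    def restart(self) -> List[str]:
        """PSM disabled or restarted: the queue is flushed, pending changes fail."""
        failed = list(self.queue)
        self.queue.clear()
        self.unsynced.extend(failed)
        self.event_log.append(f"restart: {len(failed)} pending changes failed")
        return failed

def sync_mode_outcome(connect: Callable[[], bool],
                      allow_when_connection_fails: bool) -> str:
    """Scenario B, steps 3-5: the LSA blocks until the filter answers."""
    if connect():
        return "accepted-synchronized"    # steps 5-11 run against OAS
    if allow_when_connection_fails:
        return "accepted-unsynchronized"  # AD changes, OAS keeps the old password
    return "denied"                       # change rejected with an error message
```

The `unsynced` list is the set of accounts a defender would have to reconcile after a queue overflow or a PSM restart, which is why the event log entries those paths write are worth monitoring.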