Using Centrify password synchronization

You can install the Centrify Password Synchronization program using the Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service setup program. Alternatively, you can install Centrify Password Synchronization independently of the Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service using its own setup program. If you install the Centrify Password Synchronization program using the setup program, you can skip this section.

To install the Centrify Password Synchronization program:

  1. Copy the CentrifyDC_PasswordSync-n.n.n-win64 package to your Active Directory domain controller.
  2. Open the CentrifyDC_PasswordSync-n.n.n-win64 executable or Microsoft software installation (.msi) file to start the setup program.

    Note that you can run the setup program interactively or silently if you use the Microsoft software installation (.msi) file. If you are installing silently using the msiexec program, you can skip the steps in this section.

  3. At the Welcome page, click Next.
  4. Review the terms of the license agreement. If you accept the license agreement, select I accept the terms of the license agreement, then click Next.
  5. Type your name and company, select who should be able to use this application on the computer, then click Next.
  6. Select a restart option, then click Finish.

Once installed, the Centrify Password Synchronization program generates the initial password hash when users next change their password, then updates the password hash at each password change thereafter. The password hashes are created using DES encryption with a two-character salt. If the password hash is stored in the altSecurityIdentities attribute, it has a prefix of cdcPasswordHash, for example:

cdcPasswordHash:VkievQ69VhYKc

If the password hash is stored in one of the other supported attributes, it is stored without a prefix.

When a user changes his Active Directory password, the Centrify Password Synchronization program discovers the zones to which that user has access and updates the appropriate attribute that holds the password hash for that user in each zone.

Note: The initial password hash is only generated when the user changes his password. You may want to force users to change their password at the next logon to get the password set at the earliest opportunity. Client authentication requests may fail for users who do not have a password hash available. If the password hash field in the passwd.byname or passwd.byuid map displays a single exclamation point (!), it indicates that the user’s password hash has not been set.
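The following check is an added example, not part of the Centrify documentation or product. It parses the stored hash format described above and reports which passwd map entries still show the "!" placeholder. It assumes map entries use the standard seven-field passwd layout and that a DES crypt hash is 13 characters (two-character salt plus 11 characters); the function names, the "other" attribute label, and the sample entries are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2-character salt + 11 characters,
# all drawn from the alphabet ./0-9A-Za-z (13 characters in total).
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
PREFIX = "cdcPasswordHash:"


def parse_attribute_value(value, attribute="altSecurityIdentities"):
    """Return (salt, hash) for a stored attribute value, or None if it is not a hash."""
    if attribute == "altSecurityIdentities":
        # This attribute is multi-valued; only prefixed values are password hashes.
        if not value.startswith(PREFIX):
            return None
        value = value[len(PREFIX):]
    if not DES_CRYPT.fullmatch(value):
        return None
    return value[:2], value


def audit_passwd_map(lines):
    """Classify each passwd map entry as 'set', 'unset' ('!') or 'malformed'."""
    report = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:  # not a passwd-format entry, skip it
            continue
        name, pw = fields[0], fields[1]
        if pw == "!":
            report[name] = "unset"      # user has not changed password since install
        elif DES_CRYPT.fullmatch(pw):
            report[name] = "set"
        else:
            report[name] = "malformed"  # neither the placeholder nor a DES crypt hash
    return report


# Constructed sample entries in passwd map layout (not real accounts).
SAMPLE_MAP = [
    "alice:VkievQ69VhYKc:10001:10001:Alice Example:/home/alice:/bin/bash",
    "bob:!:10002:10002:Bob Example:/home/bob:/bin/bash",
    "carol:x:10003:10003:Carol Example:/home/carol:/bin/bash",
]

if __name__ == "__main__":
    for user, state in audit_passwd_map(SAMPLE_MAP).items():
        print(f"{user}: {state}")
```

Users reported as unset are the ones whose client authentication requests may fail until their next password change.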