Event ID 8202 — Windows to UNIX Password Synchronization Service -- Run-time Issues

Applies To: Windows Server 2008 R2

Windows to UNIX Password Synchronization Service -- Run-time Issues covers the events that report the state of Windows to UNIX password synchronization operations.

When Password Synchronization is configured for Windows-to-UNIX synchronization, and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user's password is to be synchronized on UNIX computers. When the Password Synchronization service is operating normally, it encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized. The daemon then decrypts the password and changes the password on the UNIX host.

Event Details

Product: Windows Identity Management for UNIX
ID: 8202
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_ERROR_GENERIC_ON_REMOTE
Message: Generic error for user on the specified host. %ruser = %1 %rhost = %2

Resolve

Check and correct UNIX-based Password Synchronization configuration

A generic error occurred for the user (username) on the host named in the event. This error typically originates in the UNIX environment. Make sure that the user account exists on the UNIX-based computer, and that Password Synchronization has been configured in accordance with the guidelines in Best Practices for Password Synchronization in the Password Synchronization Help.

If, after checking the UNIX environment, you find that the UNIX-based user account does exist, check the Password Synchronization configuration against the guidelines in Best Practices for Password Synchronization in the Password Synchronization Help, especially the following sections, which describe how UNIX-based users are identified to the Windows-based computer running Password Synchronization.

Best Practices for Password Synchronization

  • Explicitly list the users whose passwords are to be synchronized. To provide maximum control over which users can synchronize passwords, do not use the ALL keyword with the SYNC_USERS list in sso.conf on the UNIX host. Instead, explicitly list each user for whom password synchronization is allowed or blocked. On the Windows-based computer running Password Synchronization, create the PasswordPropAllow group and add the accounts of users whose passwords you want to synchronize.
  • Do not synchronize passwords for disabled UNIX accounts. On some versions of UNIX, changing the password of a disabled user account activates that account. Consequently, if a user has a disabled account on a UNIX computer that is configured to synchronize passwords with a Windows-based computer, the user or an administrator can activate the UNIX account by changing the user's Windows password. To prevent this, use the PasswordPropDeny group to block synchronization for disabled UNIX accounts. Also, when an administrator disables a UNIX account, the administrator should use the SYNC_USERS entry in sso.conf to block password synchronization for that account.
  • Avoid synchronizing administrator passwords. Do not synchronize passwords for members of the Windows Administrators group or the passwords of UNIX superuser or root accounts.

Add a computer for synchronization

To add a computer for synchronization:

  1. Open the Identity Management for UNIX management console by clicking Start, pointing to Administrative Tools, and then clicking Microsoft Identity Management for UNIX.

    You can also open the Identity Management for UNIX management console from within Server Manager, by expanding Roles and then Active Directory Domain Services in the hierarchy pane, and then selecting Microsoft Identity Management for UNIX.

  2. If necessary, connect to the computer you want to manage.

  3. In the hierarchy pane, under the Password Synchronization node, click UNIX Computers, and then do one of the following.

    • Right-click UNIX Computers, and then click Add Computer.
    • Click Add Computer in the Actions pane.
    • On the Action menu, click Add Computer.
  4. In the Computer name text box of the Add Computer dialog box, provide the name or IP address of a UNIX-based computer.

  5. In the Direction of password synchronization area, select the direction of password synchronization for this computer.

  6. If necessary, specify a different encryption key than the default key, or click Generate key to have Password Synchronization generate a new key for synchronization with this computer.

  7. If necessary, change the port number this computer monitors for password changes. The default is 6677. Click OK.

Verify

Retry Windows to UNIX password synchronization for failed user password changes to verify that it is operational. Password Synchronization is fully operational when the password synchronization succeeds, and operating under warning conditions if password synchronization fails for some passwords but succeeds for others.

If password synchronization succeeds for some passwords but fails for others, the Windows to UNIX Password Synchronization Service is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts.
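As an added triage example (not part of the original page), the following Python parses constructed 8202 messages in the format shown above and groups the failures by host and by user, so that a host-wide configuration problem can be told apart from an account-specific one. The hostnames and usernames are made up, and it assumes the rendered message keeps the literal "%ruser =" and "%rhost =" labels.

```python
import re
from collections import defaultdict

# Constructed sample messages in the shape the page gives for event 8202
# ("... %ruser = %1 %rhost = %2"); hostnames and usernames are made up.
SAMPLE_MESSAGES = [
    "Generic error for user on the specified host. %ruser = jdoe %rhost = unix01.example.com",
    "Generic error for user on the specified host. %ruser = asmith %rhost = unix01.example.com",
    "Generic error for user on the specified host. %ruser = jdoe %rhost = unix02.example.com",
    "Generic error for user on the specified host. %ruser = jdoe %rhost = unix03.example.com",
    "Some unrelated event text that must be ignored",
]

# Assumption: the rendered message keeps the literal "%ruser = " / "%rhost = " labels.
EVENT_8202_RE = re.compile(r"%ruser = (?P<user>\S+) %rhost = (?P<host>\S+)")


def parse_event_8202(message):
    """Return (user, host) from an 8202 message, or None if it does not match."""
    match = EVENT_8202_RE.search(message)
    if match is None:
        return None
    return match.group("user"), match.group("host")


def classify_failures(messages, min_count=2):
    """Group 8202 failures by host and by user.

    Several distinct users failing on one host points at that host's
    configuration (sso.conf, key, port); one user failing on several hosts
    points at the account (missing on UNIX, or not listed for synchronization).
    """
    users_per_host = defaultdict(set)
    hosts_per_user = defaultdict(set)
    parsed = 0
    for message in messages:
        fields = parse_event_8202(message)
        if fields is None:
            continue  # not an 8202 message; skip rather than guess
        user, host = fields
        users_per_host[host].add(user)
        hosts_per_user[user].add(host)
        parsed += 1
    return {
        "suspect_hosts": sorted(h for h, u in users_per_host.items() if len(u) >= min_count),
        "suspect_users": sorted(u for u, h in hosts_per_user.items() if len(h) >= min_count),
        "parsed": parsed,
    }


if __name__ == "__main__":
    print(classify_failures(SAMPLE_MESSAGES))
```

A host listed under suspect_hosts is where to check sso.conf, the encryption key and the port first; a user listed under suspect_users is where to check the UNIX account and its SYNC_USERS / PasswordPropAllow / PasswordPropDeny membership.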
