Password must be synchronized error with Advanced Authentication

  • 7024496
  • 23-Mar-2020
  • 13-Jan-2021

Environment

Advanced Authentication 
AAF 6.x
AAF Client 6.x
Windows logon event

Situation

Message returned by Windows when authenticating through the Advanced Authentication Windows client:

Password must be synchronized

Resolution

Solution #1:

Install the Logon Filter and enable the Password Filter policy. Note that installing the Logon Filter also installs the Password Filter.

The Password Filter automatically updates the LDAP password stored in Advanced Authentication whenever the password is reset in AD. For the Password Filter to work correctly it must be installed on ALL domain controllers listed in the repository; a reset handled by a domain controller without the filter is never forwarded to Advanced Authentication.

Steps:
  1. Install the Logon Filter on all domain controllers listed in the repository. The Logon Filter is found in the "AdvancedAuthClients" download file, in the "Plugins" folder.
  2. In "Policies" on the AA admin page, verify that the "Password Filter for Active Directory" policy is enabled.
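As an added example (not part of the KB article or the vendor's tooling), the following PowerShell reports which domain controllers lack the filter MSI, since a single unprotected DC is enough to produce the prompt. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and that the installed product's display name contains the pattern in `$FilterDisplayNamePattern` (an assumption; adjust it to what Programs and Features shows on a known-good DC).

```powershell
# Added example, not from the KB article: find domain controllers that are
# missing the Advanced Authentication Logon/Password Filter installation.
# Assumptions: RSAT ActiveDirectory module, WinRM access to each DC, and that
# the MSI's display name contains the pattern below (verify on a good DC).
$FilterDisplayNamePattern = 'Logon Filter'   # assumed pattern, adjust locally

Import-Module ActiveDirectory

# "All domain controllers listed in the repository" normally means every DC
# of the domain the Advanced Authentication repository points at.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($pattern)
    # Installed MSI products are registered under the Uninstall keys; reading
    # them is cheaper and safer than Win32_Product, which can trigger MSI repairs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $match = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$pattern*" } |
        Select-Object -First 1

    # Windows loads password filter DLLs from LSA's Notification Packages list;
    # showing it lets the admin confirm a password filter is registered at all.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        DomainController     = $env:COMPUTERNAME
        FilterInstalled      = [bool]$match
        FilterVersion        = if ($match) { $match.DisplayVersion } else { $null }
        NotificationPackages = ($lsa.'Notification Packages' -join ',')
    }
} -ArgumentList $FilterDisplayNamePattern

$report | Sort-Object DomainController | Format-Table -AutoSize

# Any DC listed here can cause the "Password must be synchronized" prompt:
# a password reset processed there is never forwarded to Advanced Authentication.
$missing = $report | Where-Object { -not $_.FilterInstalled }
if ($missing) {
    Write-Warning ("Filter missing on: " + ($missing.DomainController -join ', '))
}
```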

For more information see the online documentation at 



Solution #2 (if solution 1 has been completed):

On rare occasions the LDAP password and the AD password may become out of sync for a single user, even with the Logon Filter in place. When this occurs the user will receive the above prompt to synchronize.

To synchronize, simply log in to the Advanced Authentication enrollment portal with the LDAP password. This causes Advanced Authentication to capture and store the correct LDAP password.


Additional Information

The Logon Filter msi found in the "AdvancedAuthClients" download file contains both the Logon Filter and the Password Filter. Both are installed on the domain controller when the Logon Filter msi is executed. The Logon and Password Filters are independent of each other but are bundled in a single msi file for convenience, so that only one installation is needed on a domain controller.

Note that these filters are separate components with different purposes:
  • The Password Filter is used to keep passwords in sync between Active Directory and Advanced Authentication.  
  • The Logon Filter, as stated in the Logon Filter Guide, can be used to "... to prevent users to log in without the Advanced Authentication Windows Client. You can also use it to delegate specific permissions when user uses a specific chain."
Neither policy depends on the other: the Password Filter works without the "Logon Filter for Active Directory" policy being configured, and the Logon Filter works without the "Password Filter for Active Directory" policy being configured.