
SECURPASS:SYNC®: Password Synchronisation


SECURPASS:SYNC® synchronises passwords across multiple platforms and applications to enhance security and save helpdesk costs. The same password is used for access to all platforms and all applications under best security policies, and password changes are propagated automatically. Users may also be quickly revoked, resumed and deleted from a single point, thus improving security.

The diagrams below illustrate the process of password synchronisation. We have given just a few of the many different scenarios. Please call to speak to one of our technical consultants, who will show how we can help in your specific circumstances.

1. Flow of Password Change – LDAP
2. NT Account Change Notification
3. Password Harmonisation
4. Microsoft Host Security Integration
5. Windows 2000 Environment

1. Flow of Password Change – LDAP

[Diagram: SecurPass LDAP]

(1) In the diagram, a password change is made on the mainframe. This change is communicated down to the Windows NT or Windows 2000 side. SecurPass:Sync, running on the Windows NT system, then makes that change to the Windows NT or Windows 2000 security system.
(2) If the user has been set up to have their changes sent to the LDAP servers, SecurPass:Sync will communicate these changes and they will be propagated to the appropriate servers.

2. NT Account Change Notification

[Diagram: SecurPass NT Account Change Notification]

(1) The SecurPass Account Change Notification Component consists of two separate pieces. The first is a .DLL that is loaded by the Windows NT operating system. Any time a user on a Windows NT network changes their password, the SecurPass Account Change Notification receives information about the password change and communicates it to the SecurPass:Sync Server. The second piece runs as a Windows NT service. This service is responsible for detecting account revokes and resumes and for passing these requests to the SecurPass:Sync Server. The SecurPass Account Change Notification service monitors the security event log for these types of changes and notifies the SecurPass:Sync Server when any are detected. In the above scenario, the SecurPass:Sync Server and the PDC, which has SecurPass Account Change Notification installed, are in the same domain. This does not have to be the case. The SecurPass:Sync Server could have been installed in a resource domain.
(2) When the SecurPass:Sync Server receives the request from the SecurPass Account Change Notification, it must determine if this user ID needs to be synchronized with any remote systems. This determination is made by checking the group in User Manager for Domains (Windows NT SAM); SecurPass:Sync will have created a group for each remote SecurPass:Sync machine with which the server will communicate. Therefore, any user who is a member of a group associated with a remote system will have his password synchronized with that remote system. Once the SecurPass:Sync Server determines that the account should be synchronized with a remote system, it establishes communications with the remote system and sends it the information necessary to perform the change on that system. This process is repeated for each remote system that needs to receive the change.

3. Password Harmonisation

[Diagram: SecurPass Password Harmonisation]

(1) Using SecurPass:Sync to perform password harmonization only adds a few more steps to the flow of a password change. In this scenario, the SecurPass:Sync Account Change Notification component will hold the password change request until SecurPass:Sync has communicated with the SecurPass:Sync Server to confirm that the password conforms to the rules defined on the mainframe.
(2) When the SecurPass:Sync Server receives the request from the SecurPass:Sync Account Change Notification component, it communicates the necessary information to the mainframe and waits for its response.
(3) The mainframe verifies that the new password conforms to the rules defined on the mainframe. If it is a valid password, a return code of zero is sent back to the SecurPass:Sync Server running on Windows NT.
(4) The SecurPass:Sync Server informs the Account Change Notification component that it can release the change and allow the password to be updated. If the password did not conform to the rules defined on the mainframe, the end-user receives a message stating that their new password was invalid and they should attempt another password change.
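
The hold, validate and release sequence above, combined with the group-based routing from section 2, modelled as an added example (not SecurPass code). The password rules, the non-zero return code 8, the group names and every function and class name are assumptions made for illustration; only "return code zero means valid" and "one group per remote system" come from the text.

```python
from dataclasses import dataclass

RC_VALID = 0     # per the page: return code zero means the password is valid
RC_REJECTED = 8  # constructed non-zero code, not a documented value

# Constructed sample: one group per remote system, members are synced users.
SAMPLE_GROUPS = {
    "OS390-PROD": {"alice", "bob"},
    "OS390-TEST": {"alice"},
}


def mainframe_check(password: str) -> int:
    """Stand-in for the mainframe rule check. The rules are assumed:
    6 to 8 characters, letters and digits only, at least one digit."""
    ok = (6 <= len(password) <= 8 and password.isalnum()
          and any(c.isdigit() for c in password))
    return RC_VALID if ok else RC_REJECTED


@dataclass
class Outcome:
    released: bool   # was the held change released on the Windows side?
    sent_to: list    # remote systems that were sent the change
    message: str     # what the end user is told


class SyncServer:
    def __init__(self, groups):
        self.groups = groups

    def targets_for(self, user):
        """Remote systems whose group lists this user as a member."""
        return sorted(s for s, members in self.groups.items() if user in members)

    def handle_change(self, user, new_password):
        """Hold the change, ask the mainframe, then release and fan out."""
        if mainframe_check(new_password) != RC_VALID:
            # Change is never released; nothing leaves for remote systems.
            return Outcome(False, [], "new password invalid, try another")
        # One send per remote system; the result carries names, never the password.
        return Outcome(True, self.targets_for(user), "password changed")
```

A rejected password produces no propagation at all, which is the property that keeps the Windows and mainframe credentials from drifting apart.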

4. Microsoft Host Security Integration

[Diagram: SecurPass Microsoft Host Security Integration]

(1) A user’s password is changed on the NT system.
(2) The SNA Windows NT Account Synchronization service, which is running on the PDC of the Master domain, detects a password change request. It notifies the SNA Windows NT Account Synchronization service that is running on the PDC of the resource domain where the change took place. This service communicates with the SNA Host Account Cache, which also resides on the PDC of the resource domain, to determine if the account on the Windows NT side is mapped (account names on disparate systems are different from one another) or replicated (account names on disparate systems are the same as one another) with the account on the remote system.
(3) The SNA Windows NT Account Synchronization service communicates to the SNA Host Account Synchronization service to continue the password propagation.
(4) The SNA Host Account Synchronization service calls the SecurPass:Sync Server. This server establishes a session with SecurPass on the remote system and communicates the password change. Communications between SecurPass:Sync for Windows and SecurPass:Sync for OS/390 can take place via SNA or TCP/IP. When SecurPass:Sync for OS/390 receives this notification, it changes the password for the appropriate mainframe account.

5. Windows 2000 Environment

[Diagram: SecurPass Windows 2000 Environment]

(1) In a Windows 2000 environment there is no sure way to determine which machine will process a password change request. Therefore we require the SecurPass Account Change Notification component to be installed on all Domain Controllers. When a password is changed, the domain controller that receives the change will call the SecurPass Account Change Notification component and pass it the relevant information.
(2) At this point the SecurPass Account Change Notification component will encrypt the information and send it off to the SecurPass:Sync Server. When the SecurPass:Sync Server receives the request from the SecurPass Account Change Notification component, it must determine if this user ID needs to be synchronized with any remote systems. This determination is made by checking the local group that was created by SecurPass:Sync when the software was configured to communicate with other remote systems. Therefore, any user who is a member of a group associated with a remote system will have his password synchronized with that remote system.
(3) Once the SecurPass:Sync Server determines that the account should be synchronized with a remote system, it establishes communications with the remote system and sends it the information necessary to effect the change on that system. This process is repeated for each remote system that needs to receive the change.
