Reversed Password Synchronization

Catch native password changes and automatically commence password synchronization.

When users modify passwords locally on a system where a password synchronization trigger has been installed, new passwords are tested for robustness against the Xpress Password policy. If accepted, the password is modified both on the enterprise directory and on the other systems where the user has accounts.

An end-user can utilize the native password change process, such as the “Ctrl+Alt+Del” option in Windows systems, to modify their AD password. Xpress Password prompts the password synchronization process once it notices such a “change password” event in Active Directory.

Using a recognizable and compulsory password change process assures 100% user adoption.

Process

Reversed password synchronization, prompted by a native password modification on a monitored system, works as follows:

The user: chooses to change his password(s) or has been prompted to do so during the login process (password has expired).
The user: enters his login ID, current password and desired password.
The login server: verifies password quality internally, then updates the user’s password field internally and calls the Xpress Password interceptor (Reverse Password Sync Agent – RPSA) to notify it of the successful modification.
The Xpress Password interceptor: contacts the Xpress Password server, establishes an encrypted connection and transmits a request for password synchronization.
Xpress Password: queues up the new password for synchronization.
Xpress Password: resolves the singular queued event to a list of passwords that must be set for this user (one per login account).
Xpress Password: administratively sets the user’s passwords on each system to the new password.
Xpress Password: in the event of failure, re-queues and tries again. It may send the user one or more e-mails to communicate the issue and/or may generate a ticket on an incident management system to notify someone of an integration problem.

Technical Details

  • Reversed password synchronization can be prompted from native password changes on Windows 2003/2008/2012 servers and Active Directory domains (password filter DLL on servers and/or DCs).
  • Each of these prompts contacts the Xpress Password server during the password modification, over an encrypted TCP/IP socket (shared key handshake, 256-bit AES encryption):
      • RPSA-XPd connection: validate password quality and commence reversed password synchronization
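
A password filter DLL on a server or DC is loaded by LSA and receives every new password in clear text, so the list of registered filters is worth auditing on each host where the interceptor is installed. The script below is an added example, not vendor code: it lists the LSA notification packages, flags any not on an allowlist, and reports each DLL's signature. The `$Expected` allowlist and the `<vendor-filter>` placeholder are assumptions, since the page does not name the filter DLL.

```powershell
# Added example: audit the LSA password filters (notification packages) on this host.
# Assumptions: $Expected is the allowlist for your environment. 'scecli' is the
# Windows default package; '<vendor-filter>' is a placeholder for the password
# synchronization filter's name, which the page does not give.
param(
    [string[]]$Expected = @('scecli', '<vendor-filter>')
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 'Notification Packages' is a REG_MULTI_SZ value: one package name per entry.
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages') |
    Where-Object { $_ }

foreach ($name in $packages) {
    # LSA loads each package as <name>.dll from the system directory.
    $path = Join-Path $env:SystemRoot "System32\$name.dll"
    $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        Package   = $name
        Expected  = $Expected -contains $name   # False = not on the allowlist, investigate
        Path      = $path
        Present   = [bool]$sig                  # False = registered but DLL missing
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
```

Run it from an elevated 64-bit PowerShell session on each monitored server or DC and compare the output across hosts; an entry with `Expected` set to `False`, or an unsigned DLL, should be explained before it is trusted.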