Password synchronization process flow
Here are the steps that are taken to push a Windows user's new password in Active Directory to the HTTP password field in a Person document and to the Notes ID in the ID vault.
This is a one-way process from Active Directory to Domino. Password changes made in Domino cannot be pushed to Active Directory.
Steps taken on the Active Directory domain controller
- The Local Security Authority (LSA) process running on the domain controller receives a Windows password change request and processes it in Active Directory.
- The LSA passes the user name and new password to the Domino password library running on the domain controller.
- The Domino password library finds the objectGUID value for the user in Active Directory and uses directory assistance to look up the objectGUID value in the Domino directory. If the value isn't found, processing stops.
- If the objectGUID value is found in the Domino directory, the Domino password library creates a document in its local Password Change Request database. The document contains the objectGUID value and the password, securely stored.
- The Domino password library periodically checks for new requests in the Password Change Request database. When it finds requests, it searches its stored list of Request Processor servers and sequentially attempts to open the password request storage database on each until it is able to open one.
- The Domino password library copies each request found in its storage database to the one on the Request Processor server. It then deletes the document from its local database. If unable to open the database on any Request Processor server, the new document remains in the local Password Change Request database and the password library continues to try to transfer any requests. If it us unable to copy the request within the time specified in the Request expiration time field in the Configuration Settings document it uses, it deletes the request document.
Steps taken by Domino Request Processor
- Request Processor servers in the Domino domain periodically check for unprocessed requests in their Password Change Request database. When a server finds a password change request, it uses the objectGUID value in the request to look up the user in the Domino directory. If the lookup fails, the request document is deleted.
- If the Request Processor server is configured to sync HTTP passwords, it changes the HTTP password in the user's Person document in the Domino directory on the administration server. If the administration server is unavailable, the server periodically retries submitting the request. If it us unable to submit the request within the time specified in the Request expiration time field in the Configuration Settings document it uses, it deletes the request document. If an HTTP password change fails, the Notes ID password is not changed in the following step.
- If the Request Processor server is configured to sync Notes ID passwords in the ID vault, it resets the Notes ID password in the ID vault. If the Notes ID password change fails, any HTTP password change is rolled back.