Password Synchronization Performance.


Article ID: 53148


Updated On:

Products

DIRECTORY; CA Identity Manager; CA Identity Governance; CA Identity Portal; CA Risk Analytics; CA Secure Cloud SaaS - Arcot A-OK (WebFort); CLOUDMINDER ADVANCED AUTHENTICATION; CA Secure Cloud SaaS - Advanced Authentication; CA Secure Cloud SaaS - Identity Management; CA Secure Cloud SaaS - Single Sign On; SINGLE SIGN ON - LEGACY; CA Data Protection (DataMinder); CA User Activity Reporting

Issue/Introduction

Description

You may encounter a slow password reset or a password reset failure if multiple passwords are being reset in fast succession. This is because, by default, the Provisioning Server sets a ten-minute wait value between password synchronizations.

Example:

  • Help desk personnel reset a user's password within Identity Manager.
  • The "Password Must Change" checkbox is checked.
  • The user logs into Active Directory via his workstation with a new temporary password and also gets the message to change his password.
  • The user enters a new password but the change fails.
  • The password synchronization log records an error message: Password check for Active Directory Account 'test, user' on 'AD-Test' failed: Another password change is in progress.
  • The user waits ten minutes and repeats the steps, this time successfully.

Solution

The default ten-minute wait value can be adjusted through the Provisioning Manager.

In the Provisioning Manager, select Domains, Configuration/Password Synchronization/Agent Response Threshold.
There you will see the value of 600 seconds (10 minutes) defined.
Edit this value down to 300 seconds and re-test.

Note:
The password synchronization speed also depends on your network and hardware performance.
There is a risk of password changes stepping on each other if this value is set too low, especially when multiple endpoints are involved. If your network and hardware are fast, lowering this value should not pose too much of a problem. However, you would need to test and monitor this to ensure that the modification is not causing any residual issues.
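
One way to do the monitoring the note asks for, as an added example that is not part of the original article or the product: the script below scans password synchronization log lines for the error quoted above and counts, per endpoint and account, how many errors occurred and how many followed a previous error within the configured threshold. The leading timestamp layout, the `ERROR`/`INFO` level words and the sample lines are assumptions constructed for illustration; adjust the pattern to your actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message text as quoted in the article; the leading timestamp layout is an assumption.
ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+.*?"
    r"Password check for (?P<type>.+?) Account '(?P<account>[^']*)' "
    r"on '(?P<endpoint>[^']*)' failed: Another password change is in progress"
)

def summarize_collisions(lines, threshold_seconds=600):
    """Group 'change in progress' errors by (endpoint, account).

    For each group return the error count and how many errors came within
    threshold_seconds of the previous one (retries made inside the wait window).
    """
    hits = defaultdict(list)
    for line in lines:
        m = ERROR_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            hits[(m["endpoint"], m["account"])].append(ts)
    summary = {}
    for key, stamps in hits.items():
        stamps.sort()
        inside = sum(
            1 for prev, cur in zip(stamps, stamps[1:])
            if (cur - prev).total_seconds() < threshold_seconds
        )
        summary[key] = {"errors": len(stamps), "retries_inside_window": inside}
    return summary

# Constructed sample log lines (not real output from the product).
SAMPLE_LOG = [
    "2024-01-15 09:00:05 ERROR Password check for Active Directory Account 'test, user' on 'AD-Test' failed: Another password change is in progress.",
    "2024-01-15 09:04:10 ERROR Password check for Active Directory Account 'test, user' on 'AD-Test' failed: Another password change is in progress.",
    "2024-01-15 09:06:30 INFO Unrelated line",
    "2024-01-15 09:20:00 ERROR Password check for Active Directory Account 'other, user' on 'AD-Test' failed: Another password change is in progress.",
]

if __name__ == "__main__":
    for (endpoint, account), stats in summarize_collisions(SAMPLE_LOG, 300).items():
        print(endpoint, account, stats)
```

Run it over the log from before and after the change with the matching threshold (600, then 300) to compare how often the error recurs for the same account.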

Environment

Release:
Component: IDMGR