The vast majority of Password Synchronization issues can be resolved by following the steps in this article. If the steps below do not resolve your issue, please enable Debug Logging per the instructions at the end of this article and attach the log file to the support ticket.
Reboot the Domain Controllers
The first place to begin troubleshooting password synchronization issues is the Domain Controller(s) the Password Sync Client is installed on. If you change a password on that domain controller and nothing is written to the Password Client log file, then:
1. Make sure the Password Client Service is running. It is listed in services.msc as MessageOps Password Client Service.
2. Make sure the domain controller was rebooted after installing the Password Client. This is a requirement for the Password Client, as the DLL used to capture the password can only be loaded at system startup.
Ensure the Office 365 PowerShell Module is Installed and Working
One of the most frequent problems is that the Office 365 PowerShell Module is not installed, or that it cannot connect to Office 365, on the server that is running the Password Server Service.
You can download the module here:
Install the Office 365 cmdlets
To test that the module is installed, open a PowerShell window on the Password Server and run:
If you don’t get an error, then it’s installed properly. Next run:
Type in your credentials when prompted. If you get connected, you can run the following command to confirm that the connection works:
get-msoluser -MaxResults 10
If you are unable to get connected, then it’s typically a problem with a firewall/proxy.
If you get an authentication error, one thing to try is uninstalling and reinstalling the Sign in Assistant, as we have seen that clear up authentication issues with the module.
Ensure the Matching Attribute in AD matches the Identity in Office 365
If you are receiving errors about the user not being found in Office 365, ensure the matching attribute in Active Directory matches the Identity in Office 365. When configuring the Password Client on the Domain Controllers, in the LDAP Server area you can specify the matching attribute as either mail or userPrincipalName. Whichever value is chosen should be populated in the local Active Directory and match the identity in Office 365.
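A pre-flight script covering the two checks above (module connectivity and the matching attribute), as an added example that is not MessageOps code. It assumes the module is MSOnline (which provides Get-MsolUser), that the ActiveDirectory module is installed, that the Office 365 identity is the user's UserPrincipalName, and a hypothetical test account name.

```powershell
# Added example: pre-flight check, run on the Password Server host.
# Assumptions (not from the article): module name MSOnline, ActiveDirectory
# module available, Office 365 identity = UserPrincipalName.
param(
    [string]$SamAccountName = 'test.user',          # constructed sample account
    [ValidateSet('mail', 'userPrincipalName')]
    [string]$MatchAttribute = 'userPrincipalName'   # same value as the Password Client's LDAP setting
)

# 1. Is the Office 365 module installed on this server?
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    throw 'MSOnline module not found: install the Office 365 cmdlets first.'
}
Import-Module MSOnline -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# 2. Can it connect and query? A failure here points at a firewall/proxy
#    or at the Sign-in Assistant, as described above.
try {
    Connect-MsolService -Credential (Get-Credential) -ErrorAction Stop
    Get-MsolUser -MaxResults 10 -ErrorAction Stop | Out-Null
} catch {
    throw "Cannot query Office 365: $($_.Exception.Message)"
}

# 3. Is the matching attribute populated in AD, and does it resolve
#    to an Office 365 user?
$adUser = Get-ADUser -Identity $SamAccountName -Properties mail, userPrincipalName
$value  = $adUser.$MatchAttribute
if ([string]::IsNullOrEmpty($value)) {
    Write-Warning "$SamAccountName has no '$MatchAttribute' value in Active Directory."
    return
}
$cloudUser = Get-MsolUser -UserPrincipalName $value -ErrorAction SilentlyContinue
if ($cloudUser) {
    "MATCH: AD $MatchAttribute '$value' -> Office 365 user $($cloudUser.UserPrincipalName)"
} else {
    Write-Warning "NO MATCH: no Office 365 user has the identity '$value'."
}
```

A "NO MATCH" or empty-attribute warning for an account corresponds to the "user not found" errors this section describes.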
Encountered blank auth result, restarting core
If you downloaded Password Synchronization prior to 12/18/2012 and have installed the Windows Management Framework 3.0 (KB2506143), which includes PowerShell 3.0, you will need to download and re-install the Password Server Service. You do not need to re-install or reconfigure the Password Clients. Before uninstalling the Password Server, you will need to record the settings on the Configuration Tab, Alerts Tab, and the License Key on the About tab and re-enter the information after the re-installation.
Click here to download the latest version of the Password Server
An alternative is to not install the Windows Management Framework 3.0, or to uninstall it and reboot, which will revert the PowerShell version back to 2.0, allowing the Password Server to resume functioning.
Enable Debug Logging
If you are having problems with the Password Sync which are not addressed in the documentation or support pages, it may be necessary to enable Debug Logging on the Password Server Service. Follow the steps below to enable Debug Logging.
1. On the server that is running the Password Server Service, browse to the C:\Program Files (x86)\MessageOps\PasswordServerService directory.
2. Create a file called Debug.Debug2
- This file just has to exist to enable debug logging.
- Make sure it does not have a .txt or any other extension on it.
3. Stop and Start the Password Server Service.
4. Reset a test user’s password in Active Directory Users and Computers. Do this even if you are unable to verify the credentials in the Password Server Admin. Note, for this to work the Password Client Service must be installed on the Domain Controller you are resetting the password on and the Domain Controller must have been rebooted after the installation.
5. Detailed information should now be written to the Daily Log file YYYY-MM-DD_service.log.
6. Provide this log information (not the Debug.Debug2 file) to MessageOps Support.
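Steps 1 to 5 as a script, added here as an example and not supplied by MessageOps. It assumes the daily log is written to the install directory (the article does not say where), so adjust the hypothetical `$logDir` variable if your installation logs elsewhere.

```powershell
# Added example, not MessageOps code. Run elevated on the Password Server.
# Assumption: the daily log lives in the install directory ($logDir).
$installDir  = 'C:\Program Files (x86)\MessageOps\PasswordServerService'
$logDir      = $installDir
$displayName = 'MessageOps Password Server Service'   # name shown in services.msc
$marker      = Join-Path $installDir 'Debug.Debug2'

# Step 2: the marker only has to exist; create it empty if missing.
if (-not (Test-Path -LiteralPath $marker)) {
    New-Item -Path $marker -ItemType File | Out-Null
}

# A copy saved from an editor can end up as Debug.Debug2.txt; flag it.
Get-ChildItem -LiteralPath $installDir |
    Where-Object { $_.Name -like 'Debug.Debug2.*' } |
    ForEach-Object { Write-Warning "Rename or delete '$($_.Name)': no extension may follow .Debug2" }

# Step 3: stop and start the service so it picks up the marker.
$svc = Get-Service -DisplayName $displayName -ErrorAction Stop
Restart-Service -InputObject $svc -ErrorAction Stop

# Step 4 is manual and must happen on a DC with the Password Client installed.
Read-Host 'Reset a test user password in Active Directory Users and Computers, then press Enter' | Out-Null

# Step 5: show the end of today's log (YYYY-MM-DD_service.log).
$log = Join-Path $logDir ('{0:yyyy-MM-dd}_service.log' -f (Get-Date))
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log | Select-Object -Last 40
} else {
    Write-Warning "No log at $log; check the service is running and the Password Client captured the change."
}
```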
BADCREDENTIALS in Debug Log
In rare cases after enabling debug logging, you might see the error BADCREDENTIALS even though you are sure you have entered the credentials for the Global Admin account correctly and you have verified you can manually connect to PowerShell. If so, try these steps to see if they resolve the issue.
1. Run the Password Server Admin as Administrator (right-click MessageOpsPasswordServerAdmin.exe and choose Run as Administrator), re-enter the admin username and password, hit save config, and stop and start the service. Then try to reset a password and see if it goes through.
2. If that doesn't work, go into services.msc and set the MessageOps Password Server Service to run as the user account you are logged into the local system with when you manually run the command to connect to PowerShell.