Choose your Google authentication method

Before you install Password Sync version 1.6 or later, you need to choose an authentication method. You can use a service account in the Google Cloud Console or 3-legged OAuth.

We recommend using a service account for authentication. If you’re installing Password Sync from the command line, you must use a service account.

You can also use 3-legged OAuth for authentication, but only on Microsoft Windows Server with Desktop Experience. If you have more than 5 domain controllers, we recommend using a service account, because the manual setup of 3-legged OAuth on each domain controller can be time-consuming.

Note: 3-legged OAuth is not available on Windows Server Core.

Use a service account to authenticate

A service account belongs to an application rather than a user. The application sends a request to Google APIs on behalf of the service account, so users aren't directly involved in the authentication process.

Advantages of a service account

  • Multiple domain administrators can manage and monitor a service account. Therefore, even if an administrator changes, Password Sync is unaffected.
  • Service accounts aren't subject to the refresh token limit that affects 3-legged OAuth.
  • Service account credentials are downloaded as a JSON file and can be used on many domain controllers. You don't need to repeat the authorization process for each domain controller.
  • Service accounts don't require a web browser to authenticate. You can configure Password Sync when using Windows Server Core.
  • You can install and configure Password Sync using the command line.

Disadvantages of a service account

  • You must create a project in Google Cloud Console, which makes the setup more complex.
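Because a single downloaded service-account key file is copied to many domain controllers, an administrator will want to sanity-check the file once before distributing it and record which account and key it contains for later rotation. The following Python script is an added example, not code from the Password Sync product or from Google; the field names are those of a real service-account key file, but the sample file embedded in it is constructed, with placeholder project, email, key id and key material.

```python
import json

# Fields present in a Google service-account key file (real field names).
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# Constructed sample of a key file: structure only, no real project or key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project-placeholder",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",  # placeholder
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   "PLACEHOLDER-NOT-A-REAL-KEY\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "password-sync@example-project-placeholder.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",  # placeholder
    "token_uri": "https://oauth2.googleapis.com/token",
})


def inspect_key_file(text):
    """Parse a service-account key file and return (summary, problems).

    summary:  identity details worth recording for rotation and monitoring
              (which account, which key id, which project).
    problems: human-readable reasons the file should not be copied to
              domain controllers as-is. Empty list means it looks sound.
    """
    problems = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc}"]

    # Every field Password Sync-style clients need must be present and non-empty.
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing field: {field}")

    # A user credential file (3-legged OAuth style) is not a service account.
    if data.get("type") != "service_account":
        problems.append(
            f"type is {data.get('type')!r}, expected 'service_account'")

    email = data.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")

    # The key is stored as PEM text; anything else is a corrupted download.
    key = data.get("private_key", "")
    if key and not (key.startswith("-----BEGIN PRIVATE KEY-----")
                    and key.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded private key")

    summary = {
        "client_email": email,
        "private_key_id": data.get("private_key_id", ""),
        "project_id": data.get("project_id", ""),
    }
    return summary, problems


if __name__ == "__main__":
    summary, problems = inspect_key_file(SAMPLE_KEY_FILE)
    print("identity:", summary)
    print("problems:", problems or "none")
```

Run it against the real downloaded file by reading the file into `text` instead of `SAMPLE_KEY_FILE`. The `private_key_id` in the summary is the value to note alongside the `client_email`, since it identifies which key to revoke in the Cloud Console when the file is rotated or a domain controller is decommissioned.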

Use 3-legged OAuth to authenticate

With 3-legged OAuth, the application sends a request to Google APIs on behalf of a user. Unlike a service account, 3-legged OAuth normally requires each user to grant the application permission to access their data. For Password Sync, the domain administrator performs this step on behalf of all users in the domain during setup. Consequently, for Password Sync to synchronize passwords for every user in a domain, the domain administrator must authorize Password Sync on each domain controller.

Note: This option is only available on Windows Server with Desktop Experience.

Advantages of 3-legged OAuth

Disadvantages of 3-legged OAuth

  • It is not available on Windows Server Core.
  • Domains with multiple domain controllers might exceed the token limit.
  • Domains with multiple domain controllers must authorize each domain controller separately. This can be time-consuming.
  • 3-legged OAuth is tied to a single administrator account. If the account is turned off or deleted, Password Sync won't work.
  • Unlike service accounts, usage can't be monitored via the Google Cloud Console.
  • You can't install and configure Password Sync using the command line with 3-legged OAuth.

Next steps

After you choose your authentication method, you're ready to set up Password Sync. Go to Set up Password Sync.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
