We recommend using a service account for authentication. You can use 3-legged OAuth for authentication, but only on Microsoft® Windows® Server with Desktop Experience, and if you’re using 1 or 2 domain controllers. If you’re installing GSPS from the command line, you must use a service account.
Note: 3-legged OAuth is not available on Windows Server Core.
Use a service account to authenticate
A service account belongs to an application rather than a user. The application sends a request to Google APIs on behalf of the service account, so users aren't directly involved in the authentication process.
Advantages of using a service account
- Multiple domain administrators can manage and monitor a service account. Therefore, even if an administrator changes, GSPS is unaffected.
- Service accounts aren't subject to the refresh token limit.
- Service account credentials are downloaded as a JSON file and can be used on many domain controllers. You don't need to repeat the authorization process for each domain controller.
- Service accounts don't require a web browser to authenticate. You can configure GSPS when using Windows Server Core.
Disadvantages of using a service account
- You must create a project in the GCP console, which makes the setup more complex.
Use 3-legged OAuth to authenticate
With 3-legged OAuth, the application sends a request to Google APIs on behalf of a user. However, unlike a service account, 3-legged OAuth normally requires each user to give the application permission to access their data. For GSPS, the domain administrator performs this step on behalf of all users in the domain during the configuration process. In turn, for GSPS to successfully synchronize user passwords for every user in a domain, the domain’s administrator must authorize GSPS on each domain controller.
Note: This option is only available on Windows Server with Desktop Experience.
Advantages of 3-legged OAuth
- Using 3-legged OAuth is simple and requires only one setup step.
Disadvantages of 3-legged OAuth
- It is not available on Windows Server Core.
- Domains with multiple domain controllers may exceed the refresh token limit.
- Domains with multiple domain controllers must authorize each domain controller separately. This can be time-consuming.
- 3-legged OAuth is tied to a single administrator account. If that account is disabled or deleted, GSPS won't work.
- Unlike service accounts, usage can't be monitored via the GCP console.
- You can't install and configure GSPS using the command line with 3-legged OAuth.
After you choose your authentication method, you're ready to set up GSPS. See Set up G Suite Password Sync.