You must maintain a valid password for the Hybrid Services > Calendar Services > Microsoft Exchange Configuration. This step is critical to maintaining service operation. The calendar connector uses the password of the impersonation account continuously for authentication in communications with Active Directory domain controllers and Exchange Client access servers.

Consider the following to reduce the risk of a service outage due to an invalid password:

  • The calendar connector does not raise an alert when the password expires. Be aware of the password policy for any impersonation accounts, especially the password expiration period. Ensure that the password for the impersonation account is changed well before when the password expires.

  • When performing any change of the password for the impersonation account (due to its upcoming expiration or another reason), you must coordinate the manual update of the Microsoft Exchange Configuration for the Calendar Service to coincide with the change of the password in Active Directory. The Calendar Service may not be able to perform operations in the following cases:

    • If the Microsoft Exchange Configuration record password is updated before the new password is in effect in Active Directory and Exchange.

    • If the old password becomes invalid before updating the Microsoft Exchange Configuration record password.

  • Propagation of a new password throughout Active Directory and Exchange is not always immediate, especially in larger organizations. After performing a password change for the impersonation account, a temporary service outage may occur for some users.

For these reasons, we recommend that you have two identically configured impersonation accounts for the Calendar Service, with staggered password expiration.

An Example Password Rotation Strategy

In this example, the password expiration period for calaccountA@example.com and calaccountB@example.com is 180 days. To be conservative, the administrator chose to rotate the accounts every two months. The actual password expiration period for your organization may be different.

January 1, 2017

  • Create two impersonation accounts: calaccountA@example.com and calaccountB@example.com.

  • Configure the accounts as specified in the Hybrid Calendar Service documentation.

  • Set a new password for both accounts.

  • When configuring Hybrid Services > Calendar Services > Microsoft Exchange Configuration, use calaccountA@example.com.

March 1, 2018

Change the password for calaccountB@example.com.

March 8, 2018

Update Hybrid Services > Calendar Services > Microsoft Exchange Configuration to use calaccountB@example.com with the new password set on March 1.

May 1, 2018

Change the password for calaccountA@example.com.

May 8, 2018

Update Hybrid Services > Calendar Services > Microsoft Exchange Configuration to use calaccountA@example.com with the new password set on May 1.

July 1, 2018

Change the password for calaccountB@example.com.

July 8, 2018

Update Hybrid Services > Calendar Services > Microsoft Exchange Configuration to use calaccountB@example.com with the new password set on July 1.

Continue this password rotation process.