Hi We have a issue when we are trying to set the intial password with the AD MA. FIM 2010 are RTM without any updates, and we are running against a Windows 2008R2 domain. We are able to create the user, but the user is disabled. We are sending a static password and set the user to enable (512), everything is fine in FIM - but in the AD the user is disabled. We have checked that the MA user, has the rights that it needs, and that the password, that we are sending, meets the requirements for the password policy. We assume that the AM does not set the password at all. We are not able to see the attribute unicodePwd in the request, but we assume that is normal.

Are you sure you are flowing unicodePwd as "Initial Flow Only" and that the static password meets the AD password requirements? It's completely normal that accounts that doesn't receive a password is created disabled. //HenrikHenrik Nilsson, ILM/FIM MVP Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

Are you sure you are flowing unicodePwd as "Initial Flow Only" and that the static password meets the AD password requirements? It's completely normal that accounts that doesn't receive a password is created disabled. //HenrikHenrik Nilsson, ILM/FIM MVP Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

Hi Henrik, Yes, we are flowing the unicodePwd as "Initial Flow Only", and the password does meet the requirements, we have tested by adding a user manually with that password. Mikkel

Hi Henrik, Yes, we are flowing the unicodePwd as "Initial Flow Only", and the password does meet the requirements, we have tested by adding a user manually with that password. Mikkel

Are you using the FIM portal to configure the sync or do you use the FIMSync only? How did you configure the initial password in provisioning? (Sync rule, or mvextension?) Do you see the any errors in the import/sync/export/confirming import? Did you check for Kerberos errors? Is the FIM server time synced with the AD DC? Kind regards, PeterPeter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be) [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]

Are you using the FIM portal to configure the sync or do you use the FIMSync only? How did you configure the initial password in provisioning? (Sync rule, or mvextension?) Do you see the any errors in the import/sync/export/confirming import? Did you check for Kerberos errors? Is the FIM server time synced with the AD DC? Kind regards, PeterPeter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be) [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]

Hi Peter, We are using the FIM portal and outbound sync rules to create the user. There are no erros in the import/sync/export/confirming import - the only change is the confirming import, where the attribute useraccountcontrol is 514 instead if 512, but that is the actual value in AD. There are no kerberos erros or warnings in the security event log on the DC. The FIM server are time synced with the DC. Best regards, Mikkel

Hi Peter, We are using the FIM portal and outbound sync rules to create the user. There are no erros in the import/sync/export/confirming import - the only change is the confirming import, where the attribute useraccountcontrol is 514 instead if 512, but that is the actual value in AD. There are no kerberos erros or warnings in the security event log on the DC. The FIM server are time synced with the DC. Best regards, Mikkel

I had similar error couple of year ago with MIIS. can't remember exactly whether it was pwdLastSet attribute value but for new users I have this in MapAttributesForExport Case "pwdlastset" If Not csentry.DN.ToString.Contains(ExceptionsUsersContainer) And mventry("employeeID").IsPresent Then If Not csentry("pwdLastSet").IsPresent Then csentry("pwdLastSet").Values.Add(0) End If End If That means setting pwdlastset to 0 on initial flow may help.

I had similar error couple of year ago with MIIS. can't remember exactly whether it was pwdLastSet attribute value but for new users I have this in MapAttributesForExport Case "pwdlastset" If Not csentry.DN.ToString.Contains(ExceptionsUsersContainer) And mventry("employeeID").IsPresent Then If Not csentry("pwdLastSet").IsPresent Then csentry("pwdLastSet").Values.Add(0) End If End If That means setting pwdlastset to 0 on initial flow may help.

and can we see an audit log from an export profile run for new account creation? just to check whether 512 is really exported to AD.

I'm not sure if it's required, but have you got the following set in your AD MA: "Connect to Active Directory Forest" -> Sign and Encrypt LDAP traffic "Configure Extension" -> "Pwd Management" -> (1) enable pwd mgmt, (2) settings -> check "require secure ...", i have retry count as 10, interval as 60 I copy pasted this from http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b2d07c59-9e1a-4d1c-86c9-a6cd96a40aab http://setspn.blogspot.com

I'm not sure if it's required, but have you got the following set in your AD MA: "Connect to Active Directory Forest" -> Sign and Encrypt LDAP traffic "Configure Extension" -> "Pwd Management" -> (1) enable pwd mgmt, (2) settings -> check "require secure ...", i have retry count as 10, interval as 60 I copy pasted this from http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b2d07c59-9e1a-4d1c-86c9-a6cd96a40aab http://setspn.blogspot.com

Hi all, The problem has been solved. We have a firewall between the DC and FIM - and we had to open for port 464 (UDP and TCP) in order to set the password. Thanks for all the feedback!