PCNS - The password change notification target could not be authenticated
Hi everyone, we are having an issue getting PCNS up and running across two domains. The specific error is:

The password change notification target could not be authenticated.
User Action: This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.

We have reviewed the above error in this forum but have not found a solution. We believe it is an incorrect SPN or forest-level trust, but we have double-checked everything against the PCNS documentation and as far as we can tell it is correct.

Our setup is as follows:

Domain A - Windows 2003 - PCNS installed on all DCs
Domain B - Windows 2008 - PCNS DISABLED on all DCs
When PCNS starts it shows correctly that it is queuing requests as expected
FIM 2010 Sync Server is in Domain B
Outgoing Domain A trust to Domain B - Forest, Transitive = Yes
Incoming Domain A trust to Domain B - Forest, Transitive = Yes
Name suffix routing *.domainB.local enabled
Forest-wide authentication
FIM Server (service running under domainB\FIMSync) - Tools - Options "Enable Password Synch" checked
- Domain A MA - enabled as a password source, domain B MA selected as target
- Domain B MA - enable password management selected

PCNS config in Domain A:

C:\Program Files\Microsoft Password Change Notification>pcnscfg.exe ADDTARGET /N:FIMSERVER /A:mufimtest3.domainB.local /S:PCNSCLNT/mufimtest3.domainB.local /FI:"Domain Users" /FE:"PCNSexclude" /f:3
Target Name...........: FIMSERVER
Target GUID...........: yyyy-xxxx-aaaa-bbb-cccccccc
Server FQDN or Address: mufimtest3.domainB.local
Service Principal Name: PCNSCLNT/mufimtest3.domainB.local
Authentication Service: Kerberos
Inclusion Group Name..: domainA\Domain Users
Exclusion Group Name..: domainA\PCNSexclude
Keep Alive Interval...: 0 seconds
User Name Format......: 3
Queue Warning Level...: 0
Queue Warning Interval: 30 minutes
Disabled..............: False

C:\Program Files\Microsoft Password Change Notification>setspn -l domainB\fimsync
Registered ServicePrincipalNames for CN=FIMSync,CN=Users,DC=domainB,DC=local:
PCNSCLNT/mufimtest3.domainB.local

We believe that we have correctly set the SPN for the domainB\FIMSync ID in domainA. No SPN has been created in domainB for domainB\FIMSync, but clearly something may be wrong. Any help on this would be GREATLY appreciated!
October 8th, 2010 4:36am

Verify using setspn -x that you don't have duplicate SPNs in your environment. Your configuration appears to be ok; the SPN value that is displayed here and the other values of your PCNS configuration look right. Typically, though, if you get the 6025 error that specifically mentions SPN issues, it usually is an issue with that. You do have the 2-way forest-level trust configured according to this, as well. Verify that in domainA you don't have that same SPN value configured for any account. That SPN value should only be present on the sync service account in domainB. Hope this helps! Glenn
October 8th, 2010 5:52am

Are you able to provide more information on the error? Maybe by increasing the log level to verbose:
HKLM\System\CurrentControlSet\Services\PCNSSVC\Parameters, EventLogLevel (REG_DWORD)
0 = Minimal Logging
1 = Normal Logging
2 = High Logging
3 = Verbose Logging
The other thing you could try is changing the username format delivered to the FIM Sync service to USER_NAME_TYPE_1779 ( /f:1 ).
October 8th, 2010 6:58am

Phil and Glenn, thanks for the quick response; we will look at both of your suggestions. Glenn, you mentioned that the SPN value for the sync service account should only be present in domainB. Currently, we have set the SPN up in domainA where PCNS is running and NOT domainB where the FIM sync server is running. Is it correct to assume that we put the SPN in the wrong domain then?
October 8th, 2010 1:56pm

Yes, it's in the wrong place.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
October 9th, 2010 2:14am

Ok, we have set the SPN in domainB where PCNS is running. We have rebooted the DCs as well but we are still getting the same error. Thanks again for all the help!
October 9th, 2010 3:04pm

Make sure you removed it from domainA. There is no entity in domainA, computer or user account, that should have this value. The value should only exist on the sync service account in domainB. Also, make sure the PCNS target has the correct SPN for the service account in domainB. You can view this by running the command 'PCNSCfg List' on a DC in domainA. If this config points to a value in domainA, then this is your problem.
October 9th, 2010 6:05pm
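The checks Glenn describes (one holder of the SPN, in the target forest only, correctly formatted, and no more than 5 minutes of clock skew) map directly onto the four conditions listed in the 6025 event. The PowerShell below is an added example, not something posted in this thread; it uses only System.DirectoryServices and WMI so it runs on a 2003/2008-era DC without the ActiveDirectory module. The SPN, server FQDN and forest roots are placeholders taken from the thread and must be replaced with your own values.

```powershell
# Added check script (not from the thread). Assumptions: run as a domain admin on a DC or
# workstation that can reach both forests; the three values below are placeholders.
$Spn        = 'PCNSCLNT/mufimtest3.domainB.local'   # SPN given to pcnscfg ADDTARGET /S:
$TargetHost = 'mufimtest3.domainB.local'            # FIM Sync server, as given to /A:
$Forests    = @('DC=domainA,DC=local', 'DC=domainB,DC=local')  # one search root per forest

# Condition 3: the SPN must be PCNSCLNT/<FQDN>, and the FQDN must match the target address.
$formatOk = ($Spn -match '^PCNSCLNT/([^/]+\.[^/]+)$') -and ($Matches[1] -ieq $TargetHost)
if (-not $formatOk) {
    Write-Warning "SPN '$Spn' is not PCNSCLNT/$TargetHost (condition 3)"
}

# Conditions 1 and 2: exactly one account may carry the SPN, and it must live in the
# forest of the FIM Sync service account. Search every forest root for the SPN value.
$holders = @()
foreach ($root in $Forests) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$root")
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $holders += [string]$result.Properties['distinguishedname'][0]
    }
}
switch ($holders.Count) {
    0       { Write-Warning "No account holds $Spn (condition 1)" }
    1       { Write-Host "SPN held once, by: $($holders[0])" }
    default { Write-Warning "SPN held by more than one account (condition 2): $($holders -join '; ')" }
}
# The holder must be in the target forest (domainB here), never in the PCNS source forest.
if ($holders -match 'DC=domainA,DC=local') {
    Write-Warning "SPN is registered in the source forest; it belongs only on the sync account in domainB"
}

# Condition 4: Kerberos rejects tickets when the clocks differ by more than 5 minutes.
# Compare this host's clock with the target's via WMI (DCOM), converting the DMTF timestamp.
$os         = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $TargetHost
$remoteTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
$skewMin    = [math]::Abs(((Get-Date) - $remoteTime).TotalMinutes)
if ($skewMin -gt 5) {
    Write-Warning ("Clock skew of {0:N1} minutes with $TargetHost exceeds 5 (condition 4)" -f $skewMin)
} else {
    Write-Host ("Clock skew with {0}: {1:N1} minutes" -f $TargetHost, $skewMin)
}
```

Run it from a DC in the source domain (where PCNS is installed) so the same credentials are used that the PCNS service will present across the trust.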

Thanks Glenn we will take a look and let you know.
October 11th, 2010 4:48pm

Glenn, here is the output; it appears to correctly resolve the SPN. The output of "pcnscfg list" on domainA is:

C:\Program Files\Microsoft Password Change Notification>pcnscfg list
The service configuration is not set. Defaults will be used by the service.
Default Service Configuration
MaxQueueLength........: 0
MaxQueueAge...........: 259200 seconds
MaxNotificationRetries: 0
RetryInterval.........: 60 seconds
Targets
Target Name...........: FIMSERVER
Target GUID...........: xxx-ppp-yyyy
Server FQDN or Address: domainBfimTest3.domainB.local
Service Principal Name: PCNSCLNT/domainBfimTest3.domainB.local
Authentication Service: Kerberos
Inclusion Group Name..: domainA\Domain Users
Exclusion Group Name..: domainA\PCNSexclude
Keep Alive Interval...: 0 seconds
User Name Format......: 3
Queue Warning Level...: 0
Queue Warning Interval: 30 minutes
Disabled..............: False
Total targets: 1

That matches the SPN that was set up.

C:\Documents and Settings\Administrator>setspn -l domainB\fimsync
Registered ServicePrincipalNames for CN=FIMSync,CN=Users,DC=domainB,DC=local:
PCNSCLNT/domainBfimTest3.domainB.local
October 11th, 2010 9:23pm

I did notice that on the delegation tab on the FimSynch account in domainB that Kerberos was not turned on for that account. Would that have something to do with the issue?
October 13th, 2010 6:15pm

Delegation is not involved in this scenario. The FIM Sync account is an endpoint for the PCNS. No delegation to other resources is required. In this topic I got the basic steps explained: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b6745f0d-f80c-497e-9feb-e0e8b77f46c9 Read it, perhaps something comes to your mind.
http://setspn.blogspot.com
October 13th, 2010 7:18pm

Ok, it turned out our issue was related to the DNS set up of the DCs. Thanks to all for your assistance and hopefully this will help someone else.
October 26th, 2010 7:33pm
