Password Sync not working in FIM2010
Hi, Here's some information on how to enable PCNS logging. This should get you some more information in the event viewer: http://social.technet.microsoft.com/wiki/contents/articles/pcns-logging.aspx Let me know if the information in the event viewer gives you some new insights on why the password sync isn't working. If not, maybe I can help you with the new information. Best regards, Pieter de Loos. Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
May 26th, 2012 8:52am

Hello Pieter, Sorry I forgot to mention this earlier, I did change registry settings to enable verbose logging but no events are being seen inside on FIM Server. Thanks
May 26th, 2012 9:12am

Hi, Have you restarted the PCNS and FIM Sync service since you have set the registry values? Have you set the registry values on the domain controller as well as the FIM sync server? Best regards, Pieter. Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
May 26th, 2012 9:40am

Hi, Yes, I have restarted them and the PCNS service too. Thanks,
May 26th, 2012 9:42am

We were able to find the culprit in the logging. A mighty space character. A support person too is working with me on this issue.

" FeaturePwdSyncLogLevel"=dword:00000003

However, I now get the following message from the event viewer.

Event ID - 6904 Information
A password notification was rejected by FIM because it could not be located in the connector space.
Reference ID: Reference ID of the password change request
Source Object GUID: GUID of the user account that originated the password change request.

I am trying to figure out the issue with my Management Agent. --Mitul
May 26th, 2012 1:45pm
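A small check for the defect Mitul found (a stray space in the registry value name), as an added example that is not from the thread: it parses a constructed .reg export of the logging key and flags value names with leading or trailing whitespace, then reads the log level only when the name is exact. The key path in the sample is a placeholder, not the real PCNS registry location.

```python
import re

# Constructed sample of a regedit export in which a space has crept into
# the value name, the same defect reported in the thread. The key path is
# a placeholder, not the actual PCNS logging key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER\PCNS]
" FeaturePwdSyncLogLevel"=dword:00000003
"OtherValue"="abc"
'''

# Value names the PCNS logging configuration is expected to contain.
EXPECTED = ("FeaturePwdSyncLogLevel",)

VALUE_RE = re.compile(r'^"(?P<name>.*)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys


def find_problems(keys, expected=EXPECTED):
    """List names with stray whitespace and expected names that are absent."""
    problems = []
    for path, values in keys.items():
        for name in values:
            if name != name.strip():
                problems.append((path, name, "whitespace in value name"))
        for want in expected:
            if want not in values:
                problems.append((path, want, "expected value missing"))
    return problems


def pwd_sync_log_level(keys):
    """Return FeaturePwdSyncLogLevel as an int, or None if absent or misnamed."""
    for values in keys.values():
        data = values.get("FeaturePwdSyncLogLevel", "")
        if data.startswith("dword:"):
            return int(data[len("dword:"):], 16)
    return None
```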

ISSUE: We are trying to implement Password Sync in FIM2010 for McAfee Endpoint Encryption. McAfee Endpoint Encryption doesn't support direct database calls, so a password change in McAfee is only done through web service calls. I have created a .NET dll which implements the PasswordSync interface for FIM2010 and then syncs the password using the web service of McAfee. I have created an Extensible Management Agent to do this. I implemented the .DLL for password sync, and the following things I have already done.

TROUBLESHOOTING
1. All three checkboxes have been checked which say Enable Password Synchronization.
2. Selected the Target inside the Active Directory Management Agent to the Extensible Management Agent.
3. PCNS service is properly configured.
4. SPN is configured appropriately.
5. From Domain Controllers, I have verified that PCNS is sending password change notifications to the target web server.

However, we are unable to find out why we are not able to see any event logs on the FIM2010 server related to password change notifications from PCNS. On our older ILM implementation we are able to see events 6902, 6903, 6907 and so on related to pwd synchronization. We do not see those events in FIM2010. Also, I am not sure about "Which profiles to configure for the ECMA", because if I understand it correctly then password sync happens instantaneously. Any help in this direction would be very much appreciated. Thanks. Mitul
May 26th, 2012 3:53pm

Ok, so you've made some progress! The error seems to be indicating that the user that changed his or her password is not imported in the connector space. If you open the FIM Synchronization Client and then search the Active Directory connector space, can you find the corresponding user there? If not, you should change the org. units in scope for that MA and/or run a new full import. Best regards, Pieter. Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
May 26th, 2012 4:26pm

Just to clarify #5, do you have PCNS configured to send the passwords to the McAfee web service or to your FIM server? It needs to be directed to the sync engine. You also need to have connectors for each relevant identity to both your AD MA and your custom MA for McAfee. That means running at least a full import and sync on the AD MA (if you've never run one), and doing some kind of import on your custom MA unless it is export only, in which case you'll have to run an export on all the users at the very least. This wouldn't explain why you see no PCNS-related logs on your FIM sync engine, but it is a requirement to make the system work. Chris
May 26th, 2012 5:36pm

Good question, Chris. It wouldn't explain why no PCNS logging is present on the domain controller that processed the password change, but it would explain why no PCNS logging is present on the FIM sync engine. Mitul, can you please verify the correct configuration on ALL your domain controllers that process password changes?

To verify configuration of FIM 2010 as a target for PCNS:
1. Log on to an Active Directory domain controller where PCNS was installed with administrative privileges.
2. At a command-line prompt, navigate to the PCNS installation directory, which is typically C:\Program Files\Microsoft Password Change Notification.
3. Type Pcnscfg LIST, and then press ENTER.
4. Verify that the output listing corresponds to the settings that you configured earlier. You should see the FIM 2010 server name, the SPN for the FIM 2010 service account, the authentication type, the inclusion groups, and any exclusion groups that you configured.

Best regards, Pieter. Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
May 27th, 2012 4:27am
