Cross-forest PCNS issues

Hi,

We have 2 forests, ForestA and ForestB.

FIM is deployed in ForestA.

FIM is synchronising users from ForestB (via ForestB MA) to ForestA (via ForestA MA).

ForestA and ForestB are connected via a 2 way Kerberos Trust.

All firewalls have been disabled between the virtual machines.

In ForestB we have deployed PCNS and ran the following command: pcnscfg ADDTARGET /N:FIMServer /A:FIM01.forestA.com /S:PCNSCLNT:FIM01.forestA.com /FI:"Domain Users" /f:3

In ForestA we have registered the SPN as: setspn -A PCNSCLNT/FIM01.forestA.com ForestA\FIMSyncService

FIM is importing users from ForestB and successfully provisioning them in ForestA.

FIM is configured as follows:

  • FIM/Tools/Options/ Enable Password Synchronization is selected
  • ForestB MA is configured as the Password Synchronization source / with ForestA selected as the Target MA
  • ForestA MA / Configure Extensions / Enable Password Management is enabled

However, when a user changes their password in ForestB, event viewer on ForestB domain controller errors with:

Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be authenticated.

Additional Details:
 
Thread ID: 4300
Tracking ID: ad7d5acb-74ca-448e-9496-a4944260b955
User GUID: b6d8f3f9-d115-4331-816a-8af98683beda
User: FORESTB\test1
Target: FIMServer
Delivery Attempts: 460
Queued Notifications: 1
0x00000721 - A security package specific error occurred.
 
ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0

ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1461
Flags is 0
NumberOfParameters is 0

ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 141
Flags is 0
NumberOfParameters is 1
Long val: -1073741413

ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 3
Status is -1073741413
Detection location is 140
Flags is 0
NumberOfParameters is 4
Long val: 16
Long val: 6
Unicode string: PCNSCLNT/FIM01.FORESTA.COM
Long val: 68126

Any ideas?

April 7th, 2014 3:44am

Hi!

You need to register the SPN to the account that's running FIM Sync, like this.

setspn.exe -S PCNSCLNT/FIMSyncServer.ForestA ForestA\<FIM Sync ServiceAccount>

You can check the SPN with this command:

SETSPN -L FIMSyncService Service Account

Please check this:

This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.

Please verify the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx#The_password_change_notification_target_could_not_be_authenticated

http://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx

/Robert
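To check the four conditions listed in the reply from a domain-joined host in ForestA, here is an added PowerShell script (not from the thread, and not part of FIM or PCNS). It assumes setspn.exe is on the path, the caller can read the directory, and WMI access to the target host is allowed; the default SPN, account and host names are the ones from the question.

```powershell
# Added example, not from the thread: checks the four PCNS authentication-failure
# conditions for one target SPN. Assumes setspn.exe (RSAT) is on the path, the caller
# can read Active Directory, and WMI (DCOM) access to the target host is permitted.
# Defaults are the names from the question; replace them with your own values.
param(
    [string]$Spn            = 'PCNSCLNT/FIM01.forestA.com',
    [string]$ServiceAccount = 'ForestA\FIMSyncService',
    [string]$TargetHost     = 'FIM01.forestA.com'
)
$problems = @()

# Condition 3: the host part of the SPN must be a fully qualified name.
$hostPart = ($Spn -split '/', 2)[1]
if (-not $hostPart -or $hostPart -notmatch '\.') {
    $problems += "SPN '$Spn' does not use a fully qualified host name (condition 3)."
}

# Conditions 1 and 2: 'setspn -Q' prints one 'CN=...' distinguished name per account
# holding the SPN, so counting those lines finds missing and duplicate registrations.
$owners = @(setspn.exe -Q $Spn 2>&1 | Where-Object { $_ -match '^CN=' })
if ($owners.Count -eq 0) {
    $problems += "SPN '$Spn' is not registered to any account (condition 1)."
} elseif ($owners.Count -gt 1) {
    $problems += "SPN '$Spn' is held by $($owners.Count) accounts (condition 2): $($owners -join '; ')"
}
# The account hosting the target process (the FIM Sync service account) must hold it.
$listed = setspn.exe -L $ServiceAccount 2>&1 | Where-Object { $_.Trim() -ieq $Spn }
if (-not $listed) {
    $problems += "'$ServiceAccount' does not list SPN '$Spn' (condition 1)."
}

# Condition 4: Kerberos tolerates at most 5 minutes of clock skew. Read the target's
# clock over WMI; Get-CimInstance returns it as a DateTime for this host's time zone,
# so converting both sides to UTC gives a fair comparison.
try {
    $os        = Get-CimInstance Win32_OperatingSystem -ComputerName $TargetHost -ErrorAction Stop
    $remoteUtc = $os.LocalDateTime.ToUniversalTime()
    $skew      = [math]::Abs(((Get-Date).ToUniversalTime() - $remoteUtc).TotalSeconds)
    if ($skew -gt 300) {
        $problems += "Clock skew to $TargetHost is $([int]$skew)s, over the 300s limit (condition 4)."
    }
} catch {
    $problems += "Could not read the clock of $TargetHost over WMI: $($_.Exception.Message)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "SPN '$Spn': single owner, FQDN format and clock skew all OK." }
```

Run it as a user with directory read access; each warning names the condition from the list above that it corresponds to.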


April 7th, 2014 9:47am
