Hi,

We have 2 forests, ForestA and ForestB.

FIM is deployed in ForestA.

FIM is synchronising users from ForestB (via ForestB MA) to ForestA (via ForestA MA).

ForestA and ForestB are connected via a 2 way Kerberos Trust.

All firewalls have been disabled between the virtual machines.

In ForestB we have deployed PCNS and ran the following command: pcnscfg ADDTARGET /N:FIMServer /A:FIM01.forestA.com /S:PCNSCLNT:FIM01.forestA.com /FI:"Domain Users" /f:3

In ForestA we have registered the SPN as: setspn -A PCNSCLNT/FIM01.forestA.com ForestA\FIMSyncService

FIM is importing users from ForestB and successfully provisioning them in ForestA.

FIM is configured as follows:

• FIM/Tools/Options/ Enable Password Synchronization is selected
• ForestB MA is configured as the Password Synchronization source / with ForestA selected as the Target MA
• ForestA MA / Configure Extensions / Enable Password Management is enabled

However, when a user changes their password in ForestB, event viewer on ForestB domain controller errors with:

Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be authenticated.

Additional Details:
 
Thread ID: 4300
Tracking ID: xxx...
User GUID: xxx...
User: FORESTB\test1
Target: FIMServer
Delivery Attempts: 60
Queued Notifications: 1
0x00000721 - A security package specific error occurred.
 
ProcessID is 2100
System Time is: 4/7/2014
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0

ProcessID is 2100
System Time is: 4/7/2014
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1461
Flags is 0
NumberOfParameters is 0

ProcessID is 2100
System Time is: 4/7/2014
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 141
Flags is 0
NumberOfParameters is 1
Long val: -1073

ProcessID is 2100
System Time is: 4/7/2014
Generating component is 3
Status is -1073
Detection location is 140
Flags is 0
NumberOfParameters is 4
Long val: 16
Long val: 6
Unicode string: PCNSCLNT/FIM01.FORESTA.COM
Long val: 681

Any ideas?

• Edited by Shim Kwan Wednesday, April 09, 2014 8:40 AM

Hi!

You need to register the SPN to the account thats running FIM Sync like this.

setspn.exe -S PCNSCLNT/FIMSyncServer.ForestA ForestA\<FIM Sync ServiceAccount>

You can check the SPN woth this command:

SETSPN -L FIMSyncService Service Account

Please Check this:

This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.

Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx#The_password_change_notification_target_could_not_be_authenticated

http://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx

/Robert

• Edited by Robert Kielén Monday, April 07, 2014 1:47 PM Update

Hi,

I have reviewed every single setting, and walked through your links. Nothing. I restarted the FIM Sync Server, and now get the following errors:

Password Change Notification Service received an RPC exception attempting to deliver a notification.
The password change notification target could not be contacted.
User Action:
The target server may not be running. Verify that the target server is running.
Additional Details:
Thread ID: 1264
Tracking ID: xxx...
User GUID: xxx...
User: FORESTB\test1
Target: FIMServer
Delivery Attempts: 123
Queued Notifications: 22
0x000006D9 - There are no more endpoints available from the endpoint mapper.
 
ProcessID is 1364
System Time is: 4/9/2014
Generating component is 2
Status is 1753 - There are no more endpoints available from the endpoint mapper.
Detection location is 501
Flags is 0
NumberOfParameters is 4
Unicode string: ncacn_ip_tcp
Unicode string: FIM01.FORESTA.COM
Long val: -647
Long val: 382

Additionally found this in System log...which might be the source of the problem?

A Kerberos error message was received:

 on logon session

 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN

 Extended Error: 0xc0000035 KLIN(0)

 Client Realm:

 Client Name:

 Server Realm: FORESTA.COM

 Server Name: PCNSCLNT/FIM01.FORESTA.COM

 Target Name: PCNSCLNT/FIM01.FORESTA.COM@FORESTA.COM

 Error Text:

 File: 9

 Line: 12be

 Error Data is in record data.

• Edited by Shim Kwan Wednesday, April 09, 2014 8:39 AM

Could you show us your pcnscfg settings? Were there any errors when you added the target? 

sure, here it is:

Targets
  Target Name...........: FIMServer
  Server FQDN or Address: FIM01.FORESTA.COM
  Service Principal Name: PCNSCLNT/FIM01.FORESTA.COM
  Authentication Service: Kerberos
  Inclusion Group Name..: FORESTB\Domain Users
  Exclusion Group Name..:
  Keep Alive Interval...: 0 seconds
  User Name Format......: 3
  Queue Warning Level...: 0
  Queue Warning Interval: 30 minutes
  Disabled..............: False

Not sure if I mentioned this, but all the Domain Controllers are Windows Server 2012.

FIM 2010 R2 build 4.1.3508.0 is running on Windows 2012 too.

Hi!

Most likely this is the same problem as in this thread http://social.technet.microsoft.com/Forums/en-US/d3746e05-ec6e-4886-8ac4-c40ebda36097/pcns-the-password-change-notification-target-could-not-be-authenticated?forum=ilm2

This might be more of a DC/DNS issue.

/Robert

Unfortunately we could not get this resolved and are going to recreate the VMs from scratch.

VMs recreated. Followed the same PCNS deployment guide. Things are now working.

Hi!

Good to hear that.

/Robert

thank you for everyone's help in the matter!