PCNS - The password change notification target could not be authenticated

Hi everyone, I am having an issue getting PCNS up and running across two domains.

The specific error is: The password change notification target could not be authenticated.

User Action: This usually happens under the following conditions:

1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.

2. The SPN is assigned to more than one Active Directory account.

3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.

4. There is more than 5 minutes of time variance between this system and the target system.

I have reviewed the above error in this forum but have not found a solution as yet. I believe it is an incorrect SPN or forest-level trust; I have double-checked everything against the PCNS documentation and as far as we can tell it is correct.

Our set up is as follows:

Domain A - Windows 2008 R2 - PCNS installed on all DCs

Domain B - Windows 2008 R2 - PCNS DISABLED on all DCs

When PCNS starts it shows correctly that it is queuing requests as expected

FIM 2010 Synch Server is in Domain B

Outgoing Domain A trust to Domain B - Forest, Transitive = Yes

Incoming Domain A trust to Domain B - Forest, Transitive = Yes


FIM Server (service running under domainB\FIMService)

- Tools > Options > "Enable Password Synch" checked

- Domain A MA - enabled as password source, Domain B MA selected as target

- Domain B MA - enable password management selected

PCNS config in Domain A:

pcnscfg ADDTARGET /N:sso-fed-app2 /A:sso-fed-app2.bpo-shared-fim.ad.hp1.com /S:PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com /FI:"Domain Users" /FE:"Domain Admins" /F:1 /I:600 /D:False /WL:20 /WI:60


Targets
  Target Name...........: SSO-FED-APP2
  Target GUID...........: 10A7BDA1-873A-4DCC-AFCD-5C7941990684
  Server FQDN or Address: sso-fed-app2.bpo-shared-fim.ad.hp1.com
  Service Principal Name: PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com
  Authentication Service: Kerberos
  Inclusion Group Name..: CORP\Domain Users
  Exclusion Group Name..: CORP\Domain Admins
  Keep Alive Interval...: 600 seconds
  User Name Format......: 1
  Queue Warning Level...: 20
  Queue Warning Interval: 60 minutes
  Disabled..............: False


On Domain B I have set
Setspn.exe -A PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com bpo-shared-fim\FIMService

Any help on this would be GREATLY appreciated

thanks, Vadiraj

  
July 8th, 2013 4:37am
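As an added example (not from the thread or from the PCNS documentation), the script below checks the four conditions the PCNS event lists, plus Thomas's trust-direction point from later in the thread, from a PCNS source DC. It assumes the ActiveDirectory PowerShell module is installed, that the caller can read the target domain, and that `$TargetFqdn`, `$TargetDomainDc` and `$SourceDomainDns` are placeholders you replace with your own names. The reverse-lookup check is included because the thread's eventual root cause was DNS.

```powershell
# Added example, not part of the original thread. Verifies the four conditions in the
# PCNS "target could not be authenticated" event plus the trust direction.
# Placeholders (assumptions): $TargetFqdn, $TargetDomainDc, $SourceDomainDns.
param(
    [string]$TargetFqdn      = 'fim-sync.target.example.com',  # FIM Sync server FQDN (placeholder)
    [string]$TargetDomainDc  = 'dc1.target.example.com',       # a DC in the FIM (target) domain (placeholder)
    [string]$SourceDomainDns = 'source.example.com',           # DNS name of the PCNS domain (placeholder)
    [string]$SpnClass        = 'PCNSCLNT',
    [int]$MaxSkewSeconds     = 300                             # Kerberos default clock-skew limit
)

Import-Module ActiveDirectory
$spn = "$SpnClass/$TargetFqdn"
$problems = @()

# Conditions 1 and 2: the SPN must be registered on exactly one account in the target domain.
$holders = @(Get-ADObject -Server $TargetDomainDc -LDAPFilter "(servicePrincipalName=$spn)")
switch ($holders.Count) {
    0       { $problems += "SPN '$spn' is not registered on any account (condition 1)." }
    1       { Write-Host "SPN '$spn' is held by $($holders[0].DistinguishedName)" }
    default { $problems += "SPN '$spn' is registered on $($holders.Count) accounts (condition 2): " +
                           ($holders.DistinguishedName -join '; ') }
}

# Condition 3: the SPN host part must be an FQDN that resolves forward and reverse consistently.
if ($TargetFqdn -notmatch '\.') {
    $problems += "Target '$TargetFqdn' is not fully qualified (condition 3)."
} else {
    try {
        $addrs = @(Resolve-DnsName -Name $TargetFqdn -Type A -ErrorAction Stop | Where-Object { $_.IPAddress })
        foreach ($a in $addrs) {
            $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue
            $names = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })
            if ($names -notcontains $TargetFqdn) {
                $problems += "Reverse lookup of $($a.IPAddress) does not return '$TargetFqdn' (check DNS)."
            }
        }
    } catch {
        $problems += "Forward lookup of '$TargetFqdn' failed: $($_.Exception.Message)"
    }
}

# Condition 4: clock offset between this DC and the target must stay under the Kerberos limit.
# w32tm /stripchart /dataonly prints lines like "12:00:00, +00.0012345s".
$stripchart = & w32tm.exe /stripchart /computer:$TargetFqdn /samples:1 /dataonly 2>&1
$offsetLine = $stripchart | Where-Object { $_ -match '([+-]\d+\.\d+)s' } | Select-Object -Last 1
if ($offsetLine -and $offsetLine -match '([+-]\d+\.\d+)s') {
    $offset = [math]::Abs([double]$Matches[1])
    if ($offset -gt $MaxSkewSeconds) {
        $problems += ("Clock offset to {0} is {1:N3} s, over the {2} s limit (condition 4)." -f $TargetFqdn, $offset, $MaxSkewSeconds)
    } else {
        Write-Host ("Clock offset to {0}: {1:N3} s" -f $TargetFqdn, $offset)
    }
} else {
    $problems += "Could not measure clock offset with w32tm: $($stripchart -join ' ')"
}

# Trust direction: the FIM (target) domain must trust the PCNS (source) domain, i.e. the
# trust object held in the target domain for the source domain is outgoing from its side.
$trust = Get-ADTrust -Server $TargetDomainDc -Filter "Name -eq '$SourceDomainDns'" -ErrorAction SilentlyContinue
if (-not $trust) {
    $problems += "No trust object for '$SourceDomainDns' found in the target domain."
} elseif ($trust.Direction -notin @('Outbound', 'BiDirectional')) {
    $problems += "Trust to '$SourceDomainDns' has direction '$($trust.Direction)'; the target domain does not trust the source domain."
} else {
    Write-Host "Trust to '$SourceDomainDns' is $($trust.Direction) from the target domain."
}

if ($problems.Count -eq 0) {
    Write-Host 'All PCNS target checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it on one of the PCNS source DCs with an account that can read the target domain; each failed check names the PCNS condition it corresponds to, so the warnings map directly back to the event text above.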

Vadiraj,

Which domain are you provisioning users to?

Which user account are you using for sync?

I can see you have set the SPN on the 'fimservice' account, which is incorrect. You have to use the account 'fimsync' and set the SPN on this, and remove the SPN from the 'fimservice' account. Now, I think the issue might be resolved.

Regards,

Manuj Khurana

July 8th, 2013 5:35am

Hi Manjunath,

Thanks for the reply. But I don't think it is a FIMService-related issue. In fact I have tested with FIMService in my earlier deployment, where the FIM Server and PCNS were deployed as members of the source Active Directory domain/forest. Now my current requirement is that the FIM server is not part of the source domain/AD; rather it should be a member of the destination domain.

Also, if you see what is mentioned in the TechNet document "Implementing the Automated Password Synchronization Solution - Step-by-Step", it says "user name of the MIIS 2003 service account":

Setspn.exe -a <user defined named for target MIIS 2003 server>/<fully qualified domain name of the server running MIIS 2003>\<domain\user name of the MIIS 2003 service account>

Thanks

Vadiraj

July 8th, 2013 9:39am

I must say I hate the notation of your trust. Very confusing. I prefer the term two-way, OR specify in which direction the one-way trust is. Two remarks:

  • IF PCNS is deployed in A AND FIM is in B, then B needs to trust A. That means that "a service", the PCNS, can talk Kerberos to the FIM Sync service.
  • the SPN should definitely go on the account running the FIM Synchronization Service.

Good luck!

Kind regards,

Thomas

July 8th, 2013 4:00pm

Hey Vadiraj,

Spell my name correctly.

Thanks,

Manuj Khurana

July 9th, 2013 8:33am

Hi Manuj,

  My sincere apologies for the misspelling.

Thanks

Vadiraj

July 10th, 2013 1:40am

Thanks everyone.

Issue got resolved. Finally it was found to be a DNS issue.

regards

vadiraj

July 16th, 2013 2:16am
