Hi everyone, I am having an issue getting PCNS up and running across two domains.
The specific error is: The password change notification target could not be authenticated.
User Action: This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.
I have reviewed the above error in this forum but have not found a solution as yet. I believe it is an incorrect SPN or forest-level trust. I have double-checked everything against the PCNS documentation and as far as we can tell it is correct.
Our set up is as follows:
Domain A - Windows 2008 R2 - PCNS installed on all DCs
Domain B - Windows 2008 R2 - PCNS DISABLED on all DCs
When PCNS starts it shows correctly that it is queuing requests as expected
FIM 2010 Synch Server is in Domain B
Outgoing Domain A trust to Domain B - Forest, Transitive =Yes
Incoming Domain A trust to Domain B - Forest, Transitive = Yes
FIM Server (service running under domainB\FIMService)
- Tools > Options: "Enable Password Synch" checked
- Domain A MA - enabled as password source, Domain B MA selected as target
- Domain B MA - enable password management selected
PCNS config in Domain A:
pcnscfg ADDTARGET /N:sso-fed-app2 /A:sso-fed-app2.bpo-shared-fim.ad.hp1.com /S:PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com /FI:"Domain Users" /FE:"Domain Admins" /F:1 /I:600 /D:False /WL:20 /WI:60
Targets
Target Name...........: SSO-FED-APP2
Target GUID...........: 10A7BDA1-873A-4DCC-AFCD-5C7941990684
Server FQDN or Address: sso-fed-app2.bpo-shared-fim.ad.hp1.com
Service Principal Name: PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com
Authentication Service: Kerberos
Inclusion Group Name..: CORP\Domain Users
Exclusion Group Name..: CORP\Domain Admins
Keep Alive Interval...: 600 seconds
User Name Format......: 1
Queue Warning Level...: 20
Queue Warning Interval: 60 minutes
Disabled..............: False
On Domain B I have set:
Setspn.exe -A PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com bpo-shared-fim\FIMService
Any help on this would be GREATLY appreciated.
Thanks, Vadiraj
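The error message lists four preconditions, and each can be checked from the Domain A DC rather than by eye. The script below is an added example, not part of Vadiraj's post or of the PCNS tooling; it checks the SPN format, whether exactly one account in the target domain holds the SPN, and the clock offset to the target host. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the DC, that the caller can read objects in Domain B over the trust, and that `bpo-shared-fim.ad.hp1.com` is the target domain to query (taken from the post's SPN; the `$TargetDomainDc` parameter is an assumption).

```powershell
# Added example (not from the original post): checks the four conditions named in the
# PCNS "password change notification target could not be authenticated" message.
# Defaults come from the post; the domain/DC to query is an assumption.
param(
    [string]$Spn            = 'PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com',
    [string]$TargetHost     = 'sso-fed-app2.bpo-shared-fim.ad.hp1.com',
    [string]$TargetDomainDc = 'bpo-shared-fim.ad.hp1.com'   # domain name or a DC in Domain B (assumed)
)
Import-Module ActiveDirectory -ErrorAction Stop

$problems = @()

# Condition 3: the SPN must be serviceclass/<fully qualified host name>, and that host
# must be the same FQDN PCNS was told to contact (the /A: value in pcnscfg).
$parts = $Spn -split '/'
if ($parts.Count -ne 2 -or $parts[1] -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    $problems += "SPN '$Spn' is not in serviceclass/fully-qualified-host form."
}
elseif ($parts[1] -ine $TargetHost) {
    $problems += "SPN host part '$($parts[1])' does not match the target FQDN '$TargetHost'."
}

# Conditions 1 and 2: exactly one account in the target domain must carry the SPN.
# Kerberos cannot issue a service ticket if the SPN is missing or held by two accounts.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                           -Server $TargetDomainDc -Properties sAMAccountName)
switch ($holders.Count) {
    0       { $problems += "No account in $TargetDomainDc holds SPN '$Spn'." }
    1       { Write-Host "SPN '$Spn' is registered on: $($holders[0].sAMAccountName)" }
    default {
        $names = ($holders | Select-Object -ExpandProperty sAMAccountName) -join ', '
        $problems += "SPN '$Spn' is duplicated on: $names"
    }
}

# Condition 4: Kerberos tolerates at most 5 minutes of skew. w32tm /stripchart prints one
# line per sample ending in the offset, e.g. "12:00:00, +00.0123456s".
$offsetSeconds = $null
$chart = & w32tm.exe /stripchart "/computer:$TargetHost" /samples:3 /dataonly 2>&1
foreach ($line in $chart) {
    if ($line -match '([+-]\d+\.\d+)s') { $offsetSeconds = [double]$Matches[1] }
}
if ($null -eq $offsetSeconds) {
    $problems += "Could not measure time offset to $TargetHost (w32tm output: $($chart -join ' '))."
}
elseif ([math]::Abs($offsetSeconds) -gt 300) {
    $problems += "Clock offset to $TargetHost is $offsetSeconds s; Kerberos requires less than 300 s."
}

if ($problems.Count -eq 0) {
    Write-Host 'All four PCNS authentication preconditions look satisfied.'
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it on the Domain A DC whose PCNS event log shows the error, since that is the host whose KDC has to locate the SPN through the forest trust. The duplicate check only covers the domain or DC passed in `-Server`; to look across the whole Domain B forest, point `-Server` at a global catalog (port 3268) or run `setspn -X -F` from a Domain B machine.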