Password Sync from AD to AD LDS using FIM 2010 R2

Hi all,

I'm trying to sync passwords from AD to AD LDS, and what I found about password sync is at the link below:

https://technet.microsoft.com/en-us/library/jj590288%28v=ws.10%29.aspx

In my LAB I have:

1. DC Server for domain A

2. ADLDS Server

3. FIM server join to domain X

For the lab, I want to test syncing DC users to AD LDS, including password sync. I have just completed syncing AD users to AD LDS (without password sync).

Basically I understand that the steps I need to do are:

1. Install PCNS on DC Server for domain A

2. SetSPN ???

3. Configure FIM

I do not really understand which SetSPN command I should use here in that case; can anyone help me please?

Thanks a lot !

April 10th, 2015 6:45am

Check this:

http://theidentityguy.blogspot.com/2013/09/password-synchronization-with-pcns.html

AD LDS behaves the same as AD.

April 10th, 2015 9:04am

An SPN adds an entry in Active Directory stating that a specified service on a specified machine (for example HTTP on Server1 or PCNS on ServerFIM) is using a specified service account (Domain\WebsiteAccount or Domain\FIMSyncService).

To create such a service principal name, use the SetSPN command. For FIM Sync and PCNS it would be:

setspn -S PCNSCLNT/ServerFIM.domain.com Domain\FIMSyncService

(the -S switch ensures that you are not creating a duplicate entry)

Later, when configuring PCNS on the Domain Controller, use the same SPN (PCNSCLNT/ServerFIM.domain.com):

pcnscfg.exe ADDTARGET /N:FIMServer /A:ServerFIM.domain.com /S:PCNSCLNT/ServerFIM.domain.com /FI:"Domain Users" /FE:"Domain Admins" /f:3

More about the SetSPN command and why it is used/needed:

Service Principal Names (SPNs)

SetSPN Syntax (Setspn.exe)

April 11th, 2015 5:17am
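An added PowerShell check, not part of this thread, that verifies the SPN from the answer above before it is handed to pcnscfg /S:. It assumes the RSAT ActiveDirectory module, the SPN PCNSCLNT/ServerFIM.domain.com and the service account FIMSyncService from the answer, and that it is run on a domain-joined machine; a duplicate or missing SPN is the usual reason the PCNS to FIM Sync channel fails Kerberos authentication.

```powershell
# Added example (not from the thread): confirm the PCNS target SPN is registered
# exactly once, and on the intended FIM Sync service account.
# Names below are the assumed lab values from the answer above; adjust as needed.
Import-Module ActiveDirectory

$Spn            = 'PCNSCLNT/ServerFIM.domain.com'   # value passed to pcnscfg /S:
$ServiceAccount = 'FIMSyncService'                  # sAMAccountName of the FIM Sync account

# Find every object in the domain that carries this SPN. @() forces an array so
# .Count is reliable whether zero, one or many objects come back.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties servicePrincipalName, sAMAccountName)

if ($holders.Count -eq 0) {
    Write-Warning "SPN $Spn is not registered; PCNS cannot authenticate to FIM Sync until it is."
    Write-Host    "Register it with: setspn -S $Spn Domain\$ServiceAccount"
}
elseif ($holders.Count -gt 1) {
    # Two objects with the same SPN make the KDC unable to pick a key: Kerberos fails.
    Write-Warning "SPN $Spn is registered on more than one object:"
    $holders | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
}
else {
    $holder = $holders[0]
    if ($holder.sAMAccountName -ieq $ServiceAccount) {
        Write-Host "OK: $Spn is registered once, on $($holder.DistinguishedName)"
    }
    else {
        Write-Warning "SPN $Spn is on $($holder.DistinguishedName), not on $ServiceAccount."
    }
}

# Cross-check with the built-in tool: -Q queries for the SPN across the forest and
# reports duplicates the same way -S refuses to create them.
setspn -Q $Spn
```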

Thank you all for your help. I can see the password updated.

One more quick question: how can I sync the password the first time I sync a user to the other AD?

I am trying but haven't got any clues for this configuration.

Thanks a lot !

April 12th, 2015 1:27pm

Hi Duc,

You cannot sync the "current" password of users: PCNS (as its long name says) works only for password changes and resets. You cannot send the current password as you don't know it (there is only a hashed version in AD).

April 12th, 2015 3:56pm

Thanks a lot Dom,

You mean that we don't have any solution for that?

Because I see that on-premises AD users and Office 365 users can sync the "current" password, I thought we might have the same thing with FIM.

Looks like it's a limitation and we cannot do it?

April 12th, 2015 8:25pm

Hi Duc.

Considering AD and O365: you have Active Directory here and also in O365 (Azure Active Directory), so DirSync can pass the hash into the cloud. Please refer to the "How Password Sync Works" section; there you will find out how DirSync updates a password in the cloud.

But we don't have such an option in FIM. Using FIM you can only use PCNS, so the mechanics are different here: the PCNS service detects a password change, checks if the user should have it propagated and, if so, sends the password to FIM Sync, which can set this password in connected directories.

April 13th, 2015 4:13am
