Cross-forest PCNS issues

Hi,

We have 2 forests, ForestA and ForestB.

FIM is deployed in ForestA.

FIM is synchronising users from ForestB (via ForestB MA) to ForestA (via ForestA MA).

ForestA and ForestB are connected via a 2 way Kerberos Trust.

All firewalls have been disabled between the virtual machines.

In ForestB we have deployed PCNS and ran the following command: pcnscfg ADDTARGET /N:FIMServer /A:FIM01.forestA.com /S:PCNSCLNT:FIM01.forestA.com /FI:"Domain Users" /f:3

In ForestA we have registered the SPN as: setspn -A PCNSCLNT/FIM01.forestA.com ForestA\FIMSyncService

FIM is importing users from ForestB and successfully provisioning them in ForestA.

FIM is configured as follows:

  • FIM/Tools/Options/ Enable Password Synchronization is selected
  • ForestB MA is configured as the Password Synchronization source / with ForestA selected as the Target MA
  • ForestA MA / Configure Extensions / Enable Password Management is enabled

However, when a user changes their password in ForestB, event viewer on ForestB domain controller errors with:

Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be authenticated.

Additional Details:
 
Thread ID: 4300
Tracking ID: xxx...
User GUID: xxx...
User: FORESTB\test1
Target: FIMServer
Delivery Attempts: 60
Queued Notifications: 1
0x00000721 - A security package specific error occurred.
 
ProcessID is 2100
System Time is: 4/7/2014
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0

ProcessID is 2100
System Time is: 4/7/2014
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1461
Flags is 0
NumberOfParameters is 0

ProcessID is 2100
System Time is: 4/7/2014
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 141
Flags is 0
NumberOfParameters is 1
Long val: -1073

ProcessID is 2100
System Time is: 4/7/2014
Generating component is 3
Status is -1073
Detection location is 140
Flags is 0
NumberOfParameters is 4
Long val: 16
Long val: 6
Unicode string: PCNSCLNT/FIM01.FORESTA.COM
Long val: 681

Any ideas?


  • Edited by Shim Kwan Wednesday, April 09, 2014 8:40 AM
April 7th, 2014 10:42am

Hi!

You need to register the SPN to the account that's running FIM Sync like this.

setspn.exe -S PCNSCLNT/FIMSyncServer.ForestA ForestA\<FIM Sync ServiceAccount>

You can check the SPN with this command:

SETSPN -L FIMSyncService Service Account

Please Check this:

This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.

Please verify the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx#The_password_change_notification_target_could_not_be_authenticated

http://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx

/Robert


April 7th, 2014 4:44pm
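The four conditions in the answer above (SPN not registered, SPN registered more than once, SPN not using the target's FQDN, clock skew over five minutes) can all be checked from the ForestB domain controller that runs PCNS before a password change is attempted. The script below is an added example written for this thread, not part of the original posts or of the PCNS/FIM product; it assumes the thread's values (target FQDN FIM01.forestA.com, SPN PCNSCLNT/FIM01.forestA.com, target forest forestA.com) and a working two-way trust, and also checks DNS resolution of the target and reachability of the RPC endpoint mapper (TCP 135), which is the component behind the later "no more endpoints available" error in this thread.

```powershell
# Added example for this thread (not from the original posts or from PCNS).
# Run on the ForestB domain controller that hosts PCNS, as an account that can
# read the ForestA global catalog over the trust.
# All default values below are assumptions taken from the thread's setup.
param(
    [string]$TargetFqdn     = 'FIM01.forestA.com',          # pcnscfg ADDTARGET /A: value
    [string]$Spn            = 'PCNSCLNT/FIM01.forestA.com', # pcnscfg ADDTARGET /S: value
    [string]$TargetForest   = 'forestA.com',                # forest holding the FIM Sync account
    [int]   $MaxSkewSeconds = 300                           # Kerberos default clock tolerance
)

Import-Module ActiveDirectory
$findings = New-Object System.Collections.Generic.List[string]

# Condition 3: SPN format. PCNS builds the target name as PCNSCLNT/<FQDN>, so the
# host part must be the fully qualified name of the target, not a short name.
if ($Spn -notmatch '^PCNSCLNT/([^/]+)$') {
    $findings.Add("SPN '$Spn' is not of the form PCNSCLNT/<fqdn>")
} else {
    $hostPart = $Matches[1]
    if ($hostPart -notmatch '\.') { $findings.Add("SPN host '$hostPart' is not fully qualified") }
    if ($hostPart -ne $TargetFqdn) { $findings.Add("SPN host '$hostPart' differs from target FQDN '$TargetFqdn'") }
}

# Conditions 1 and 2: query the target forest's global catalog (port 3268) so the
# search covers every domain in that forest, then count accounts holding the SPN.
$holders = @(Get-ADObject -Server "$($TargetForest):3268" `
                          -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties servicePrincipalName, objectClass)
switch ($holders.Count) {
    0       { $findings.Add("SPN '$Spn' is not registered on any account in $TargetForest") }
    1       { Write-Host "SPN registered on: $($holders[0].DistinguishedName)" }
    default { $findings.Add("SPN '$Spn' is registered on $($holders.Count) accounts: " +
                             (($holders | ForEach-Object DistinguishedName) -join '; ')) }
}

# DNS: the name PCNS dials must resolve from this DC.
try {
    $addr = (Resolve-DnsName -Name $TargetFqdn -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
    Write-Host "$TargetFqdn resolves to $addr"
} catch {
    $findings.Add("DNS lookup of '$TargetFqdn' failed: $($_.Exception.Message)")
}

# RPC endpoint mapper: PCNS uses ncacn_ip_tcp, which starts with a call to TCP 135.
$epm = Test-NetConnection -ComputerName $TargetFqdn -Port 135 -WarningAction SilentlyContinue
if (-not $epm.TcpTestSucceeded) { $findings.Add("TCP 135 (endpoint mapper) on '$TargetFqdn' is not reachable") }

# Condition 4: clock offset between this DC and the target. w32tm prints lines like
# "12:00:00, +00.0123456s"; the signed number is the offset in seconds.
$chart = w32tm /stripchart /computer:$TargetFqdn /samples:1 /dataonly 2>&1 | Out-String
if ($chart -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt $MaxSkewSeconds) { $findings.Add("Clock skew to '$TargetFqdn' is ${skew}s (limit ${MaxSkewSeconds}s)") }
    else { Write-Host "Clock skew to ${TargetFqdn}: ${skew}s" }
} else {
    $findings.Add("Could not measure clock skew against '$TargetFqdn': $chart")
}

# Kerberos: ask the KDC for a service ticket to the SPN. KDC_ERR_S_PRINCIPAL_UNKNOWN
# here means the target realm's KDC cannot map the SPN to an account.
$klist = klist get $Spn 2>&1 | Out-String
if ($klist -match 'KDC_ERR_S_PRINCIPAL_UNKNOWN|0x7\b') {
    $findings.Add("KDC returned KDC_ERR_S_PRINCIPAL_UNKNOWN for '$Spn'")
} elseif ($klist -notmatch [regex]::Escape($Spn)) {
    $findings.Add("No service ticket obtained for '$Spn':`n$klist")
}

if ($findings.Count -eq 0) { Write-Host 'All PCNS target checks passed.' }
else { Write-Warning ("PCNS target problems found:`n - " + ($findings -join "`n - ")) }
```

The global-catalog search is what makes the duplicate-SPN check meaningful across a multi-domain forest; `setspn -L` only shows one account's SPNs and `setspn -Q` without a forest-wide option only covers the current domain. The `klist get` step reproduces the same request PCNS makes, so a KDC error here points at SPN registration or referral rather than at the PCNS configuration itself.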

Hi,

I have reviewed every single setting, and walked through your links. Nothing. I restarted the FIM Sync Server, and now get the following errors:

Password Change Notification Service received an RPC exception attempting to deliver a notification.
The password change notification target could not be contacted.
User Action:
The target server may not be running. Verify that the target server is running.
Additional Details:
Thread ID: 1264
Tracking ID: xxx...
User GUID: xxx...
User: FORESTB\test1
Target: FIMServer
Delivery Attempts: 123
Queued Notifications: 22
0x000006D9 - There are no more endpoints available from the endpoint mapper.
 
ProcessID is 1364
System Time is: 4/9/2014
Generating component is 2
Status is 1753 - There are no more endpoints available from the endpoint mapper.
Detection location is 501
Flags is 0
NumberOfParameters is 4
Unicode string: ncacn_ip_tcp
Unicode string: FIM01.FORESTA.COM
Long val: -647
Long val: 382

Additionally found this in System log...which might be the source of the problem?

A Kerberos error message was received:

 on logon session

 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN

 Extended Error: 0xc0000035 KLIN(0)

 Client Realm:

 Client Name:

 Server Realm: FORESTA.COM

 Server Name: PCNSCLNT/FIM01.FORESTA.COM

 Target Name: PCNSCLNT/FIM01.FORESTA.COM@FORESTA.COM

 Error Text:

 File: 9

 Line: 12be

 Error Data is in record data.



  • Edited by Shim Kwan Wednesday, April 09, 2014 8:39 AM
April 9th, 2014 6:21am

Could you show us your pcnscfg settings? Were there any errors when you added the target? 
April 9th, 2014 9:06am

Sure, here it is:

Targets
  Target Name...........: FIMServer
  Server FQDN or Address: FIM01.FORESTA.COM
  Service Principal Name: PCNSCLNT/FIM01.FORESTA.COM
  Authentication Service: Kerberos
  Inclusion Group Name..: FORESTB\Domain Users
  Exclusion Group Name..:
  Keep Alive Interval...: 0 seconds
  User Name Format......: 3
  Queue Warning Level...: 0
  Queue Warning Interval: 30 minutes
  Disabled..............: False

Not sure if I mentioned this, but all the Domain Controllers are Windows Server 2012.

FIM 2010 R2 build 4.1.3508.0 is running on Windows 2012 too.
April 9th, 2014 11:37am

Hi!

Most likely this is the same problem as in this thread http://social.technet.microsoft.com/Forums/en-US/d3746e05-ec6e-4886-8ac4-c40ebda36097/pcns-the-password-change-notification-target-could-not-be-authenticated?forum=ilm2

This might be more of a DC/DNS issue.

/Robert

April 9th, 2014 1:36pm

Unfortunately we could not get this resolved and are going to recreate the VMs from scratch.
April 14th, 2014 7:09am

VMs recreated. Followed the same PCNS deployment guide. Things are now working.
April 23rd, 2014 12:59am

Hi!

Good to hear that.

/Robert

April 23rd, 2014 9:45am

Thank you for everyone's help in the matter!
April 23rd, 2014 10:22am
