FIM - Password change notification target could not be authenticated.

  • Question

  • Hi Team,

    I know that this issue has been reported a few times but none of them helped me resolve the problem. Please let me know if I missed anything.

    I have cross domain and forest structure. Domain A and Domain B (both with single DC and in separate forest). FIM is installed in Domain B. Domain A is the source for password changes.

    Followed the steps below to set up PCNS, referring to http://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx

    1. Installed PCNS on Domain A.
    2. Enabled the verbose logging on FIM sync in Domain B and AD in Domain A.
    3. Ensured the clock is in sync on all the servers.
    4. Name resolution is working fine from Domain A to B and vice versa.
    5. There is no firewall between the servers.
    6. Account used in Target MA has account operators + reset password rights
    7. PCNScfg list shows following result.
    Targets
      Target Name...........: fim-labmachine
      Target GUID...........: 3BA26260-4537-4B84-BAD3-B045F6SDERAD
      Server FQDN or Address: fim-labmachine.b.com
      Service Principal Name: PCNSCLNT/fim-labmachine.B.com
      Authentication Service: Kerberos
      Inclusion Group Name..: B\Domain Users
      Exclusion Group Name..: B\Domain Admins
      Keep Alive Interval...: 600 seconds
      User Name Format......: 1
      Queue Warning Level...: 20
      Queue Warning Interval: 60 minutes
      Disabled..............: False

    8. SETSPN -L for FIM Sync service account gives following result.
            PCNSCLNT/fim-labmachine.goglab.com
    9. Password synchronization is enabled in FIMSync
    10. Ensured that there is no duplicate SPNs
    11. Password source sync is enabled on source and destination as per the figure in the above-mentioned article.
    12. Though I don't think it was necessary, I have created a one-way external trust where Domain B trusts accounts from Domain A. It's validated and working fine.
    13. Also increased the "KdcWaitTime" to 60 seconds.
    14. Forest and domain functional level for both domains is the same.
    15. PCNS is installed only in the source AD.

    Error:
    Password Change Notification Service received an RPC exception attempting to deliver a notification. 
    The password change notification target could not be authenticated.
    .
    .
    0x00000721 - A security package specific error occurred.
    .
    .
    Status is -2146893053 - The specified target is unknown or unreachable.

    Tuesday, May 13, 2014 5:05 AM
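As an added check (not code from the post or from the linked TechNet article), the script below parses the `pcnscfg LIST` and `setspn -L` output quoted in the question and compares the two things those listings let you compare: whether the target's SPN host matches its server address, and whether that SPN is actually registered on the sync service account. The sample input is constructed from the values in the post; the service account name in the setspn header is a placeholder.

```python
import re

# Constructed sample input: the pcnscfg LIST block quoted in the post.
PCNSCFG_OUTPUT = """Targets
  Target Name...........: fim-labmachine
  Target GUID...........: 3BA26260-4537-4B84-BAD3-B045F6SDERAD
  Server FQDN or Address: fim-labmachine.b.com
  Service Principal Name: PCNSCLNT/fim-labmachine.B.com
  Authentication Service: Kerberos
  Inclusion Group Name..: B\\Domain Users
"""
# Constructed sample of `setspn -L <sync service account>`: the account name is a
# placeholder, the SPN line is the one quoted in the post.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=<sync-service-account>:
        PCNSCLNT/fim-labmachine.goglab.com
"""
# "Key....: value" rows; the dots are only column padding in pcnscfg's layout.
ROW = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\.*:\s*(?P<value>.*)$")

def parse_pcnscfg(text):
    """Return one dict per target block in `pcnscfg LIST` output."""
    targets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Target Name":          # each target block starts with its name
            targets.append({})
        if targets:
            targets[-1][key] = value
    return targets

def parse_setspn(text):
    """Return the SPNs listed by `setspn -L` (the indented lines containing '/')."""
    return [l.strip() for l in text.splitlines() if l.startswith(" ") and "/" in l]

def check_target(target, registered_spns):
    """Consistency checks for one PCNS target; returns a list of findings."""
    findings = []
    spn = target.get("Service Principal Name", "")
    address = target.get("Server FQDN or Address", "")
    host = spn.partition("/")[2]
    if target.get("Authentication Service", "").lower() != "kerberos":
        findings.append("target is not configured for Kerberos authentication")
    if host.lower() != address.lower():    # DNS names are case-insensitive
        findings.append(f"SPN host {host!r} differs from target address {address!r}")
    if spn.lower() not in {s.lower() for s in registered_spns}:
        findings.append(f"SPN {spn!r} is not registered on the sync service account")
    return findings
```

Run `check_target` over each target from `parse_pcnscfg` with the SPN list from `parse_setspn`; an empty list means the two listings agree.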

Answers