Password Synchronization

  • Question

  • I am trying to configure password synchronization for my organization. We have two domains, research and hospital. Each domain contains user accounts and admin accounts that join in the FIM metaverse; they do not join cross domain. We have successfully implemented password synchronization for the Hospital domain but cannot seem to get it working for the research domain. My question is for the SPN on PCNS: would we need separate SPNs on each domain even if the SPN we are using on the hospital domain is registered forest-wide?

    Thursday, March 13, 2014 5:27 PM

Answers

  • I agree with this. There's no problem doing what you're trying to do. And no, you don't need two SPNs, you can have one SPN configured and point the PCNS service from both domains at that SPN and I haven't seen any problems with doing that.

    Someone mentioned Bi-Directional can't be done as well. It's not officially supported, I believe, but it can be done: Link.


    Thursday, March 27, 2014 10:01 PM

All replies

  • We have successfully implemented password synchronization for the Hospital domain but cannot seem to get it working for the research domain.

    So you have got PCNS working from Hospital -> Research and now you are trying to configure it for Research -> Hospital? If this is the case, bi-directional password sync isn't supported as it can cause an infinite loop of password resets. It would be better to revise your requirements in this case.

    You only need to set your SPNs in the domain hosting FIM.

    If need be you can turn on event logging by adding some keys to the registry as per: http://social.technet.microsoft.com/wiki/contents/articles/3782.pcns-logging.aspx

    Friday, March 14, 2014 12:09 AM
  • We have password synchronization working between (Hospital user account) -> (Hospital Admin account). I need to configure (Research user accounts) -> (Research admin accounts). We have a hospital MA and a hospital admin MA provisioning/joining accounts, same with the research domain.

    In our dev environment I created a research admin account for myself and joined it to my FIM object. I reset my hospital password and it was pushed to both my joined Hospital and Research admin accounts. That said if I reset my research account password I don't think the change notification is being sent because it is not pushed to the linked admin account.

    Friday, March 14, 2014 11:21 AM

  • I'm assuming that the FIM Sync Server is sitting within the hospital domain as well since password sync is working. If the password source (Research) is in a separate forest to the Sync Server you'll need a two way forest trust to get this working. (can be done with one way: http://theidentityguy.blogspot.com.au/2013/09/password-synchronization-with-pcns.html)

    Did you run through pcnscfg in the research domain and add the sync service as a target? (You may have seen some errors here if it couldn't find the SPN)

    But I'm still doing a lot of guessing. Perhaps you can expand on your environment and what you've done so far to get this working.


    Monday, March 17, 2014 1:30 AM
  • We have a forest root domain with two child domains, Hospital and Research. PCNS is configured on both of the domains; see below for configuration. The Address and SPN are the same for research and hospital, the address being the server name that the FIM sync manager is installed on. The SPN is registered forest-wide as well.

    Default Service Configuration
     MaxQueueLength.......: 0
     MaxQueueAge...........: 259200 seconds
     MaxNotificationRetries: 0
     RetryIntervals...........: 60 seconds

    Targets
     TargetName..................: PCNSCRI
     Target GUID.................: C059B032-B0C8-185D-BED8-9B139344CBD1
     Server FQDN or Address:
     Service Principal Name..:
     Authentication Service...: Kerberos
     Inclusion Group Name...: DEVRESEARCH\Domain Users
     Exclusion Group Name..:
     Keep Alive Interval.......: 0 seconds
     User Name Format.......: 3
     Queue Warning Level....: 0
     Queue Warning Interval: 30 minutes
     Disabled.....................: False

    ------------------------------------------------------------------------------

    Default Service Configuration
     MaxQueueLength.......: 0
     MaxQueueAge...........: 259200 seconds
     MaxNotificationRetries: 0
     RetryIntervals...........: 60 seconds

    Targets
     TargetName.................: PCNSCHI
     Target GUID................: F603F2F8-0241-4033-B21B-35AC00B56FA8
     Server FQDN or Address:
     Service Principal Name..:
     Authentication Service...: Kerberos
     Inclusion Group Name...: DEVHospital\Domain Users
     Exclusion Group Name..:
     Keep Alive Interval.......: 0 seconds
     User Name Format.......: 3
     Queue Warning Level...: 0
     Queue Warning Interval: 30 minutes
     Disabled.....................: False


    Tuesday, March 25, 2014 12:27 PM
  • On Fri, 14 Mar 2014 11:21:07 +0000, Donald.Ferguson wrote:

    In our dev environment I created a research admin account for myself and joined it to my FIM object. I reset my hospital password and it was pushed to both my joined Hospital and Research admin accounts. That said if I reset my research account password I don't think the change notification is being sent because it is not pushed to the linked admin account.

    As with Cameron I'm still a little confused as to what the goal is here.
    With PCNS you can only have a single source for password resets. So if your
    goal is:

    1. Single person.
    2. Normal user account in Hospital domain.
    3. Admin user account in Hospital domain.
    4. Normal user account in Research domain.
    5. Admin user account in research domain.

    If you want the ability to change the password for either 2, 3, 4, or 5 and
    have it synched to the other 3 accounts (IOW change the password on any
    of your 4 accounts and have it synched to the other 3) that simply isn't
    possible as that means you've got more than one source.


    Paul Adare - FIM CM MVP
    [Seedless consumer fruits] really have imaginary seed. If you rotate a
    seedless fruit 90°, you get a fruitless seed. This can provide hours of
    fun.
    -- Erik Naggum

    Tuesday, March 25, 2014 1:00 PM
  • Hello Paul,

    Sorry for the confusion, in our environment you either work for the hospital or research.

    What I am trying to accomplish is hospital account passwords sync with the hospital admin accounts. Research accounts sync with the research admin accounts.

    We would never have a scenario where a hospital user's password would sync with anything research. I mentioned that I have created and joined my account to a research admin account; this was only to make sure I had everything configured in the sync service manager correctly.

    Since that test was successful, it led me to believe that when a research user resets their password we are not receiving the change notification, because the password does not sync to its research admin account.



    Wednesday, March 26, 2014 11:43 AM
  • On Wed, 26 Mar 2014 11:43:22 +0000, Donald.Ferguson wrote:

    What I am trying to accomplish is hospital account passwords sync with the hospital admin accounts. Research accounts sync with the research admin accounts.

    We would never have a scenario where a hospital user's password would sync with anything research. I mentioned that I have created and joined my account to a research admin account; this was only to make sure I had everything configured in the sync service manager correctly.

    Since that test was successful, it led me to believe that when a research user resets their password we are not receiving the change notification, because the password does not sync to its research admin account.

    Ok, now I see what you're trying to do, and while I dabble in FIM, I'm not
    an expert (I specialize in FIM CM) but I don't think that you're going to
    be able to do what you want to do with a single instance of FIM. PCNS is
    designed to have a single authoritative source for passwords and while I
    know that from your perspective you think you do Hospital=>Hospital and
    Research=>Research, from my perspective you're really configuring 2 primary
    sources. I can't think of any way to scope the synch down to
    Hospital=>Hospital and Research=>Research.

    Hopefully someone with more experience than I have can give you a
    definitive answer now that your requirement is a little more clear.


    Paul Adare - FIM CM MVP
    "One Code to rule them all, one Code to bind them
    In the land of Redmond where the Shadows lie." -- Joe Thompson

    Wednesday, March 26, 2014 11:55 AM
  • You can work with multiple primary sources in PCNS, this works fine. I would suggest enabling PCNS logging and tracking down what's actually happening. http://social.technet.microsoft.com/wiki/contents/articles/3782.pcns-logging.aspx

    In the past I've always added multiple SPNs for each source, but I don't know if that's actually necessary. After you've enabled verbose logging follow these steps:

    • Reset user password
    • Check event log on the DC to make sure PCNS delivered the password to FIM
    • Check event log on the FIM box, make sure the password was delivered to all targets

    If any errors occur along the way this should give you some more information about where it's actually failing. My only real concern is delivering password changes back to the same domain. Even though it is through a separate MA, PCNS will still capture the password set for the admin account and send it to FIM. (FIM should just ignore this, but still worth testing)

    Thursday, March 27, 2014 1:07 AM
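    The three-step check above (reset, look on the DC, look on the FIM server) plus the SPN question from the original post can be run from one PowerShell session. The script below is an added example, not code from the thread or from the PCNS/FIM product; the hostnames and the SPN value are placeholders, and the event source names `PCNS` (on the DC) and `FIMSynchronizationService` (on the sync server) are assumptions to adjust if your logs use different provider names. It uses `setspn -Q` to confirm the SPN is registered once in the forest and `Get-WinEvent` to pull the recent PCNS and sync-service events side by side so you can see where the notification stops.

```powershell
# Added example (not from the thread). Placeholders and assumptions:
#   $Spn       - the SPN both PCNS targets point at (placeholder value)
#   $Dc        - a DC in the source domain, e.g. Research (placeholder)
#   $FimServer - the FIM Synchronization Service host (placeholder)
#   Event provider names 'PCNS' and 'FIMSynchronizationService' are assumed.
param(
    [string]$Spn       = 'PCNSCLNT/fimsync.example.corp',
    [string]$Dc        = 'dc01.research.example.corp',
    [string]$FimServer = 'fimsync.example.corp',
    [int]$Minutes      = 30   # look back this far, i.e. since the test reset
)

# 1. SPN check: setspn -Q searches the whole forest, so a forest-wide
#    registration is visible from any domain. One hit is what you want;
#    "No such SPN found" or a duplicate means Kerberos auth from PCNS
#    to the sync service will fail before any password is delivered.
Write-Host "== SPN lookup for $Spn =="
$spnResult = setspn -Q $Spn 2>&1
$spnResult | ForEach-Object { Write-Host "  $_" }
if ($spnResult -match 'No such SPN found') {
    Write-Warning "SPN $Spn is not registered; PCNS targets using it cannot authenticate."
}

$since = (Get-Date).AddMinutes(-$Minutes)

# 2. DC side: did PCNS capture the reset and attempt delivery?
#    Assumed provider name 'PCNS' in the Application log.
$dcEvents = @(Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'PCNS'; StartTime = $since
} -ErrorAction SilentlyContinue)

# 3. Sync server side: was the notification received and pushed to targets?
#    Assumed provider name 'FIMSynchronizationService'.
$fimEvents = @(Get-WinEvent -ComputerName $FimServer -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'FIMSynchronizationService'; StartTime = $since
} -ErrorAction SilentlyContinue)

if ($dcEvents.Count -eq 0) {
    Write-Warning "No PCNS events on $Dc since $since. Either the reset was not captured (PCNS filter/inclusion group) or verbose logging is not enabled."
}
if ($fimEvents.Count -eq 0) {
    Write-Warning "No sync-service events on $FimServer since $since. Delivery from the DC may be failing (SPN/trust) rather than the push to targets."
}

# One merged timeline makes it obvious at which hop the notification stops.
($dcEvents + $fimEvents) |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, MachineName, ProviderName, Id, LevelDisplayName,
                  @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

    Run it from a workstation that has read access to both Application logs, right after the test reset of a Research user, so the time window only contains the notification under test. Any Error-level event in the DC half points at delivery (SPN, trust or pcnscfg target), while errors only on the sync-server half point at the target MA or the password extension.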
  • Great conversation here. If anybody has any good solutions, please write them up as a Wiki article: http://social.technet.microsoft.com/wiki/contents/articles/23330.technet-guru-contributions-for-march.aspx

    Thanks!


    Ed Price, Power BI & SQL Server Customer Program Manager (Blog, Small Basic, Wiki Ninjas, Wiki)

    Answer an interesting question? Create a wiki article about it!

    Thursday, March 27, 2014 2:28 AM
    Moderator