Password Sync from AD to AD LDS using FIM 2010 R2

  • Question

  • Hi all,

    I'm trying to sync passwords from AD to AD LDS. What I found about password sync is at the link below:

    https://technet.microsoft.com/en-us/library/jj590288%28v=ws.10%29.aspx

    In my LAB I have:

    1. DC Server for domain A

    2. ADLDS Server

    3. FIM server join to domain X

    For the lab, I want to test syncing DC users to AD LDS, including password sync. I have just completed AD user to AD LDS sync (without password sync).

    Basically I understand that the steps I need to do are:

    1. Install PCNS on DC Server for domain A

    2. SetSPN ???

    3. Configure FIM

    I do not really understand which SetSPN command I should use here in that case; can anyone help me please?

    Thanks a lot!

    Friday, April 10, 2015 10:43 AM

All replies

  • Check this:

    http://theidentityguy.blogspot.com/2013/09/password-synchronization-with-pcns.html


    AD LDS behaves the same as AD.


    Nosh Mernacaj, Identity Management Specialist

    Friday, April 10, 2015 1:02 PM
  • An SPN adds an entry in Active Directory saying that a specified service on a specified machine (for example HTTP on Server1 or PCNS on ServerFIM) is using a specified service account (Domain\WebsiteAccount or Domain\FIMSyncService).

    To create such a service principal name, use the SetSPN command. For FIM Sync and PCNS it would be:

    setspn -S PCNSCLNT/ServerFIM.domain.com Domain\FIMSyncService

    (the -S switch ensures that you are not creating a duplicate entry)

    Later, when configuring PCNS on the Domain Controller, use the same SPN:

    pcnscfg.exe ADDTARGET /N:FIMServer /A:ServerFIM.domain.com /S:PCNSCLNT/ServerFIM.domain.com /FI:"Domain Users" /FE:"Domain Admins" /f:3

    More about the SetSPN command and why it is used/needed:

    Service Principal Names (SPNs)

    SetSPN Syntax (Setspn.exe)


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Proposed as answer by Peter_Stapf Saturday, April 11, 2015 10:39 AM
    • Marked as answer by Kzb Monday, April 13, 2015 12:23 AM
    Saturday, April 11, 2015 9:16 AM
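    Before running the setspn and pcnscfg ADDTARGET commands from the answer above, it is worth checking that the PCNS client SPN is registered on exactly one account, and that it is the FIM Sync service account: a duplicate SPN makes Kerberos authentication fail, and an SPN sitting on the wrong account means PCNS would obtain a ticket for a principal other than FIM Sync. The script below is an added example, not from the thread or from Microsoft; it assumes the RSAT ActiveDirectory PowerShell module, uses the placeholder SPN and account name from the answer, and queries the domain the machine is joined to (for the asker's two-domain lab, add -Server with the domain that holds the service account).

```powershell
# Added example: verify the PCNS client SPN before registering it / adding the PCNS target.
# Assumes the ActiveDirectory module (RSAT); names below are placeholders from the thread.
Import-Module ActiveDirectory

$Spn             = "PCNSCLNT/ServerFIM.domain.com"   # SPN used with setspn -S and pcnscfg /S:
$ExpectedAccount = "FIMSyncService"                  # sAMAccountName of the FIM Sync service account

# Every object in the domain that currently has this SPN registered.
# @() forces an array so .Count is reliable for 0, 1 or many results.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties servicePrincipalName, sAMAccountName)

switch ($owners.Count) {
    0 {
        # Not registered yet: this is the expected state before the setspn step.
        Write-Host "SPN $Spn is not registered yet; register it on the service account with:"
        Write-Host "  setspn -S $Spn Domain\$ExpectedAccount"
    }
    1 {
        if ($owners[0].sAMAccountName -eq $ExpectedAccount) {
            Write-Host "OK: $Spn is registered on $ExpectedAccount; safe to run pcnscfg ADDTARGET with /S:$Spn"
        } else {
            # SPN exists but on a different account: PCNS would authenticate to the wrong principal.
            Write-Warning ("{0} is registered on '{1}', not on {2}. Move the SPN to the FIM Sync " +
                           "service account before configuring the PCNS target." -f
                           $Spn, $owners[0].sAMAccountName, $ExpectedAccount)
        }
    }
    default {
        # Duplicate SPN: Kerberos cannot choose a principal, so PCNS -> FIM authentication fails.
        Write-Warning ("Duplicate SPN: {0} is registered on {1} objects ({2}). Remove the stray " +
                       "registrations (setspn -D) before continuing." -f
                       $Spn, $owners.Count, ($owners.sAMAccountName -join ', '))
    }
}
```

    Run it once before the setspn command (expect the "not registered" branch) and once after (expect the OK branch); only then configure the target with pcnscfg ADDTARGET using the same /S: value.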
  • Thank you all for your help. I can see the password updated.

    One more quick question: how can I sync the password the first time I sync a user to the other AD?

    I am trying but haven't got any clues for this configuration.

    Thanks a lot!

    Sunday, April 12, 2015 5:25 PM
  • Hi Duc,

    You cannot sync the "current" password of users; PCNS (as its long name says) works only for password change and for reset. But you cannot send the current password as you don't know it (there is only a hashed version in AD).


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Proposed as answer by FIM Indian Friday, April 17, 2015 10:11 AM
    Sunday, April 12, 2015 7:54 PM
  • Thanks a lot Dom,

    You mean that we don't have any solution for that?

    Because I see that on-premise AD users and Office 365 users can sync the "current" password, so I thought we might have the same thing with FIM.

    Looks like it's a limitation and we cannot do it?

    Monday, April 13, 2015 12:23 AM
  • Hi Duc.

    Considering AD and O365: you have Active Directory here and in O365 also (Azure Active Directory), so DirSync can pass the hash into the cloud. Please refer to the How Password Sync Works section. You will find out how DirSync updates a password in the cloud.

    But we don't have such an option in FIM; with FIM you can only use PCNS, so the mechanics are different here. You can only use the PCNS service, which detects a password change, checks if the user should have it propagated and, if so, sends the password to FIM Sync, which can set this password in connected directories.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Marked as answer by Kzb Monday, April 13, 2015 8:13 AM
    Monday, April 13, 2015 8:11 AM