PCNS and FIM 2010

  • General discussion

  • So I am working to deploy/test PCNS in our FIM 2010 deployment, where the source domain for PWs is in one domain/forest, and it's trying to send to FIM MA in another domain, untrusted and not part of the forest. I'm getting errors from PCNS where it cannot reach the destination/target via RPC; DNS is in place and happy.


    I set the custom SPN per   -- in the source domain where PCNS is installed; do I need to place it in the destination domain as well? Or is the lack of a trust going to break the ability to use PCNS?

    Wednesday, November 2, 2011 8:48 PM

All replies

  • I'm pretty sure there has to be a trust between the PCNS forest and the FIM forest. I guess you've seen this list of PCNS resources?
    Wednesday, November 2, 2011 9:01 PM
  • Carol,

    That sure seems to be the case, but I can't find anywhere that it actually states that requirement... Any help there?

    Thursday, November 3, 2011 1:35 PM
  • The setup of PCNS requires configuration of service principal names (SPNs), which are used in Kerberos authentication.  I don't know that you could have Kerberos authentication without a trust in place.

    Ah, there we go...

    Forest Trusts

    Forest trusts are only required if PCNS and ILM 2007 are located in different forests. If this is the case, a forest-level trust must be established. This is required for Kerberos mutual authentication for the ILM 2007 server to accept the request from a remote forest host.


    Where PCNS is concerned, you can substitute FIM for MIIS or ILM in almost any online documentation you find.


    Friday, November 4, 2011 4:20 AM
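
The checks implied by the replies above, as an added example that is not part of the original thread or of Microsoft's documentation: it looks for a forest trust, looks up the target SPN, and tests RPC reachability from the PCNS side. The forest name, host name and the `PCNSCLNT` service class are constructed placeholders, and the script assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: run from a domain-joined host in the PCNS (source) forest.
# Every name below is a constructed placeholder, not a value from the thread.
Import-Module ActiveDirectory

$TargetForest = 'fim.example.test'             # root domain of the forest hosting the FIM server
$TargetHost   = 'fimsync01.fim.example.test'   # FIM synchronization server
$TargetSpn    = "PCNSCLNT/$TargetHost"         # SPN configured as the PCNS target

# 1. Forest trust: the quoted documentation requires one when PCNS and the
#    sync server are in different forests.
$trust = Get-ADTrust -Filter "Name -eq '$TargetForest'"
if (-not $trust) {
    Write-Warning "No trust object for $TargetForest in this domain."
} elseif (-not $trust.ForestTransitive) {
    Write-Warning "Trust to $TargetForest is not a forest trust."
} else {
    'Forest trust: {0} (direction: {1})' -f $trust.Name, $trust.Direction
}

# 2. SPN lookup in the target forest. Without a trust this bind is expected
#    to fail unless explicit credentials are supplied with -Credential.
try {
    $owner = Get-ADObject -Server $TargetForest -Properties servicePrincipalName `
        -Filter "servicePrincipalName -eq '$TargetSpn'"
    if ($owner) {
        "SPN $TargetSpn is registered on: $($owner.DistinguishedName -join '; ')"
    } else {
        Write-Warning "SPN $TargetSpn is not registered in $TargetForest."
    }
} catch {
    Write-Warning "Could not query ${TargetForest}: $($_.Exception.Message)"
}

# 3. RPC endpoint mapper reachability. DNS resolving correctly does not show
#    that TCP 135 is open between the forests.
$rpc = Test-NetConnection -ComputerName $TargetHost -Port 135 -WarningAction SilentlyContinue
'RPC endpoint mapper (TCP 135) reachable: {0}' -f $rpc.TcpTestSucceeded
```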