Password Sync Problem after applying Patch 4.1.3613.0

  • Question

  • We are having a password sync problem after putting on hotfix 4.1.3613.0 (http://support.microsoft.com/kb/3011057). Originally we were on 4.1.3441.0. We put on 2 patches to bring us to the latest patch: Patch 4.1.3510.0, then 4.1.3613

    Structure of AD is

    company.com Forest

                    d1.company.com Domains

                    D2.company.com Domains

    FIM Sync is in d1.company.com

    All the accounts from d1.company.com are syncing. The accounts from d2.company.com are failing.

    We receive the error 6914 The connection from a password notification source failed because it is not a Domain Controller service account.

    In the notes on the hotfix

    Issues that are fixed or features that are added in this update

    This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

    Password Change Notification Service (PCNS)

    Issue 1

    The following error message is logged:

    6914 The connection from a password notification source failed because it is not a Domain Controller service account.


    After you install this fix, adding a backslash character to a domain name causes the function to return the domain controller Security Identifier (SID) instead of an empty user SID

    Error in FIM SYNC

    6914 error

    The connection from a password notification source failed because it is not a Domain Controller service account.

    Domain: d2.company.com

    Server: x.x.x.x

    6915 error

    An error has occurred during authentication to the password notification source.

     "ERR_: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11691): gethostbyaddr failed with 0x2afc

    BAIL: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11693): 0x80004005 (Unspecified error)

    BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(316): 0x80070534 (No mapping between account names and security IDs was done.): Win32 API failure: 1332

    BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(570): 0x80070534 (No mapping between account names and security IDs was done.)

    Forefront Identity Manager 4.1.3613.0"

    The error we are getting when a user from d2.company.com tries a sync

    ERROR IN PCNS

    Log Name:      Application
    Source:        PCNSSVC
    Date:          3/10/2015 9:19:08 AM
    Event ID:      6025
    Task Category: (4)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      box.d2.company.com
    Description:
    Password Change Notification Service received an RPC exception attempting to deliver a notification.  
    Thread ID: 3704 
    Tracking ID: 19657b31-4547-4f18-94c3-e85adc1d0700 
    User GUID: 99de63a6-9e09-4906-9515-bb4ba0a2c5d6 
    User: LOCB\user 
    Target: FIMProd1 
    Delivery Attempts: 1135 
    Queued Notifications: 1 
    0x00000005 - Access is denied.

    LOCB netbios resolves to d2.company.com

    LOCA netbios resolves to d1.company.com

    C:\>setspn -l LOCA\_FIMSyncService

    Registered ServicePrincipalNames for CN=_FIMSyncService,OU=Sec,OU=SA,OU=Resource Management,DC=d1,DC=company,DC=com:

            PCNSCLNT/fim2

            PCNSCLNT/fim2.d1.company.com

            PCNSCLNT/fim1

            PCNSCLNT/fim1.d1.company.com

    --------------------------------------------------------------------------------------

    C:\Program Files\Microsoft Password Change Notification>pcnscfg list

    Service Configuration

      MaxQueueLength........: 0

      MaxQueueAge...........: 345600 seconds

      MaxNotificationRetries: 0

      RetryInterval.........: 60 seconds

    Targets

      Target Name...........: FIMProd1

      Target GUID...........: 4C72BA98-8414-476B-80BF-6D9045EFCF39

      Server FQDN or Address: fim1.d1.company.com

      Service Principal Name: PCNSCLNT/fim1.d1.company.com

      Authentication Service: Kerberos

      Inclusion Group Name..: LOCB\Domain Users

      Exclusion Group Name..:

      Keep Alive Interval...: 0 seconds

      User Name Format......: 3

      Queue Warning Level...: 0

      Queue Warning Interval: 30 minutes

      Disabled..............: False

    Total targets: 1

    The password sync has been working for years; now this is throwing this error. Does anyone have clues to the problem with the Hotfix?

    We have looked at trying to resolve 6025 errors using http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx but there are no issues here.


    • Edited by Robin Lilly Tuesday, March 10, 2015 7:18 PM
    Tuesday, March 10, 2015 7:05 PM
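
The check that the `setspn -l` and `pcnscfg list` output above supports, as an added example that is not part of the original post: the SPN configured on each PCNS target has to be one of the SPNs registered on the FIM Synchronization Service account, and the target must not be disabled. The function names are hypothetical, and the sample input is constructed from the output in the post (blank lines dropped, wrapped DN joined, unrelated fields omitted).

```python
import re

# Constructed input: command output copied from the post above, blank lines
# dropped and the wrapped DN joined; unrelated fields omitted.
PCNSCFG_LIST = """\
Targets
  Target Name...........: FIMProd1
  Server FQDN or Address: fim1.d1.company.com
  Service Principal Name: PCNSCLNT/fim1.d1.company.com
  Authentication Service: Kerberos
  Disabled..............: False
Total targets: 1
"""
SETSPN_L = """\
Registered ServicePrincipalNames for CN=_FIMSyncService,OU=Sec,OU=SA,OU=Resource Management,DC=d1,DC=company,DC=com:
        PCNSCLNT/fim2
        PCNSCLNT/fim2.d1.company.com
        PCNSCLNT/fim1
        PCNSCLNT/fim1.d1.company.com
"""

def parse_targets(text):
    """Split `pcnscfg list` output into one dict per target."""
    targets = []
    for line in text.splitlines():
        # Indented "Key.....: value" rows; the dot padding is optional.
        m = re.match(r"\s+([A-Za-z ]+?)\.*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Target Name":
            targets.append({})
        if targets:  # rows before the first target are service settings
            targets[-1][key] = value
    return targets

def parse_spns(text):
    """SPNs from `setspn -l` output, lower-cased (SPN matching ignores case)."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln[:1].isspace() and "/" in ln}

def audit(pcnscfg_text, setspn_text):
    """Map each target name to a list of findings; empty means consistent."""
    spns, report = parse_spns(setspn_text), {}
    for t in parse_targets(pcnscfg_text):
        findings = []
        spn = t.get("Service Principal Name", "")
        if spn.lower() not in spns:
            findings.append(f"SPN {spn} is not registered on the service account")
        if t.get("Disabled", "False").lower() == "true":
            findings.append("target is disabled")
        report[t["Target Name"]] = findings
    return report

if __name__ == "__main__":
    print(audit(PCNSCFG_LIST, SETSPN_L))
```

For the output posted here the check returns no findings for FIMProd1.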

All replies

  • Spent morning on phone with Microsoft Support. Apparently patch 4.1.3627.0 and 4.1.3613.0 both introduce this bug. Microsoft is aware of it and is working on a fix. NO ETA. DON'T PUT THESE PATCHES ON YOUR BOX. Unless you want a major headache.

    We are dead in the water and backing off the FIM Sync is probably not an option. This has been given as our alternatives. Microsoft's reply:

      • The issue you are facing with the PCNS is already reported as a known issue with build 4.1.3613.0.
      • The Product group is working on this issue, and it is expected to be fixed in the next hotfix.
      • Right now we don’t have an ETA on the release of the next hotfix.
      • To work around this issue:
        1. Revert the FIM to the previous build.
        2. Wait till the next hotfix is released.

    We would have never put this patch on if the Patch said it introduces these new problems.


    • Edited by Robin Lilly Wednesday, March 11, 2015 6:17 PM
    Wednesday, March 11, 2015 6:16 PM
  • Microsoft has a patch for this now so just call Premier Support or wait another week and it should be released.  The new patch fixed my issue.
    Wednesday, April 29, 2015 4:59 PM
  • Microsoft has a patch for this now so just call Premier Support or wait another week and it should be released.  The new patch fixed my issue.

    http://social.technet.microsoft.com/wiki/contents/articles/13394.microsoft-identity-software-public-release-build-versions.aspx#FIMR2

    Released today:

    http://support.microsoft.com/kb/3048056



    Thursday, April 30, 2015 7:51 PM
  • Robin,

    While the error messages listed in https://support.microsoft.com/en-us/kb/3048056 don't line up exactly with what you are seeing, the new hotfix might be worth a shot (as Dominik suggests) or, if possible, reverting to your old build.

    Dave W: Did your errors line up with Robin's or the KB's?


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Friday, May 1, 2015 3:17 PM