Unable to establish PAM Trust

  • Question

  • Hi,

    Busy working through https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corp-forests. 

    Just got to the part where I need to establish the PAM Trust - everything thus far has passed successfully.

    I log on to PAMSrv as Domain Admin.

    This cmdlet works fine (credentials provided are for the Corp forest, as Admin):

    $ca = get-credential
    New-PAMTrust -SourceForest "contoso.local" -Credentials $ca


    This one, however, does not work (credentials provided are for the Corp forest, as Admin - same as above):

    $ca = get-credential
    New-PAMDomainConfiguration -SourceDomain "contoso" -Credentials $ca

    I am using the same credentials for both...why would it work for one cmdlet and not the other? Are the steps in the guide incorrect?


    • Edited by Shim Kwan Sunday, September 4, 2016 9:44 PM
    Friday, September 2, 2016 4:44 AM

Answers

All replies

  • Does anyone have another PAM deployment guide, that they know works?
    Friday, September 2, 2016 10:51 PM
  • Hi,

    Just wondering if anyone out there (from MS) is scanning these forums and can help out?

    We got a MS PAM POC to complete, and we can't get past this hiccup...

    Thanks in advance

    Wednesday, September 7, 2016 6:45 AM
  • Hi,

    IIRC, I had this problem when I installed the product under one admin account and then tried to perform the PS commands using a legitimately good domain admin account. Now that I think of it, I may have been working with a release before RTM -- not sure, it was a blurry time.

    Anyway, run:

    Test-PAMTrust -SourceForest "contoso.local" -credentials $ca   #should report True

    Test-PAMDomainConfiguration -SourceDomain "contoso" -credentials $ca #should report SID history is enabled, SID filtering is off and CONTOSO$$$ group exists.

    If that is OK then you can continue. Fix SID history and SID filtering if it doesn't return the correct values.

    You should then be able to continue with the setup... grant AD read permissions to CONTOSO users and groups to the PRIV administrators and monitoring service, then set up your PAM group, PAM user, etc.

    If you are still stuck, consider patching up to the latest release of MIM. In one situation, a patch fixed a PAM problem we were hitting.

    Lastly, we walk through the full install and configuration of PAM in the MIM 2016 Handbook.

    Best,

    Jeff Ingalls

    Friday, September 9, 2016 2:02 AM
  • Hi,

    Have patched MIM to Build 4.3.2266.0: KB3171342.

    I am able to successfully execute the following commands (as taken from the PAM FAQ http://tinyurl.com/jyubrc7)

    netdom trust corp.com /domain:priv.local /userO:CORP\administrator /passwordo:password_here /add

    netdom trust corp.com /domain:priv.local /EnableSIDHistory yes /userO:CORP\administrator /passwordO:password_here

    netdom trust corp.com /domain:priv.local /Quarantine no /userO:CORP\administrator /passwordO:password_here

    I had to run these as neither the 'New-PAMTrust' nor the 'New-PAMDomainConfiguration' cmdlets work - they both fail with 'the specified forest/domain does not exist or cannot be contacted'.

    Running 'netdom' manually works.

    Establishing the domain trust using 'AD Domains and Trusts' also works. Just the PAM cmdlets fail.

    Even though netdom commands work, the 'Test-PAMTrust' and 'Test-PAMDomainConfiguration' cmdlets still fail.

    I was able to complete part of the PAM lab.

    - I was able to browse to "\\corpwkstn\corpfs" as Jen

    - I was NOT able to open "http://pamsrv.priv.contoso.local:8090" - and got a '403 - Forbidden: Access is denied' message for Jen.

    What the Microsoft lab is missing, however, is how MIM fits into the picture - how do people use the MIM Portal for PAM scenarios?

    Look forward to hearing from anyone around this topic.

    Thank you

    Monday, September 12, 2016 4:33 AM
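An added check script (not from this thread, and not one of Microsoft's PAM cmdlets) that verifies independently what Jeff's Test-PAMTrust / Test-PAMDomainConfiguration calls report on and what the netdom commands above set, using the ActiveDirectory and DnsClient modules from PAMSrv. Forest names are taken from the netdom commands; the mapping of netdom /EnableSIDHistory to the SIDFilteringForestAware trust property is my assumption.

```powershell
# Added example: verify PAM trust prerequisites without the PAM cmdlets.
# Run on PAMSrv (PRIV forest) with RSAT installed. Names follow the netdom
# commands in the thread; change them for your forests.
param(
    [string]$CorpDomain  = 'corp.com',    # CORP (source) forest DNS name
    [string]$CorpNetbios = 'CORP',        # CORP NetBIOS name (used for the CORP$$$ group)
    [string]$PrivForest  = 'priv.local',  # PRIV forest, the trusted side
    [pscredential]$CorpCred = (Get-Credential -Message 'CORP admin credential')
)
Import-Module ActiveDirectory
$results = [ordered]@{}

# 1. "domain does not exist or cannot be contacted" is commonly name resolution:
#    PAMSrv must locate CORP domain controllers through the _ldap SRV record.
$srvKey = "DC SRV record for $CorpDomain resolves from this host"
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$CorpDomain" -Type SRV -ErrorAction Stop
    $results[$srvKey] = @($srv | Where-Object Type -eq 'SRV').Count -gt 0
} catch { $results[$srvKey] = $false }

# 2. The trust object lives in CORP (CORP trusts PRIV), so read it from a CORP DC.
$trust = Get-ADTrust -Filter "Target -eq '$PrivForest'" -Server $CorpDomain `
                     -Credential $CorpCred -ErrorAction SilentlyContinue
$results["Trust $CorpDomain -> $PrivForest exists"] = [bool]$trust
if ($trust) {
    # netdom /Quarantine no        <-> SIDFilteringQuarantined must be False
    # netdom /EnableSIDHistory yes <-> SIDFilteringForestAware (TREAT_AS_EXTERNAL) True;
    #   this second mapping is an assumption of the example, not stated in the thread.
    $results['Trust direction is Outbound or BiDirectional'] =
        "$($trust.Direction)" -in @('Outbound', 'BiDirectional')
    $results['SID filtering (quarantine) is off'] = -not $trust.SIDFilteringQuarantined
    $results['SID history is enabled on the trust'] = [bool]$trust.SIDFilteringForestAware
}

# 3. The NetBIOS$$$ group that PAM expects in CORP for SID history must exist.
$groupName = "$CorpNetbios`$`$`$"
try {
    $grp = Get-ADGroup -Identity $groupName -Server $CorpDomain -Credential $CorpCred -ErrorAction Stop
    $results["Group $groupName exists in $CorpDomain"] = [bool]$grp
} catch { $results["Group $groupName exists in $CorpDomain"] = $false }

# Report: any FAIL line is the prerequisite to fix before New-PAMDomainConfiguration.
foreach ($k in $results.Keys) {
    $tag = if ($results[$k]) { 'PASS' } else { 'FAIL' }
    Write-Output ('[{0}] {1}' -f $tag, $k)
}
```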
  • MIM Portal would be used for the administration of PAM. End users would perform PAM functionality via PowerShell or a custom application. There is a sample demo of a custom PAM portal you can download at http://bit.ly/CustomPAMPortal. See also MIM PAM FAQ.

    Best,

    Jeff Ingalls

    • Marked as answer by Shim Kwan Tuesday, September 20, 2016 2:37 AM
    Wednesday, September 14, 2016 2:13 AM
  • Thanks Jeff, and in order for an end user to access and use the Sample PAM Portal, I assume they will just need a browser and do not need the PAM cmdlets deployed on their workstation?
    Thursday, September 15, 2016 3:32 AM
  • Correct. You can use PowerShell cmdlets or implement a PAM Portal like the sample download.

    Best,

    Jeff Ingalls

    Saturday, September 17, 2016 1:52 AM
  • Excellent, thank you
    Tuesday, September 20, 2016 2:37 AM