PCNSSVC 'Access Denied' error message

  • Question

  • Hi all,

    One of my customers is evaluating MIIS and we're trying the following password synchronization scenario:

    DC1 (in domain A, forest A) sends password change notifications to target DC2 (in domain B, forest B). MIIS is installed in forest B and we've already established a two-way trust between the two domains.

    1 - For PCNS to work in this scenario, do we need to setspn in domain A? For what account?

     (We have only established SPN for the MIIS service account on domain B)

    2 - On domain A, what is the most appropriate service account for the PCNSSVC service? And what are the required privileges for this account (a) on the source domain (b) on the target domain and (c) on the target MIIS server.

    Right now, with maximum logging, the PCNS service is recording an Access Denied error message that I suspect could be related to Kerberos auth.

    Event Type: Error
    Event Source: PCNSSVC
    Event Category: Error
    Event ID: 6025

    Password Change Notification Service received an RPC exception attempting to deliver a notification.

    0x00000005 - Access is denied.



    Wednesday, January 17, 2007 8:28 PM


  • The trust required for this to work is a 2-way Forest trust. This implies that both forests must be running at Forest Function level 2003.

    The SPN is set on the MIIS service account in Domain B.

    You do not set the PCNSSVC service account; it is designed to run as the Local System account on the DC. As Local System, it has all of the privileges it needs.

    Failure to authenticate between the two domains will result in the error you are seeing. You can search MSDN for tips on troubleshooting Kerberos auth across domains.

    Friday, January 19, 2007 5:58 PM