One way Password sync from forest A to forest B

  • Question

  • Hi

    I have a requirement for one-way password sync from forest A to forest B.

    • FIM installed on Forest A (source)
    • PCNS installed on forest A (all source DCs)

    I have two ADMA connectors:

    • ADMA SOURCE (connected to forest A)
    • ADMA TARGET (connected to forest B)

    Query:

    • Service account: do I need to use a dedicated service account for this, or shall I use fimservice?
    • On which ADMA agent should password management be enabled?
    • For which account should the SPN be set?

    How do I achieve one-way password sync?

    Regards

    Ragav

    Thursday, December 13, 2012 7:23 AM

All replies

  • Ragav,

    I would recommend reviewing the Implementing the Automated Password Synchronization Solution Step by Step documentation, which can be found on the PCNS-Password Synchronization Resource Wiki.

    Outside of that, in reference to your query:

    SPN

    To configure the SPN using Setspn.exe

    • At a command-line prompt, type the commands shown by the following syntax:

      Setspn.exe -a <user-defined name for the target MIIS 2003 server>/<fully qualified domain name of the server running MIIS 2003> <domain\user name of the MIIS 2003 service account>

      For example:

      Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount

      The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to MIIS 2003.

    To configure PCNS using Pcnscfg.exe

    • At a command-line prompt, type the commands shown by the following syntax:

      Pcnscfg.exe addtarget /n:<user-defined friendly name of the target server running MIIS 2003> /a:<fully-qualified domain name of the server running MIIS 2003> /s:<the SPN for the MIIS 2003 server> /fi:<the specified inclusion group> /f:3

      For example:

      Pcnscfg.exe addtarget /n:miisdemo /a:fab-dev-01.usergroup.fabrikam.com /s:PCNSCLNT/fab-dev-01.usergroup.fabrikam.com /fi:"Domain Users" /f:3

    Hope that helps!

    Tim


    Tim Macaulay Security Identity Support Team Support Escalation Engineer

    Thursday, December 13, 2012 11:28 AM
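    As an added example (not part of this thread or of the product documentation), a PowerShell script that performs the two steps above with the check the answer calls for: it verifies that the PCNSCLNT SPN is not already held by another object in the forest before registering it on the Sync Service account, then passes each pcnscfg switch as a separate argument so an inclusion group name containing a space (such as Domain Users) reaches the tool intact. The server name, domain and account below are placeholders, and it assumes the ActiveDirectory PowerShell module, setspn.exe and pcnscfg.exe are available on the source-forest DC where it runs.

    ```powershell
    # Added example, not from the thread. Placeholder values are assumptions:
    # replace them with your FIM Synchronization Service server and service account.
    # Assumes: ActiveDirectory module, setspn.exe and pcnscfg.exe on the source DC.
    param(
        [string]$SyncServerFqdn = 'fimsync01.forest-a.example',   # placeholder FQDN
        [string]$ServiceAccount = 'FORESTA\fimsync',              # placeholder domain\account
        [string]$InclusionGroup = 'Domain Users',
        [string]$TargetName     = 'FIM'
    )
    $spn     = "PCNSCLNT/$SyncServerFqdn"
    $samName = $ServiceAccount.Split('\')[-1]

    # 1. The SPN must be unique in the forest. A duplicate breaks Kerberos and
    #    PCNS then never delivers the change, so look it up before touching anything.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                   -Properties servicePrincipalName, sAMAccountName)
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $samName })
    if ($others.Count -gt 0) {
        throw "SPN $spn is already registered on: $($others.DistinguishedName -join '; ')"
    }

    # 2. Register the SPN on the Sync Service domain account (not a local account).
    #    setspn -S refuses to add a duplicate, which is a second safety net.
    if ($holders.Count -eq 0) {
        & setspn.exe -S $spn $ServiceAccount
        if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
    }

    # 3. Add the PCNS target. Each /switch:value is one array element, so the
    #    inclusion group name with its embedded space is passed as a single argument
    #    and /s: carries the SPN with no stray whitespace after the colon.
    $pcnsArgs = @(
        'addtarget',
        "/n:$TargetName",
        "/a:$SyncServerFqdn",
        "/s:$spn",
        "/fi:$InclusionGroup",
        '/f:3'
    )
    & pcnscfg.exe @pcnsArgs
    if ($LASTEXITCODE -ne 0) { throw "pcnscfg addtarget failed with exit code $LASTEXITCODE" }

    # 4. Show the SPNs now registered on the account for a final visual check.
    & setspn.exe -L $ServiceAccount
    ```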
  • Hey Tim, that's right, I have gone through the doc.

    I still have confusion about the below command:

    Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount

    Is "fab-dev-01\MIISServAccount" a local account or a domain account?

    There is no SPN set for the fimservice domain account, which is running the portal and service; can this account be used as MIISservaccount?

    Friday, December 14, 2012 6:24 AM
  • Hi Tim,

    I am able to set the SPN for fimservice by running this command: "Setspn.exe -a PCNSCLNT/<FIMserver.FQDN> domain\fimservice"

    But I cannot add the target; I get an error adding the target, error code 0X80070057 - the parameter is incorrect, after running the below command:

    Pcnscfg.exe addtarget /n:FIM /a:FIMserver.FQDN /s: PCNSCLNT/FIMserver.FQDN /fi:“Domain Users” /f:3

    Please suggest.



    Friday, December 14, 2012 7:29 AM
  • MIISSERVACCOUNT = FIM Synchronization Service Account

    You can detect what this account is by going to the machine running the FIM Synchronization Service Engine and reviewing Services (Administrative Tools > Services) for the Forefront Identity Manager Synchronization Service.

    In order for the PCNS - Password Synchronization to work, the FIM Synchronization Service Account should be a domain account.

    Setspn.exe -a PCNSCLNT/<FIM Synchronization Service Engine Machine Name>.usergroup.fabrikam.com <Domain>\<FIM Synchronization Service Account>

    The PCNSCFG (PCNS Configuration) should be run against the information for the FIM Synchronization Service Engine machine and the FIM Synchronization Service Account.

    Pcnscfg.exe addtarget /n:<user-defined friendly name of the target server running FIM Synchronization Service Engine> /a:<fully-qualified domain name of the server running FIM Synchronization Service Engine> /s:<the SPN for the FIM Synchronization Service Account (this should match exactly the SPN set)> /fi:<the specified inclusion group> /f:3

    I hope that this helps.


    Tim Macaulay Security Identity Support Team Support Escalation Engineer

    Friday, December 14, 2012 11:30 AM
  • In my case, fimsync is the service account for the sync engine machine, so I want to update the SPN for this account rather than fimservice.

    And also, if I reset a password from a 3rd-party application, will PCNS capture that, or do I have to change the password from the Windows logon only?

    Monday, December 17, 2012 7:14 AM
  • Yes. fimsync would be the account you set the SPN on.

    Tim Macaulay Security Identity Support Team Support Escalation Engineer

    Monday, December 17, 2012 10:45 AM
  • Hey Tim, thanks, I will update the SPN and let you know.

    And also, will PCNS capture a forced password reset if the reset is done directly in AD?

    Tuesday, December 18, 2012 4:37 AM
  • Yes.

    Tim Macaulay Security Identity Support Team Support Escalation Engineer

    Tuesday, December 18, 2012 7:45 PM