SETSPN Issue in PCNS Configuration

  • Question

  • Hello Everyone,

    These days I am working on a project in which I need to deploy the FIM Password Change Notification Service (PCNS) to synchronize passwords between two forests, and I am facing some issues with it. I also need to make one more thing clear: communication between the two forests runs over a NATted network.

    Please see the error below.

    Windows PowerShell
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    PS C:\Users\Tra.Admin> Setspn.exe -A PCNSCLNT/mey-gfip03.sgi.fednet.intra fednet\fimsyncservice
    Checking domain DC=GOV,DC=Local

    Failed to bind to DC of domain FEDNET, error 0x6ba/1722 -> The RPC server is unavailable.

    PS C:\Users\Tra.Admin>

    I would be very grateful if anyone could reply urgently.

    Regards,

    Shakeel Shahid

    Tuesday, December 22, 2015 8:31 PM

All replies

  • This is a PURE AD issue. Either the Windows "RPC" service is disabled or you don't have the right permissions in that domain.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, December 22, 2015 9:23 PM
  • Shakeel

    You used the command to set an SPN for an account in one domain, and it looks like it is searching for that account in another. I would look at DNS to start with. Also, are you running this command in the domain where fimsyncservice lives? Based on what I see above, I'm thinking no. Maybe just run this command from a domain controller in the FEDNET environment.

    Wednesday, December 23, 2015 1:52 AM
  • Sir,

    Basically I have three AD forests which are connected to FIM. One of my AD forests is properly connected to FIM and PCNS is working fine. Now I am connecting another AD forest; I am successfully able to import the users and groups from that source AD and export them to the fednet AD. The issue now is that I need to sync the passwords with that source, and for this I am facing the error above.

    If you want, I can show you this issue remotely. I just want to mention one thing here: the one AD connected data source is working fine, but the other data source is not working, and it is connected through NAT.

    My question is: does PCNS work through NAT?

    Regards,

    Shakeel Shahid

    Wednesday, December 23, 2015 6:56 AM
  • Shakeel-

    I'm not entirely sure what is going on with the Setspn tool, but, you can easily add the SPN manually. If you browse to the fimsyncservice account in your fednet domain using AD Users and Computers, you can open the account, go to the attribute editor tab, and add PCNSCLNT/mey-gfip03.sgi.fednet.intra to the servicePrincipalName attribute. Note that you'll need to go to View>Advanced Features in AD Users and Computers for the Attribute Editor tab to be visible.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Wednesday, December 23, 2015 5:08 PM
    Moderator
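Brian's manual route above, done with the ActiveDirectory PowerShell module instead of the ADUC Attribute Editor, as an added example that is not part of the thread. The SPN, account and domain names are the ones used in the thread; the credential prompt, the rights it needs, and the use of the global catalog port for the duplicate check are assumptions.

```powershell
# Added example (not from the thread): write the PCNS target SPN onto the FIM
# sync service account through a DC of the account's own domain, refusing to
# create a duplicate. Names are from the thread; the credential is an assumption.
Import-Module ActiveDirectory

$Spn        = 'PCNSCLNT/mey-gfip03.sgi.fednet.intra'   # service class / FQDN of the PCNS target (FIM server)
$Account    = 'fimsyncservice'                          # sAMAccountName of the FIM Synchronization Service account
$AccountDom = 'sgi.fednet.intra'                        # domain that holds the account (where FIM is installed)
$Cred       = Get-Credential -Message "Account with write access to $Account in $AccountDom"   # assumption

# A PCNS SPN must carry the target's fully qualified host name, not a short name.
if ($Spn -notmatch '^PCNSCLNT/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "SPN '$Spn' is not of the form PCNSCLNT/<fqdn>"
}

# -Server $AccountDom binds to a DC of the account's own domain. Writing the
# attribute through a DC of another forest (the GOV.Local DC in the thread) is
# what produces error 8344 "Insufficient access rights".
$common = @{ Server = $AccountDom; Credential = $Cred }
$user   = Get-ADUser @common -Identity $Account -Properties servicePrincipalName

# Kerberos needs the SPN to map to exactly one account, so look forest-wide
# through the global catalog (port 3268, empty search base = whole forest).
$holders = @(Get-ADObject -Server "$($AccountDom):3268" -Credential $Cred -SearchBase '' `
                          -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
$others  = @($holders | Where-Object DistinguishedName -ne $user.DistinguishedName)
if ($others.Count -gt 0) {
    throw "SPN '$Spn' is already registered on: $($others.DistinguishedName -join '; ')"
}

if ($user.servicePrincipalName -contains $Spn) {
    Write-Host "SPN '$Spn' is already present on $($user.DistinguishedName); nothing to do."
} else {
    Set-ADUser @common -Identity $user -ServicePrincipalNames @{ Add = $Spn }
    Write-Host "Added '$Spn' to $($user.DistinguishedName)."
}

# Read it back from the same domain; this is the value the PCNS client will look up.
(Get-ADUser @common -Identity $Account -Properties servicePrincipalName).servicePrincipalName
```

Run this from a machine that can reach a DC of the account's domain over LDAP; the duplicate check matters because condition 2 in the PCNS event text (SPN assigned to more than one account) silently breaks Kerberos for both accounts.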
  • Hello,

    I have installed PCNS in several environments and, in multi-domain (or multi-forest) scenarios, I have registered the SPN only in the forest/domain where FIM is installed. Even in a deployment where we had a big forest with FIM (let's say ForestA with DomainAA, DomainAB, DomainAC, DomainAD and DomainAE), the SPN was registered in DomainAC, where FIM was installed and where the service account was.

    PCNS in other (trusted) forests, such as DomainB (in ForestB), was installed and pcnsconfig was run, but the SPN was registered only in the main domain.

    And it works (you have to have a trust between the forests; it hardly works without one).


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Proposed as answer by FIM Indian Wednesday, December 30, 2015 12:27 PM
    Wednesday, December 23, 2015 9:42 PM
  • Dear Dominik,

    Basically, the communication between these forests runs over NAT, and I am just asking whether it will work over NAT or not.

    Regards,

    Shakeel Shahid.

    Friday, December 25, 2015 9:49 AM
  • Dear Brian,

    I have multiple forests which are going to connect to the fednet AD, and my FIM is in the Fednet AD environment. My first forest, which is called the management AD forest, is properly connected to my FIM and PCNS is working fine; now I am configuring another forest for PCNS and I am facing this issue with it.

    When I add the SPN in the new AD forest, which is the GOV.Local AD, I get this error, and I don't know what is going on behind it.

    I would be very grateful if you have time to connect remotely and identify the issue.

    Regards,

    Shakeel Shahid

    Friday, December 25, 2015 10:06 AM
  • HI,

    Actually, I was not running the command properly. Now that I run the proper command the error has changed; please see below.

    PS C:\Users\Tra.Admin> setspn.exe -A TRAFimSync/mey-gfis01.sgi.fednet.intra sgi.fednet.intra\fimsyncservice
    Checking domain DC=GOV,DC=Local

    Registering ServicePrincipalNames for CN=FIM Sync Service,OU=FIM,OU=Service Accounts,DC=sgi,DC=fednet,DC=intra
            TRAFimSync/mey-gfis01.sgi.fednet.intra
    Failed to assign SPN on account 'CN=FIM Sync Service,OU=FIM,OU=Service Accounts,DC=sgi,DC=fednet,DC=intra', error 0x2098/8344 -> Insufficient access rights to perform the operation.

    Regards,

    Shakeel Shahid

    Sunday, December 27, 2015 1:57 PM
  • Please try to run the same command in sgi.fednet.intra domain. It should work. If it would be ok, PCNS would work just fine.


    • Proposed as answer by FIM Indian Wednesday, December 30, 2015 12:27 PM
    Monday, December 28, 2015 2:35 PM
  • Dear Dominik,

    I am a little confused by this. Please clarify for me why I should run this command in the sgi.fednet.intra domain, because fednet is my target domain and this command should run from the source domain, since we need to set the SPN in the source domain and then set the target in the source domain.

    Please clarify this point.

    Regards,

    Shakeel Shahid

    Monday, December 28, 2015 6:33 PM
  • The SPN should be registered in the domain where FIM is installed, and from what I've learned in the field, that is enough. You don't need the SPN registered in each domain, as during password sync the SPN from the target domain will be queried.


    • Proposed as answer by FIM Indian Wednesday, December 30, 2015 12:27 PM
    Monday, December 28, 2015 6:45 PM
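Dominik's point that the source forest only needs to be able to look the SPN up in the FIM domain can be verified from the source side without writing anything. The following is an added example, not from the thread: it runs on a DC (or the PCNS host) in the source forest, the GOV.Local side in this thread, and checks the trust, DNS, the ports PCNS needs through the NAT, the SPN in the target domain, a Kerberos service ticket, and clock skew. Host and domain names are the thread's; the output patterns matched from nltest, setspn, klist and w32tm are assumptions about what those tools print.

```powershell
# Added example (not from the thread): read-only checks from the PCNS source
# forest against the SPN registered in the FIM forest. Names from the thread;
# the tool output patterns below are assumptions.
$TargetDomain = 'sgi.fednet.intra'                # domain where FIM, the service account and the SPN live
$TargetHost   = 'mey-gfip03.sgi.fednet.intra'     # FQDN of the FIM server (the PCNS target)
$TargetSpn    = "PCNSCLNT/$TargetHost"

function Test-TcpPort([string]$ComputerName, [int]$Port) {
    try { $c = New-Object System.Net.Sockets.TcpClient; $c.Connect($ComputerName, $Port); $c.Close(); $true }
    catch { $false }
}

function Test-PcnsTarget {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$HostName
    )
    $r = [ordered]@{ Spn = $Spn }

    # 1. Trust and DC locator: without a trust there is no cross-realm Kerberos referral.
    $r.TrustListed = [bool](nltest /domain_trusts 2>&1 | Select-String -SimpleMatch $Domain)
    $dcLine = nltest "/dsgetdc:$Domain" 2>&1 | Select-String -Pattern 'DC:\s+\\\\(\S+)' | Select-Object -First 1
    $kdc = if ($dcLine) { $dcLine.Matches[0].Groups[1].Value } else { $null }
    $r.TargetDc = $kdc

    # 2. DNS for the SPN host, then the ports the NAT must pass: Kerberos (88) to a
    #    target-forest DC, RPC endpoint mapper (135) plus the dynamic RPC range to the FIM host.
    try { $r.DnsResolves = [bool][System.Net.Dns]::GetHostAddresses($HostName) } catch { $r.DnsResolves = $false }
    $r.KdcPort88  = if ($kdc) { Test-TcpPort $kdc 88 } else { $false }
    $r.RpcPort135 = Test-TcpPort $HostName 135

    # 3. The SPN must exist exactly once in the target domain; -T points setspn at that domain.
    $q = setspn -T $Domain -Q $Spn 2>&1
    $r.SpnFound   = [bool]($q | Select-String -SimpleMatch 'Existing SPN found')
    $r.SpnHolders = @($q | Select-String -Pattern '^CN=').Count     # 1 expected; more than 1 is a duplicate

    # 4. Request a service ticket for the SPN; success exercises trust, SPN lookup and clocks together.
    $k = klist get $Spn 2>&1
    $r.TicketIssued = [bool]($k | Select-String -SimpleMatch "Server: $Spn")

    # 5. Clock skew to the FIM host; Kerberos (and the PCNS event text) allow up to 5 minutes.
    $w = w32tm /stripchart "/computer:$HostName" /samples:1 /dataonly 2>&1
    $m = $w | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    $r.SkewSeconds = if ($m) { [double]$m.Matches[0].Groups[1].Value } else { $null }
    $r.SkewOk      = ($null -ne $r.SkewSeconds) -and ([math]::Abs($r.SkewSeconds) -lt 300)

    [pscustomobject]$r
}

Test-PcnsTarget -Spn $TargetSpn -Domain $TargetDomain -HostName $TargetHost | Format-List
```

If TicketIssued is true, the SPN side is done and nothing needs to be registered in the source forest; if SpnFound is true but TicketIssued is false, look at the trust, port 88 reachability through the NAT and the skew before touching the SPN again.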
  • Dominik,

    You are absolutely right; I was trying on the wrong DC. Thank you so much.

    Regards,
    Shakeel Shahid

    Tuesday, December 29, 2015 7:18 AM
  • Sir,

    I am facing an issue with FIM PCNS and it would be good if you could help me with it.

    Monday, October 17, 2016 3:00 PM
  • Dear All,

    I am facing this issue while configuring FIM PCNS.

    Log Name:      Application
    Source:        PCNSSVC
    Date:          10/19/2016 4:56:36 PM
    Event ID:      6025
    Task Category: (4)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ZAK-ADS01.zakat.gov.ae
    Description:
    Password Change Notification Service received an RPC exception attempting to deliver a notification. 

    The password change notification target could not be authenticated.

    User Action:
    This usually happens under the following conditions:
    1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
    2. The SPN is assigned to more than one Active Directory account.
    3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
    4. There is more than 5 minutes of time variance between this system and the target system.

    Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

    Additional Details:

     
    Thread ID: 1132 
    Tracking ID: ec7deb5c-dba0-4ba3-86b8-40c23a585411 
    User GUID: 8a528388-2502-480d-b177-fe6489322607 
    User: ZAKAT\user01.pw 
    Target: ZakatPassSync 
    Delivery Attempts: 2946 
    Queued Notifications: 9 
    0x00000721 - A security package specific error occurred.
     

    ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 2
    Status is 1825 - A security package specific error occurred.
    Detection location is 1710
    Flags is 0
    NumberOfParameters is 1
    Long val: 0

    ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 2
    Status is 1825 - A security package specific error occurred.
    Detection location is 1461
    Flags is 0
    NumberOfParameters is 0

    ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 2
    Status is 1825 - A security package specific error occurred.
    Detection location is 141
    Flags is 0
    NumberOfParameters is 1
    Long val: -2146893053

    ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 3
    Status is -2146893053 - The specified target is unknown or unreachable
    Detection location is 140
    Flags is 0
    NumberOfParameters is 4
    Long val: 16
    Long val: 6
    Unicode string: PCNSCLNT/MEYGFIS01.sgi.fednet.intra
    Long val: 68126


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="PCNSSVC" />
        <EventID Qualifiers="49152">6025</EventID>
        <Level>2</Level>
        <Task>4</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-10-19T12:56:36.000Z" />
        <EventRecordID>24230</EventRecordID>
        <Channel>Application</Channel>
        <Computer>ZAK-ADS01.zakat.gov.ae</Computer>
        <Security />
      </System>
      <EventData>
        <Data>1132</Data>
        <Data>ec7deb5c-dba0-4ba3-86b8-40c23a585411</Data>
        <Data>8a528388-2502-480d-b177-fe6489322607</Data>
        <Data>ZAKAT\user01.pw</Data>
        <Data>ZakatPassSync</Data>
        <Data>2946</Data>
        <Data>9</Data>
        <Data>0x00000721</Data>
        <Data>A security package specific error occurred.
    </Data>
        <Data>ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 2
    Status is 1825 - A security package specific error occurred.
    Detection location is 1710
    Flags is 0
    NumberOfParameters is 1
    Long val: 0

    ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 2
    Status is 1825 - A security package specific error occurred.
    Detection location is 1461
    Flags is 0
    NumberOfParameters is 0

    ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 2
    Status is 1825 - A security package specific error occurred.
    Detection location is 141
    Flags is 0
    NumberOfParameters is 1
    Long val: -2146893053

    ProcessID is 5740
    System Time is: 10/19/2016 12:56:36:696
    Generating component is 3
    Status is -2146893053 - The specified target is unknown or unreachable
    Detection location is 140
    Flags is 0
    NumberOfParameters is 4
    Long val: 16
    Long val: 6
    Unicode string: PCNSCLNT/MEYGFIS01.sgi.fednet.intra
    Long val: 68126

    </Data>
        <Data>

    The password change notification target could not be authenticated.

    User Action:
    This usually happens under the following conditions:
    1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
    2. The SPN is assigned to more than one Active Directory account.
    3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
    4. There is more than 5 minutes of time variance between this system and the target system.

    Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

    Additional Details:

    </Data>
      </EventData>
    </Event>

    Wednesday, October 19, 2016 1:03 PM
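The 6025 event above carries everything needed for triage: the queue and retry counters, the nested status codes, and, in the innermost block, the exact SPN the client asked Kerberos for. The following is an added example, not from the thread, that parses that message text into a record a monitoring or triage script can act on. The sample message is constructed from the event quoted above; the names attached to the two status values are the standard Win32 and SSPI constants for those numbers (1825 is RPC_S_SEC_PKG_ERROR, -2146893053 is 0x80090303, SEC_E_TARGET_UNKNOWN), and the "stuck" threshold is an assumption.

```powershell
# Added example (not from the thread): parse PCNSSVC event 6025 message text.
# The sample below is constructed from the event quoted in the thread.
function ConvertFrom-PcnsEvent {
    param([Parameter(Mandatory)][string]$Message)

    # Only the "Additional Details" block carries the per-notification fields; the
    # header above it also has a "User:" line (N/A) that must not be picked up.
    $details = ($Message -split 'Additional Details:', 2)[-1]
    $field = { param($Name)
        if ($details -match "(?m)^\s*$([regex]::Escape($Name)):\s*(.+?)\s*$") { $Matches[1] } else { $null }
    }

    $attempts = [int](& $field 'Delivery Attempts')
    $queued   = [int](& $field 'Queued Notifications')

    # Each "Status is <n>" block wraps the one below it; the last one is the root cause.
    $statuses = @([regex]::Matches($details, '(?m)^\s*Status is (-?\d+)') | ForEach-Object { [int]$_.Groups[1].Value })
    $inner = if ($statuses.Count) { $statuses[-1] } else { $null }
    # The event prints HRESULTs as signed 32-bit decimals; show the familiar hex form too.
    $hex   = if ($null -ne $inner) { '0x{0:X8}' -f [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$inner), 0) } else { $null }

    # Win32 / SSPI constants for the two values seen in the thread's event.
    $known = @{
        '1825'        = 'RPC_S_SEC_PKG_ERROR: the RPC security package (Kerberos) failed'
        '-2146893053' = 'SEC_E_TARGET_UNKNOWN (0x80090303): Kerberos could not map the requested SPN to an account'
    }

    # The SPN the PCNS client actually requested; compare it with what is registered.
    $spn = if ($details -match '(?m)^\s*Unicode string:\s*(\S+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        TrackingId          = & $field 'Tracking ID'
        User                = & $field 'User'
        Target              = & $field 'Target'
        DeliveryAttempts    = $attempts
        QueuedNotifications = $queued
        RequestedSpn        = $spn
        SpnIsFqdn           = [bool]($spn -match '^[^/]+/[^/.]+\.[^/]+$')   # condition 3 in the event text
        InnerStatus         = $inner
        InnerStatusHex      = $hex
        InnerStatusName     = if ($null -ne $inner -and $known.ContainsKey("$inner")) { $known["$inner"] } else { 'unknown' }
        # Assumed threshold: thousands of retries with notifications still queued is a stuck target, not a transient RPC blip.
        Stuck               = ($attempts -gt 100 -and $queued -gt 0)
    }
}

# Constructed sample, trimmed from the 6025 event quoted in the thread.
$Sample = @'
Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be authenticated.

User:          N/A
Additional Details:

Thread ID: 1132
Tracking ID: ec7deb5c-dba0-4ba3-86b8-40c23a585411
User GUID: 8a528388-2502-480d-b177-fe6489322607
User: ZAKAT\user01.pw
Target: ZakatPassSync
Delivery Attempts: 2946
Queued Notifications: 9
0x00000721 - A security package specific error occurred.

ProcessID is 5740
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 141
NumberOfParameters is 1
Long val: -2146893053

ProcessID is 5740
Generating component is 3
Status is -2146893053 - The specified target is unknown or unreachable
Detection location is 140
NumberOfParameters is 4
Long val: 16
Long val: 6
Unicode string: PCNSCLNT/MEYGFIS01.sgi.fednet.intra
Long val: 68126
'@

ConvertFrom-PcnsEvent -Message $Sample | Format-List

# Live use on the PCNS source DC (assumption: log and provider names as shown in the event above):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PCNSSVC'; Id = 6025 } -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-PcnsEvent -Message $_.Message } | Where-Object Stuck
```

For the thread's event the record comes out with RequestedSpn PCNSCLNT/MEYGFIS01.sgi.fednet.intra, InnerStatusName SEC_E_TARGET_UNKNOWN and Stuck true, which points at the first two conditions in the event text (SPN not registered, or registered on the wrong or more than one account) rather than at clock skew; the RequestedSpn value is the exact string to query in the FIM domain with setspn -Q.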