Creating users and setting Passwords on other AD forests => Kerberos-no-logon-server error

  • Question

  • We are investigating the possibility of FIM supporting multiple independent customer ADs, i.e. one FIM instance but several AD MAs targeting many forests.

    In our dev environment we have 3 separate virtual domains and I can get them talking to each other by editing the hosts file.

    When I try to set the Password or userAccountControl via FIM I get the Kerberos error. OK. I guess we are forced into putting a complete DNS setup for development.

    HOWEVER,

    if I start a Powershell shell on the FIM server (fim002dfim.fim002d.local) and use ADSI calls I can set the password OK!!! e.g.

    param(
        [Parameter(Mandatory)][string]$employeeid,   # employeeID of the account to find
        [Parameter(Mandatory)][string]$newPass       # password to set
    )

    # hunt for user and set password
    # Bind to the other forest's DC with explicit credentials (dev-only; hard-coded here)
    $MYobjDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://cust1dc.cust1.local", "cust1\Administrator", "P@ssW0rd"

    # Escape RFC 4515 filter metacharacters so an employeeID value cannot change the LDAP query
    $safeId = $employeeid -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $MYobjSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $MYobjSearcher.SearchRoot = $MYobjDomain
    $MYobjSearcher.PageSize = 1000
    $MYobjSearcher.Filter = "(&(objectClass=user)(employeeID=$safeId))"
    $MYobjSearcher.SearchScope = "Subtree"

    $MYuser = $MYobjSearcher.FindOne()
    if ($MYuser -eq $null) {
        "No user found on Cust1 with employeeID = $employeeid"
        exit
    }

    # GetDirectoryEntry() reuses the searcher's bind credentials; casting the path with
    # [ADSI] would instead bind as the identity running the shell
    $MYuserObj = $MYuser.GetDirectoryEntry()
    $MYuserObj.psbase.Invoke("SetPassword", $newPass)
    $MYuserObj.Put("pwdLastSet", 0)    # force a password change at next logon
    $MYuserObj.SetInfo()

    "Password reset"

    I am curious why FIM access via the AD Management Agent is so different from ADSI

    Friday, August 1, 2014 7:05 AM
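A diagnostic a practitioner would run on the FIM server before the AD MA password run, added here as an example and not part of the original post. The "no logon server" error is raised when the DC locator cannot find a KDC for the target domain, and the locator works from DNS SRV records (`_kerberos._tcp.dc._msdcs.<domain>` and friends) that a hosts-file entry cannot supply; the ADSI `SetPassword` path in the post can fall back to LDAP over SSL or the SAM RPC interface, which only need the host name to resolve. The script contrasts the two lookups. The domain and DC names are taken from the post's dev environment; the function and parameter names are assumptions.

```powershell
# Added diagnostic (not from the original post): compare plain host-name resolution,
# which a hosts file satisfies, with the SRV lookups and DC-locator call that the
# Kerberos password path depends on. Names below follow the post's dev environment.
param(
    [string]$TargetDomain = "cust1.local",          # target forest root domain (from the post)
    [string]$KnownDc      = "cust1dc.cust1.local"   # DC reachable via the hosts file (from the post)
)

Import-Module DnsClient -ErrorAction SilentlyContinue   # Resolve-DnsName (Windows 8 / 2012 and later)

function Test-KdcLocator {
    # Hypothetical helper: returns one object with the outcome of each lookup stage.
    param([string]$Domain, [string]$Dc)
    $result = [ordered]@{}

    # 1. A-record resolution of the DC name: the only thing a hosts-file entry provides
    try {
        $result.HostA = ([System.Net.Dns]::GetHostAddresses($Dc) |
            ForEach-Object { $_.IPAddressToString }) -join ','
    } catch { $result.HostA = "FAIL: $($_.Exception.Message)" }

    # 2. SRV records used to locate a KDC / DC / kpasswd service; these cannot live in a hosts file
    foreach ($svc in "_kerberos._tcp.dc._msdcs.$Domain",
                     "_ldap._tcp.dc._msdcs.$Domain",
                     "_kpasswd._tcp.$Domain") {
        try {
            $srv = Resolve-DnsName -Name $svc -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
            $result[$svc] = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
        } catch { $result[$svc] = "FAIL: $($_.Exception.Message)" }
    }

    # 3. The full DC-locator call; a failure here is what surfaces as "no logon server"
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
        $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx)
        $result.DcLocator = $dc.Name
    } catch { $result.DcLocator = "FAIL: $($_.Exception.Message)" }

    return [pscustomobject]$result
}

Test-KdcLocator -Domain $TargetDomain -Dc $KnownDc | Format-List
```

In a hosts-file-only setup the first stage succeeds and the SRV and DC-locator stages fail, which is the split between the ADSI result and the AD MA result described above. Once a conditional forwarder or stub zone for the customer forest is in place on the FIM server's DNS, all three stages should succeed; rerun the script after the DNS change to confirm before retrying the MA.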

All replies