Issue with establishing PAM trust

  • Question

  • Hi All,

    I am facing issues while establishing PAM trust.

    Here is my scenario. I have a root domain (RD) and under that a subdomain (SD). The SD contains all the groups and users. A tree-root trust already exists between RD and SD. I am trying to establish a PAM trust. I gave the new PAM trust to SD by giving the source domain as SD. But it is failing, stating that the username or password is incorrect. I had provided SD\domain admin credentials.

    If I give the same credentials to establish the trust between RD and PRIV, then it succeeds. I wanted to know if this is the expected behavior.

    I used the netdom command as an alternative to establish the trust to SD and it worked. But Test-PAMTrust fails and New-PAMGroup also fails, stating that the username or password is incorrect. I checked the audit logs of the SD, and Audit Success events are being registered for the account I am trying to use. Please let me know how to debug/fix this issue.

    Monday, December 12, 2016 3:18 PM

All replies

  • What version of MIM are you using? There are known problems with the New-PAMDomainConfiguration cmdlets using MIM RTM, but they are believed to be resolved in MIM SP1.

    The single New-PAMTrust cmdlet performs three netdom commands and it is acceptable to use netdom instead of the cmdlet:

    netdom trust / /userO:contoso\administrator /passwordO:Pa$$word1 /add

    netdom trust / /EnableSIDHistory:yes /userO:contoso\administrator /passwordO:Pa$$word1

    netdom trust / /quarantine:no /userO:contoso\administrator /passwordO:Pa$$word1

    The New-PAMDomainConfiguration only creates the $$$ domain local security group and sets permissions on it, so that can be done manually too.

    As to why it is failing, I believe some of the PowerShell cmdlets have a verbose switch that you can try.  Sometimes that helps.  Other times I resort to using netdom.

    See also MIM PAM FAQ


    Jeff Ingalls

    Monday, December 12, 2016 7:36 PM
  • Hi, we had the same problems, and eventually had to get everything ready using the old commands (e.g. netdom, etc.). The PAM cmdlets failed every time.
    Tuesday, December 13, 2016 3:28 AM
  • Hi,

    We are currently on version MIM 2016 v4.3.2195. We haven't upgraded to SP1.

    The netdom commands are working and we are able to establish the trust. We put the verbose flag and ran the commands once more. The following error was received.

    "Reason: System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): The user name or password is incorrect."

    But the credentials are correct and the successful login audit is logged on the DC. Still, the PRIV DC doesn't accept the credentials. If I run the same to enable the trust for the RD, it is successful.

    The problem now is that the trust and everything else is set up (using netdom). The PAM group creation is also failing with the same error.

    SD is the subdomain where all the groups are present. The PAM trust is enabled against the Forest and also to the subdomain.

    PS C:\Windows\system32> $pg = New-PAMGroup –SourceGroupName "samplegroup" -SourceDomain "SD" -SourceDC "SDC" -Credentials (get-credential) -Verbose

    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    VERBOSE: Type:Warning, Msg:Unable to create shadow group 'samplegroup'  in domain 'SD'. Exception:
    'System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): The user name or password is incorrect.

       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
       at System.DirectoryServices.DirectorySearcher.FindOne()
       at Microsoft.ResourceManagement.Utilities.ActiveDirectoryHelper.GetNetbiosDomainName(String fqdnDomainName, String
    userName, SecureString password)
       at Microsoft.ResourceManagement.Utilities.ActiveDirectoryHelper.get_DomainNetBios()
       at Microsoft.IdentityManagement.PamCmdlets.Managers.PamGroupManager..ctor(PAMSession pamSession, String corpDomain,
    String corpUsername, SecureString corpPassword, String privAdContainer)
       at Microsoft.IdentityManagement.AdminPamCmdlets.NewPamGroupUserCommand.ProcessRecord()'.
    New-PAMGroup : The user name or password is incorrect.
    At line:1 char:7
    + $pg = New-PAMGroup –SourceGroupName "samplegroup" -SourceDomain "SD"  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-PAMGroup], DirectoryServicesCOMException
        + FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.AdminPamCmdlets.NewPamGroupUserCommand

    Tuesday, December 13, 2016 9:56 AM
  • Hi,

    How did you tackle the PAM group? Is there any other alternative?

    Tuesday, December 13, 2016 9:56 AM
  • Run these commands to verify trust and config:

    Import-Module MIMPAM

    $ca = Get-Credential

    Test-PAMTrust -SourceForest "" -Credentials $ca #use FQDN of domain; should respond with True. If not then remove and recreate your trust.

    Test-PAMDomainConfiguration -SourceDomain "contoso" -Credentials $ca #use NETBIOS of domain. Should respond that SID history is enabled and SID filtering is not enabled and CONTOSO$$$ exists

    Assuming that all works, log in to the PAM server as the MIMAdmin account (an account that is an admin and has an object in the Portal), then run:

    Import-Module MIMPAM

    $ca = get-credential -username contoso\administrator -message "enter any contoso domain admin creds here"

    New-PAMGroup -SourceGroupName "ContosoAdmins" -SourceDomain -SourceDC -Credentials $ca  #note we use fqdn for source domain and DC name


    Jeff Ingalls

    Tuesday, December 13, 2016 3:54 PM
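
When the PAM cmdlets fail, the three conditions that the reply above says Test-PAMDomainConfiguration should report (SID history enabled, SID filtering not enabled, the NETBIOS$$$ group present) can be read directly from the source domain. The PowerShell below is an added example, not part of the original thread or of MIM; the function name, parameter names and domain names are hypothetical, and the mapping of /EnableSIDHistory:yes to the 0x40 bit is an assumption of the example.

```powershell
# Added example: names passed in are placeholders, not values from the thread.
# Needs the ActiveDirectory (RSAT) module and read access to the source domain.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS, trustedDomain object)
$TA_QUARANTINED       = 0x04  # SID filtering (quarantine) is on
$TA_FOREST_TRANSITIVE = 0x08  # forest trust
$TA_TREAT_AS_EXTERNAL = 0x40  # assumption: set by /EnableSIDHistory:yes on a forest trust

function Get-PamTrustState {
    param(
        [Parameter(Mandatory)] [string] $SourceDomainFqdn,  # trusting domain holding users/groups
        [Parameter(Mandatory)] [string] $SourceNetBios,     # its NetBIOS name
        [Parameter(Mandatory)] [string] $PrivDomainFqdn,    # trusted PRIV domain
        [Parameter(Mandatory)] [pscredential] $Credential   # source-domain account
    )
    $ad = @{ Server = $SourceDomainFqdn; Credential = $Credential; ErrorAction = 'Stop' }

    # The trustedDomain object for PRIV lives in the trusting (source) domain.
    $trust = Get-ADTrust -Identity $PrivDomainFqdn @ad
    $bits  = [int]$trust.TrustAttributes

    # Domain local group <NETBIOS>$$$ that New-PAMDomainConfiguration creates.
    $marker = $SourceNetBios + '$$$'
    $group  = Get-ADGroup -Filter "SamAccountName -eq '$marker'" @ad

    [pscustomobject]@{
        Trust             = $trust.Name
        Direction         = $trust.Direction
        TrustAttributes   = '0x{0:X}' -f $bits
        ForestTrust       = ($bits -band $TA_FOREST_TRANSITIVE) -ne 0
        SidFilteringOff   = ($bits -band $TA_QUARANTINED) -eq 0
        SidHistoryBitSet  = ($bits -band $TA_TREAT_AS_EXTERNAL) -ne 0
        MarkerGroup       = $marker
        MarkerGroupExists = $null -ne $group
        MarkerGroupScope  = if ($group) { $group.GroupScope } else { $null }
    }
}

# Placeholder names; replace with your own source and PRIV domains.
Get-PamTrustState -SourceDomainFqdn 'sd.corp.example' -SourceNetBios 'SD' `
    -PrivDomainFqdn 'priv.example' -Credential (Get-Credential)
```

netdom documents /EnableSIDHistory as valid only for an outbound forest trust, so when ForestTrust is False only the SidFilteringOff column is meaningful. Because this trust deliberately has SID filtering turned off, the same output is worth recording as a baseline for later review of the trust.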