KDC_ERR_BADOPTION error on password sync for FIM server RRS feed

  • Question

  • Hi Everyone,

    I have odd problem in a our dev environment that I am trying to solve when syncing passwords from Forest 1 - Domain A to Forest 2 - Domain B (no trust).  I get the following error when syncing a password from Forest 1 - Domain A to FIM server (rollup 2)  in this domain to an account in Forest 2 - Domain B.  The specific error is:  

    A Kerberos Error Message was received:
     on logon session 
     Client Time: 
     Server Time: 0:12:33.0000 3/12/2013 Z
     Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc00000bb KLIN(0)
     Client Realm: 
     Client Name: 
     Server Realm: ACME.COM
     Server Name: svc_FIMSyncrhoDEV@ACME.COM
     Target Name: svc_FIMSyncrhoDEV@ACME.COM@ACME.COM
     Error Text: 
     File: 9
     Line: f09
     Error Data is in record data.

    The FIM server which resides in Forest 1 - Domain can read and write via the AD MA Forest 2 - Domain B without issue.  The FIM server is clearly receiving password changes from PCNS and can successfully set passwords for a custom MA that uses a simple non-kerberos LDAP bind.  We have confirmed that the ports are open on these target machines.  SPNs set for FIM sync account since the password is clearly being delivered to the FIM server.  The FIM server finds Forest 2 - Domain B via a host file on the local FIM server.  

    Basically, the FIM server works fine Forest 1 - Domain with Forest 2 - Domain B with the exception of this error.  I am not a Kerberos person so any thoughts on this would be greatly appreciated!

    Tuesday, March 12, 2013 12:40 AM


All replies