PCNS: The password change notification target could not be authenticated.

  • Question

  • Hello,

    I am trying to implement PCNS on a prototype with one MIIS Server and one Domain Controller. I installed PCNS on the Domain Controller and set up the SPN as indicated in the documentation:

    setspn -A PCNSCLNT/MIIS.domain.com domain\servicemiis

    PCNSCFG.exe addtarget /n:MIISSERVER  /a:MIIS.domain.com  /s:PCNSCLNT/MIIS.domain.com  /fi:"Domain Users" /f:1

    I also activated the root of the Domain Controller as Password Synchronisation source. I didn't declare any target for the moment, but the problem also exists with a SUN one MA target defined.

    When I looked at the documentation for the "Password Management", Microsoft gives a checklist. I ran it and retrieved all the information I provided:

    C:\Program Files\Microsoft Password Change Notification>setspn -L domain\servicemiis
    Registered ServicePrincipalNames for CN=servicemiis,CN=Users,DC=domain,DC=com:
        PCNSCLNT/MIIS.domain.com

    C:\Program Files\Microsoft Password Change Notification>pcnscfg.exe List
    The service configuration is not set. Defaults will be used by the service.

    Default Service Configuration
      MaxQueueLength........: 0
      MaxQueueAge...........: 259200 seconds
      MaxNotificationRetries: 0
      RetryInterval.........: 60 seconds

    Targets
      Target Name...........: MIISSERVER
      Target GUID...........: 0F046F2E-4B39-4F27-B004-9BEF4E9E6836
      Server FQDN or Address: MIIS.domain.com
      Service Principal Name: PCNSCLNT/MIIS.domain.com
      Authentication Service: Kerberos
      Inclusion Group Name..: domain\Domain Users
      Exclusion Group Name..:
      Keep Alive Interval...: 0 seconds
      User Name Format......: 1
      Queue Warning Level...: 0
      Queue Warning Interval: 30 minutes
      Disabled..............: False

    Total targets: 1

    I changed the password for one user and I get the same error every minute:

    Password Change Notification Service received an RPC exception attempting to deliver a notification.

    The password change notification target could not be authenticated.

    User Action:

    This usually happens under the following conditions:

    1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.

    2. The SPN is assigned to more than one Active Directory account.

    3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.

    4. There is more than 5 minutes of time variance between this system and the target system.

    Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

    Additional Details:

    Thread ID: 5028

    Tracking ID: e39f84bd-f0b5-4463-8045-1fe26a64c1d9

    User GUID: ec4a3c5b-3b2d-4aff-83a9-90fae86b26c0

    User: CN=TOTO Tutu,OU=FR,OU=countries,DC=domain,DC=com

    Target: MIISSERVER

    Delivery Attempts: 134

    Queued Notifications: 1

    0x00000721 - A security package specific error occurred.

    ProcessID is 4132

    System Time is: 11/28/2006 16:29:46:851

    Generating component is 2

    Status is 1825 - A security package specific error occurred.

    Detection location is 1461

    Flags is 0

    NumberOfParameters is 0

    ProcessID is 4132

    System Time is: 11/28/2006 16:29:46:851

    Generating component is 2

    Status is 1825 - A security package specific error occurred.

    Detection location is 141

    Flags is 0

    NumberOfParameters is 1

    Long val: -2146893053

    ProcessID is 4132

    System Time is: 11/28/2006 16:29:46:851

    Generating component is 3

    Status is -2146893053 - The specified target is unknown or unreachable

    Detection location is 140

    Flags is 0

    NumberOfParameters is 4

    Long val: 16

    Long val: 6

    Unicode string: PCNSCLNT/MIIS.domain.com

    Long val: 68126

    I tried to search for the same error and found approximately the same issue, but none of the solutions helped me. I'm afraid that they don't solve the "The password change notification target could not be authenticated" issue.

    So if someone has an idea or wants more information.

    Thank you beforehand for your help,

    Regards,

    JF LOMBARDO

    Tuesday, November 28, 2006 4:35 PM

Answers

  • Thank you Craig, the reboot helped me, but not in the way you think.

    I had an event from my KDC that told me PCNSCLNT/MIIS/domain.com was declared for different accounts. I found a declaration that remained from an old configuration.

    After cleaning it up, notifications are correctly sent.

    Regards,

    JF LOMBARDO

    Friday, December 1, 2006 9:54 AM

All replies

  • Something to check: make sure the MIIS service is logging on as "domain\servicemiis".

    Also, I'm pretty sure the DC needs to be rebooted after the PCNS installation.

    Tuesday, November 28, 2006 6:01 PM
  • Thanks for your answer Craig.

    I already checked the service logon issue and it is not linked to that.

    I plan a reboot for tomorrow. I will keep you informed whether or not this resolves my issue.

    Regards,

    JF LOMBARDO

    Wednesday, November 29, 2006 9:16 AM
  • Thank you Craig, the reboot helped me, but not in the way you think.

    I had an event from my KDC that told me PCNSCLNT/MIIS/domain.com was declared for different accounts. I found a declaration that remained from an old configuration.

    After cleaning it up, notifications are correctly sent.

    Regards,

    JF LOMBARDO


    Hi Jean, HOW CAN I KNOW IF MY PCNSCLNT/MIIS/DOMAIN.COM is declared for a different account?

    Thanks

    And how could I clean it?

    Tuesday, July 6, 2010 3:17 PM
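
Added example, not part of any post in this thread: one way to check for the duplicate registration described in the accepted answer is to list every account that holds an SPN of the PCNSCLNT service class and flag any SPN found on more than one account. The function name `Find-DuplicateSpn` and the `GC://` search root shown in the comment are assumptions for illustration; the script assumes PowerShell 3.0 or later on a domain-joined machine and searches the current domain unless a search root is given.

```powershell
# Added example: report which accounts hold SPNs of one service class and
# mark SPNs that are registered on more than one account.
function Find-DuplicateSpn {
    param(
        [string]$ServiceClass = 'PCNSCLNT',  # service class used by PCNS in this thread
        [string]$SearchRoot   = ''           # assumption, e.g. 'GC://DC=domain,DC=com'
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    # Match any object carrying at least one SPN of this service class.
    $searcher.Filter   = "(servicePrincipalName=$ServiceClass/*)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    $pairs = foreach ($result in $results) {
        # Property names in search results are stored in lower case.
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            if ($spn -like "$ServiceClass/*") {
                # SPN comparison is case-insensitive, so normalise before grouping.
                [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Account = $dn }
            }
        }
    }
    $results.Dispose()

    $pairs | Group-Object Spn | ForEach-Object {
        $accounts = @($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
        [pscustomobject]@{
            Spn       = $_.Name
            Duplicate = ($accounts.Count -gt 1)
            Accounts  = $accounts
        }
    }
}

Find-DuplicateSpn | Format-List

# To clean up, remove the SPN from the account that should not hold it:
#   setspn -D <SPN> <account>
```

On Windows Server 2008 and later, `setspn -X` reports duplicate SPNs directly and `setspn -Q <SPN>` shows which account holds a given SPN.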