PCNS and FIM 2010 RRS feed

  • General discussion

  • So I am working to deploy/test PCNS in our FIM 2010 deployment, where the source domain for PWs is in one domain/forest, and it's trying to send to the FIM MA in another domain, untrusted and not part of the forest.  I'm getting errors from PCNS where it cannot reach the destination/target via RPC --- DNS is in place and happy.

     

    I set the custom SPN per http://technet.microsoft.com/en-us/library/cc720654(WS.10).aspx   -- in the source domain where PCNS is installed. Do I need to place it in the destination domain as well?  Or is the lack of a trust going to break the ability to use PCNS?

    Wednesday, November 2, 2011 8:48 PM

All replies

  • I'm pretty sure there has to be a trust between the PCNS forest and the FIM forest. I guess you've seen this list of PCNS resources? http://social.technet.microsoft.com/wiki/contents/articles/2762.aspx
    http://www.wapshere.com/missmiis
    Wednesday, November 2, 2011 9:01 PM
  • Carol,

         That sure seems to be the case, but I can't find anywhere that it actually states that requirement...  any help there? 

    Thursday, November 3, 2011 1:35 PM
  • The setup of PCNS requires configuration of service principal names (SPNs), which are used in Kerberos authentication.  I don't know that you could have Kerberos authentication without a trust in place.

    Ah, there we go...

    http://technet.microsoft.com/en-us/library/cc720594(WS.10).aspx

    Forest Trusts

    Forest trusts are only required if PCNS and ILM 2007 are located in different forests. If this is the case, a forest-level trust must be established. This is required for Kerberos mutual authentication for the ILM 2007 server to accept the request from a remote forest host.

     

    Where PCNS is concerned, you can substitute FIM for MIIS or ILM in almost any online documentation you find.

    Chris

    Friday, November 4, 2011 4:20 AM