PCNS error

  • Question

  • Hi,

    We are using Forefront Identity Manager to sync 2 Active Directory domains.

    Let's call it DomainA and DomainB. A FIM server has been installed in the DomainA. Users and groups are synced between DomainA and DomainB, all works great.

    Now we want to use password sync from B to A. As mentioned in https://technet.microsoft.com/en-us/library/jj590288(v=ws.10).aspx, the PCNS agent has been installed on all domain controllers for B.

    Password change from DomainB (which does NOT host the FIM Server) to DomainA = error.

    We have configured FIM as explained, created a SPN entry on DomainB and target.

    But when a password is changed on DomainB, it is captured by PCNS and sent to the FIM server (DomainA), and the error occurs: Status is -2146893053 - The target is unknown

    On server side, we can find this log : An error has occurred during authentication to the password notification source.

    0x80070534: no mapping between account names and security IDs...

    Indeed, when configuring the SPN, we created it on domain B:

    setspn.exe -a PCNS/server.domainb.local DOMAINB\MIMSync, which may be unknown on domain A.

    What should be the way to sync password when the FIM server is not in the source domain ?

    BR,

    Emmanuel IT

    Wednesday, February 1, 2017 11:43 AM

Answers

  • Hi,

    Yes it was "only" a quick copy/paste error.

    We found what happened and it worked: this was a DNS issue. After checking all SPNs and PCNS targets, and thus DNS redirectors, we forced a reboot of each controller and the FIM server. After the reboot, all worked well.

    Thanks for all of your advices.

    BR,


    Emmanuel IT

    Wednesday, February 1, 2017 9:26 PM

All replies

  • Hello Emmanuel,

    The SPN is needed in the domain that hosts FIM, not in the PCNS service domain.

    I believe you have trust between them, right?


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Wednesday, February 1, 2017 1:03 PM
  • Hi,

    In the FIM domain, FIM Sync service runs as DOMAINFIM\FIMSYNCUSER.

    In the FIM domain, spn has been set to

       setspn.exe -a PCNS/fimserver.domainfim.local DOMAINFIM\FIMSYNCUSER

    In the PCNS domain,

    .\Pcnscfg.exe addtarget /n:FIM /a:fimserver.domainfim.local /s:PCNS/PCNS/fimserver.domainfim.local /fi:"Domains users" /f:3

    The PCNS server seems to talk to the FIM server (Wireshark), but there is no log on the FIM server (?) and an error.

    Trust has been set between the two domains.


    Emmanuel IT

    Wednesday, February 1, 2017 5:26 PM
  • .\Pcnscfg.exe addtarget /n:FIM /a:fimserver.domainfim.local /s:PCNS/PCNS/fimserver.domainfim.local /fi:"Domains users" /f:3

    or

    .\Pcnscfg.exe addtarget /n:FIM /a:fimserver.domainfim.local /s:PCNS/fimserver.domainfim.local /fi:"Domains users" /f:3 ?

    should be the second one. - no pcns/pcns/...


    Wednesday, February 1, 2017 8:32 PM
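The thread boils down to three things that must line up when the PCNS source domain is not the domain hosting the FIM Synchronization Service: the SPN lives on the sync service account in the FIM domain, the target name in the PCNS configuration must resolve and be reachable across the trust, and the SPN string passed to pcnscfg must carry exactly one "PCNS/" prefix. The script below is an added example, not code from the thread or from Microsoft; it uses the hostnames and account names the poster gave (fimserver.domainfim.local, DOMAINFIM\FIMSYNCUSER, domainfim.local) and assumes a hypothetical test user pcns.test in the PCNS domain. It registers and verifies the SPN, checks DNS and the trust secure channel from the PCNS side, registers the target, and then triggers a password reset and pulls the resulting events.

```powershell
# Added example (not from the thread): cross-domain PCNS checklist.
# Assumed names, taken from the thread: FIM sync server fimserver.domainfim.local,
# sync service account DOMAINFIM\FIMSYNCUSER, FIM domain domainfim.local.
# Run the "FIM domain" block on the FIM server (or any member with RSAT) as a
# DOMAINFIM admin, and the "PCNS domain" block on each PCNS-domain DC as a
# domain admin there. The test user 'pcns.test' is hypothetical.

$FimHost   = 'fimserver.domainfim.local'
$FimDomain = 'domainfim.local'
$FimSvc    = 'DOMAINFIM\FIMSYNCUSER'
$FimSpn    = "PCNS/$FimHost"          # exactly one PCNS/ prefix

# ---------- FIM domain: register the SPN on the sync service account ----------
# -S checks for duplicates before adding; a duplicate SPN breaks Kerberos
# just as a missing one does.
& setspn.exe -S $FimSpn $FimSvc

# The SPN must sit on the account the FIM Synchronization Service runs as,
# not on the PCNS service account in the source domain.
$registered = & setspn.exe -L $FimSvc
if (-not ($registered -match [regex]::Escape($FimSpn))) {
    throw "SPN $FimSpn is not registered on $FimSvc"
}

# ---------- PCNS domain (source DC): name resolution, trust, target ----------
# 1. The target address must resolve from the DC. The thread's root cause was
#    DNS: status -2146893053 is 0x80090303 (SEC_E_TARGET_UNKNOWN), which is
#    what the PCNS side reports when it cannot obtain a ticket for the target.
$dns = Resolve-DnsName -Name $FimHost -Type A -ErrorAction Stop
"$FimHost -> $($dns.IPAddress -join ', ')"

# 2. The SPN must be discoverable across the trust. Query the FIM domain
#    explicitly with -T; without it setspn searches only the local domain.
$spnQuery = & setspn.exe -T $FimDomain -Q $FimSpn
if ($spnQuery -match 'No such SPN found') {
    throw "$FimSpn not found in $FimDomain; check the trust and the SPN"
}

# 3. The secure channel to the trusted domain must be healthy.
& nltest.exe /sc_verify:$FimDomain

# 4. Register the target with ONE PCNS/ prefix. /fi is the inclusion group;
#    the built-in group is "Domain Users" (the thread's "Domains users" is a
#    typo). /f:3 is carried over from the thread's own command line.
& pcnscfg.exe addtarget /n:FIM /a:$FimHost /s:$FimSpn /fi:"Domain Users" /f:3
& pcnscfg.exe listtargets

# ---------- End-to-end test ----------
# Reset a test user's password in the PCNS domain, then look at PCNS-related
# events from the last few minutes. Provider names are enumerated rather than
# hard-coded; run the same query on the FIM server to see the receiving side.
Set-ADAccountPassword -Identity 'pcns.test' -Reset `
    -NewPassword (Read-Host -AsSecureString 'New password for pcns.test')

$providers = (Get-WinEvent -ListProvider '*PCNS*').Name
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $providers
    StartTime    = (Get-Date).AddMinutes(-5)
} | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

If step 2 fails while step 1 succeeded, the SPN is fine and the problem is the trust or name resolution path between the two domains, which is exactly the case in this thread; if step 2 succeeds but the password change still fails with "no mapping between account names and security IDs" on the FIM side, check which account the SPN is attached to and that it is the one the sync service actually runs as.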