PCNS Ports

  • Question

  • Hi,

    I understand that there are a number of ports that need to be open between a DC and FIM server, when PCNS is configured.

    However, what about between FIM and the target system (eg. ADLDS)?

    If we would like to sync passwords between AD -> FIM -> ADLDS, what ports would I need open between FIM and ADLDS? Does the PCNS follow the port configuration of the MA?

    regards,

    SK

    Thursday, March 8, 2012 10:42 AM

Answers

  • Few things:

    • FIM can only natively source passwords from AD with PCNS. To get your passwords from somewhere else, you would need to build a custom mechanism to do that.
    • Password changes will be submitted to AD LDS and Outlook Live via the ports configured on the MA. Typically that's 636 and 443, respectively.
    • In the event passwords can't be submitted to a target system in real time, there is a mechanism in place to persist them until the retry interval expires. On the FIM server, the persistence store is the mms_tracking_entries table - passwords are encrypted with the key you generate during setup and stored here temporarily until either a) they're submitted to the target MAs successfully or b) the retry intervals expire.
    • The way the PCNS works on the DC, the password is captured by the password filter, encrypted using DPAPI and queued to disk in a special secure location. The actual PCNS runs in the same security context as the password filter, so it's able to unspool the queue and decrypt the entries. They're then sent to FIM Sync with sealing provided by Kerb. In the event FIM sync is down, PCNS will periodically retry sending the password.

    Hope this helps.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by D Wind Tuesday, March 13, 2012 2:00 AM
    Saturday, March 10, 2012 5:17 PM
    Moderator
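The fourth point in the answer above rests on a DPAPI property: a blob protected under DataProtectionScope.CurrentUser can only be unprotected by code running in the same user security context, which is why the PCNS service and the password filter must share a context to drain the queue. The script below is an added demonstration of that property and is not code from the thread, from PCNS or from Microsoft; the queue directory, secret and entropy value are constructed test data, and the file layout bears no relation to what PCNS actually writes to disk.

```powershell
# Added example (not from the thread): DPAPI CurrentUser scope demonstration.
# Everything below is constructed test data, not anything PCNS uses.

Add-Type -AssemblyName System.Security

$QueueDir = Join-Path $env:TEMP 'dpapi-queue-demo'
New-Item -ItemType Directory -Path $QueueDir -Force | Out-Null

function Protect-QueueEntry {
    param(
        [Parameter(Mandatory)] [string] $Secret,
        [Parameter(Mandatory)] [string] $Path,
        # Optional extra entropy: a second value the decrypting side must also know.
        [byte[]] $Entropy = $null
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # Protect binds the blob to the calling user's DPAPI master key.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $plain, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.IO.File]::WriteAllBytes($Path, $blob)
    }
    finally {
        # Do not leave the plaintext in memory longer than needed.
        [Array]::Clear($plain, 0, $plain.Length)
    }
}

function Unprotect-QueueEntry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [byte[]] $Entropy = $null
    )
    $blob = [System.IO.File]::ReadAllBytes($Path)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.Text.Encoding]::UTF8.GetString($plain)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # This is the failure a different user context (or wrong entropy) sees.
        "UNPROTECT FAILED: $($_.Exception.Message)"
    }
}

$entry   = Join-Path $QueueDir 'entry-0001.bin'
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-entropy')

Protect-QueueEntry -Secret 'constructed-test-secret' -Path $entry -Entropy $entropy

$onDisk = [System.IO.File]::ReadAllBytes($entry) | Select-Object -First 16 | ForEach-Object { $_.ToString('x2') }
"Raw bytes on disk (first 16) : " + ($onDisk -join ' ')
"Same context, right entropy  : " + (Unprotect-QueueEntry -Path $entry -Entropy $entropy)
"Same context, wrong entropy  : " + (Unprotect-QueueEntry -Path $entry)
# Running Unprotect-QueueEntry on the same file under another account fails the same way,
# because that account's DPAPI master key cannot unwrap this blob.

Remove-Item $QueueDir -Recurse -Force
```

Run it once as yourself and the second line decrypts; run only the Unprotect-QueueEntry half under a different account (or with the wrong entropy, as the third line does) and you get the CryptographicException path instead. That asymmetry is the whole reason the service that drains the queue has to run as the same principal as the filter that wrote it.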

All replies

  • Because LDS instances are differentiated on a server by port number, I would think it would follow the server:port configuration in the MA.

    That said, I've never tried making LDS a target myself.

    Chris

    Thursday, March 8, 2012 2:22 PM
  • Thanks, what if we were to use a different source instead of AD LDS?

    My assumption would be that it follows the port configuration of the MA.

    Thursday, March 8, 2012 10:01 PM
  • The only PCNS source I've ever used and am aware of is AD DS.  With AD LDS I was speaking only of the target for password syncs from the perspective of the sync engine.  LDS doesn't have any "machinery" to capture and transmit the password to FIM.

    Regarding port requirements for PCNS communicating to the sync engine, see this thread.


    Chris
    Thursday, March 8, 2012 10:18 PM
  • Hi,

    Perhaps my question is unclear, or I don't understand the mechanism correctly.

    PCNS is installed on all the DCs, and there is a great deal of ports that are used between the DCs and FIM.
    So - does FIM itself store the password?

    When this password has to be synced with another external entity (by FIM), whether it be Outlook Live, or AD LDS, or SQL or whatever - how does the password get from FIM to the target system?

    So, if the Outlook Live MA uses port 443 to communicate to the cloud, will the password travel over port 443 too?

    From what I recall, FIM uses information from the management agent configuration to process password synchronization requests in real time.

    thanks


    btw. Chris, that link unfortunately does not work
    • Edited by D Wind Thursday, March 8, 2012 11:09 PM
    Thursday, March 8, 2012 10:58 PM
  • This might be the link maybe? http://technet.microsoft.com/en-us/library/cc720599(WS.10).aspx At the very bottom of the page there is info on the ADMA and PCNS Ports (it's for MIIS 2003 - but it hasn't really changed for FIM).

    I'm not familiar with the Outlook Live MA - but if it's using port 443 (i.e. https) I would imagine PCNS would be on the same port.

    Also my understanding is that FIM temporarily "stores" a changing password in memory until all the MAs that are subscribing to password changes have completed the password change in their system.  I wish though they would take the Novell approach and store it using reversible encryption so that the Sync Engine can read a user's current password - very useful for provisioning new accounts for users that already exist.

    Andrew.

    Friday, March 9, 2012 3:42 AM
  • I think FIM may actually store the password encrypted in the database, but only for as long as is necessary to deliver it to all targets as Andrew suggested.  It is processed in real time, not as part of the import/sync/export process the sync engine otherwise follows.

    In the case of the Outlook Live MA using port 443 for its web service calls, the same is done with the password synchronization. 

    Passwords are sent out to the target systems via a password extension.  There must be a DLL specified in the extensions tab of the management agent properties that holds the code for the synchronization, along with all the necessary other configuration pieces. 

    Chris

    Friday, March 9, 2012 4:04 AM
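Both Chris above and the marked answer make the same point: password delivery to a target rides the server:port the MA is already configured with (636 for AD LDS over LDAPS, 443 for the Outlook Live web service). The script below is an added check, not code from the thread or from FIM, for confirming from the FIM Sync server that those endpoints are reachable and actually speak TLS, and for reporting the certificate each presents so expiry or chain problems are visible before a password push fails and lands in the retry queue. The host names and the MA list are constructed placeholders; substitute the values from your own management agent configuration.

```powershell
# Added example (not from the thread): reachability and TLS check for the
# ports an MA uses to deliver passwords. Targets below are constructed
# placeholders; replace them with your own MA server:port settings.

$MaTargets = @(
    [pscustomobject]@{ Name = 'ADLDS MA';        Server = 'adlds01.corp.example';        Port = 636 }
    [pscustomobject]@{ Name = 'Outlook Live MA'; Server = 'provisioning.example.com';    Port = 443 }
)

function Test-MaTargetPort {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 5000
    )

    $result = [ordered]@{
        Server       = $Server
        Port         = $Port
        TcpReachable = $false
        TlsOk        = $false
        CertSubject  = $null
        CertExpires  = $null
        Error        = $null
    }

    # The callback records the validation outcome and returns $true so the
    # handshake completes and we can still report the certificate; TlsOk
    # below is taken from the recorded errors, not from the handshake succeeding.
    $tls = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $tls.Errors = $errors
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Async connect so a filtered port fails fast instead of hanging.
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${Server}:${Port} timed out after ${TimeoutMs} ms"
        }
        $client.EndConnect($async)
        $result.TcpReachable = $true

        # 636 (LDAPS) and 443 (HTTPS) are both TLS-on-connect, so a handshake
        # tells us whether the endpoint really speaks TLS and what it presents.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($Server)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.CertSubject = $cert.Subject
            $result.CertExpires = $cert.NotAfter
            $result.TlsOk = ($tls.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        finally {
            $ssl.Dispose()
        }
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$result
}

$MaTargets | ForEach-Object {
    Test-MaTargetPort -Server $_.Server -Port $_.Port |
        Add-Member -NotePropertyName MA -NotePropertyValue $_.Name -PassThru
} | Format-Table MA, Server, Port, TcpReachable, TlsOk, CertSubject, CertExpires, Error -AutoSize
```

A row with TcpReachable false points at a firewall between FIM and the target; a row that connects but has TlsOk false (name mismatch, untrusted chain, expired certificate) is the case where the MA's export would fail and the password would sit in the tracking table until the retry interval runs out, so it is worth running this from the FIM Sync server itself rather than from a workstation.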
  • On Fri, 9 Mar 2012 03:42:13 +0000, Andrew Silcock wrote:

    I wish though they would take the Novell approach and store it using reversible encryption so that the Sync Engine can read a user's current password - very useful for provisioning new accounts for users that already exist

    Reversible encryption is a horribly insecure method to secure passwords.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Programming just with goto's is like swatting flies with a sledgehammer.

    Friday, March 9, 2012 6:06 AM
  • Thanks Brian!
    Tuesday, March 13, 2012 2:00 AM