Troubleshooting PCNS

  


Scope

Troubleshoot the Password Change Notification Service (PCNS) used with Forefront Identity Manager. This article applies to MIIS, ILM and FIM Sync, which are referred to below as the "sync engine".


Reference documents

  1. Implementing the Automated Password Synchronization Solution - Step-by-Step
  2. Automated Password Synchronization Solution Guide for MIIS 2003 (download here)
  3. Microsoft Identity Integration Server 2003 Scenarios with
  4. MIIS 2003 walkthrough: Password Synchronization doc
  5. Password Synchronization Port Settings (in Management Agent port, rights and permissions; download here)
  6. Sync engine Help

Tasks

Check Requirements

- Verify the requirements for forest trusts. Also verify the forest and domain functional levels (they cannot be in mixed mode).

  • Cf. reference (2): "/../ In an optimal configuration, PCNS and MIIS 2003 are in the same forest because they authenticate to each other using Kerberos authentication. PCNS and MIIS 2003 can be in different forests only if the forests have cross-forest trusts. /../"

PCNS Schema update info

- Make sure the PCNS schema update has been installed and replicated properly.

Schema Object Classes Added by the PCNS

  CN                      ID
  MS-MIIS-PCNS-Target     1.2.840.113556.1.5.249
  MS-MIIS-PCNS-Service    1.2.840.113556.1.5.250

Schema Attributes Added by the PCNS

  CN                                            ID
  MS-MIIS-PCNS-TargetGUID                       1.2.840.113556.1.4.1895
  MS-MIIS-PCNS-TargetSPN                        1.2.840.113556.1.4.1896
  MS-MIIS-PCNS-TargetServer                     1.2.840.113556.1.4.1897
  MS-MIIS-PCNS-TargetAuthenticationService      1.2.840.113556.1.4.1898
  MS-MIIS-PCNS-TargetUserNameFormat             1.2.840.113556.1.4.1899
  MS-MIIS-PCNS-TargetKeepAliveInterval          1.2.840.113556.1.4.1900
  MS-MIIS-PCNS-TargetDisabled                   1.2.840.113556.1.4.1901
  MS-MIIS-PCNS-TargetEncryptionKey              1.2.840.113556.1.4.1902
  MS-MIIS-PCNS-ServiceMaxQueueLength            1.2.840.113556.1.4.1903
  MS-MIIS-PCNS-ServiceMaxQueueAge               1.2.840.113556.1.4.1904
  MS-MIIS-PCNS-ServiceMaxNotificationRetries    1.2.840.113556.1.4.1905
  MS-MIIS-PCNS-ServiceRetryInterval             1.2.840.113556.1.4.1906
  MS-MIIS-PCNS-TargetExclusionSID               1.2.840.113556.1.4.1908
  MS-MIIS-PCNS-TargetInclusionSID               1.2.840.113556.1.4.1909
  MS-MIIS-PCNS-TargetQueueWarningLevel          1.2.840.113556.1.4.1911
  MS-MIIS-PCNS-TargetQueueWarningInterval       1.2.840.113556.1.4.1912
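As an added check (example script, not from the article or the PCNS documentation), the following PowerShell confirms that every object in the tables above exists in the forest schema with the expected OID. It assumes the ActiveDirectory module (RSAT) and read access to the schema naming context; the optional -Server parameter lets you query individual DCs to spot replication lag.

```powershell
# Added example, not part of the article: verify the PCNS schema extension.
# Assumes the ActiveDirectory module and read access to the schema NC.
Import-Module ActiveDirectory

# CN -> OID pairs copied from the tables. Classes carry their OID in governsID,
# attributes in attributeID; both kinds are checked the same way.
$PcnsSchema = @{
    'MS-MIIS-PCNS-Target'                        = '1.2.840.113556.1.5.249'
    'MS-MIIS-PCNS-Service'                       = '1.2.840.113556.1.5.250'
    'MS-MIIS-PCNS-TargetGUID'                    = '1.2.840.113556.1.4.1895'
    'MS-MIIS-PCNS-TargetSPN'                     = '1.2.840.113556.1.4.1896'
    'MS-MIIS-PCNS-TargetServer'                  = '1.2.840.113556.1.4.1897'
    'MS-MIIS-PCNS-TargetAuthenticationService'   = '1.2.840.113556.1.4.1898'
    'MS-MIIS-PCNS-TargetUserNameFormat'          = '1.2.840.113556.1.4.1899'
    'MS-MIIS-PCNS-TargetKeepAliveInterval'       = '1.2.840.113556.1.4.1900'
    'MS-MIIS-PCNS-TargetDisabled'                = '1.2.840.113556.1.4.1901'
    'MS-MIIS-PCNS-TargetEncryptionKey'           = '1.2.840.113556.1.4.1902'
    'MS-MIIS-PCNS-ServiceMaxQueueLength'         = '1.2.840.113556.1.4.1903'
    'MS-MIIS-PCNS-ServiceMaxQueueAge'            = '1.2.840.113556.1.4.1904'
    'MS-MIIS-PCNS-ServiceMaxNotificationRetries' = '1.2.840.113556.1.4.1905'
    'MS-MIIS-PCNS-ServiceRetryInterval'          = '1.2.840.113556.1.4.1906'
    'MS-MIIS-PCNS-TargetExclusionSID'            = '1.2.840.113556.1.4.1908'
    'MS-MIIS-PCNS-TargetInclusionSID'            = '1.2.840.113556.1.4.1909'
    'MS-MIIS-PCNS-TargetQueueWarningLevel'       = '1.2.840.113556.1.4.1911'
    'MS-MIIS-PCNS-TargetQueueWarningInterval'    = '1.2.840.113556.1.4.1912'
}

function Test-PcnsSchema {
    # -Server is optional; query each DC in turn to detect a schema that has not replicated yet.
    param([string]$Server)
    $common = @{}
    if ($Server) { $common['Server'] = $Server }
    $schemaNC = (Get-ADRootDSE @common).schemaNamingContext
    foreach ($cn in ($PcnsSchema.Keys | Sort-Object)) {
        $obj = Get-ADObject @common -SearchBase $schemaNC -LDAPFilter "(cn=$cn)" `
                   -Properties governsID, attributeID
        $oid = if ($obj) { if ($obj.governsID) { $obj.governsID } else { $obj.attributeID } }
        $status = if (-not $obj) { 'MISSING' }
                  elseif ($oid -ne $PcnsSchema[$cn]) { 'OID MISMATCH' }
                  else { 'OK' }
        [pscustomobject]@{ CN = $cn; Expected = $PcnsSchema[$cn]; Found = $oid; Status = $status }
    }
}

Test-PcnsSchema | Format-Table -AutoSize
```

Any row that is MISSING on one DC but OK on another points to replication, not to the schema update itself.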

 

AD Replication

- Verify AD replication, DC diagnostics (dcdiag) and network diagnostics (netdiag)

PCNS Installation on DCs

- Verify PCNS has been installed on all AD domain controllers (See: Step 1: Install PCNS on All Active Directory Domain Controllers in the Implementing the Automated Password Synchronization Solution – Step-by-Step guide.)

Verbose logging

- Enable verbose logging for PCNS and the sync engine

PCNS

For PCNS, four logging levels are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters

  0 = Minimal logging
  1 = Normal logging (default)
  2 = High logging
  3 = Verbose logging

For example, to enable verbose logging:

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters" /v EventLogLevel /t REG_DWORD /d 3

Sync engine

In MIIS 2003, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging

  0 = Minimal logging
  1 = Normal logging (default)
  2 = High logging
  3 = Verbose logging

For FIM 2010, the same four levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FimSynchronizationService\Logging

  0 = Minimal logging
  1 = Normal logging (default)
  2 = High logging
  3 = Verbose logging

For example, to enable verbose logging on FIM 2010:

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Logging" /v FeaturePwdSyncLogLevel /t REG_DWORD /d 3

Clock

DNS

  • Verify DNS name resolution: the domain controllers running PCNS must be able to resolve the name of the sync engine server.

Port Settings

Minimum Permissions

  Operation: Install PCNS
  Minimum permissions: If the Active Directory schema needs to be updated, you must be a member of the Schema Admins group or the Enterprise Admins group. If the Active Directory schema is already updated, you need to be a member only of the Domain Admins group.

  Operation: Synchronize passwords from one Active Directory forest to another Active Directory forest, when MIIS 2003 is installed on a domain controller within one of the forests
  Minimum permissions: There must be a two-way forest trust established between the Active Directory forests.

Communication Protocols and Ports

  Service                                                     Protocol   Port
  Kerberos                                                    TCP/UDP    88
  DNS                                                         TCP/UDP    53
  Kerberos Change Password                                    UDP        464
  RPC Endpoint mapper                                         TCP        135
  Dynamic RPC ports (PCNS)                                    TCP        5000-5100
  Dynamic RPC ports (management agent for Active Directory)   TCP        57500-57520
  LDAP                                                        TCP/UDP    389

Rights

  • Make sure the service account used in the target MA has sufficient rights to set the password.
  • Verify the firewall configuration, both between the servers and on the servers themselves.

Service configuration

  • Verify the PCNS configuration (check the details of the server, service and service account names)
    • use the "pcnscfg LIST" command; see the step-by-step guide (1)
  • Verify the SPN configuration
    • See this KB article to install setspn.exe (see the section "Configure a service principal name for the domain user account")
    • use setspn -L <MIIS service account>, where <MIIS service account> is the service account running the synchronization service. The output of the command should contain: PCNSCLNT/server_fully_qualified_name. Example: PCNSCLNT/SYNCSRV.contoso.com
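An added example (not part of the article) that runs on a domain controller hosting PCNS and checks the items above against one sync-engine server: the PCNSCLNT SPN on the sync service account (and that no other account holds the same SPN), TCP reachability of the RPC endpoint mapper port from the ports table, and the PCNS EventLogLevel value from the Verbose logging section. SYNCSRV.contoso.com and svc-fimsync are placeholder names.

```powershell
# Added example, not part of the article. Assumes the ActiveDirectory module on the DC.
Import-Module ActiveDirectory

function Test-PcnsSpn {
    param([string]$SamAccountName, [string]$SyncServerFqdn)
    # Expected form from the article: PCNSCLNT/server_fully_qualified_name
    $expected = "PCNSCLNT/$SyncServerFqdn"
    $spns = (Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName).servicePrincipalName
    # A duplicate SPN on a second account breaks Kerberos, so count every owner in the domain.
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$expected)"
    [pscustomobject]@{
        Expected   = $expected
        Present    = [bool]($spns -contains $expected)   # -contains is case-insensitive
        OwnerCount = @($owners).Count                     # must be exactly 1
    }
}

function Test-PcnsTcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect with a short timeout, so a silently dropping firewall does not stall the check.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ok = $client.BeginConnect($Target, $Port, $null, $null).AsyncWaitHandle.WaitOne($TimeoutMs)
        return ($ok -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Get-PcnsEventLogLevel {
    # Value from the Verbose logging section; when it is absent the service uses the default (1).
    $key = 'HKLM:\System\CurrentControlSet\Services\PCNSSVC\Parameters'
    $v = (Get-ItemProperty -Path $key -Name EventLogLevel -ErrorAction SilentlyContinue).EventLogLevel
    if ($null -eq $v) { 1 } else { [int]$v }
}

$syncServer = 'SYNCSRV.contoso.com'   # placeholder, the article's example name
$svcAccount = 'svc-fimsync'           # placeholder sAMAccountName of the sync service account

Test-PcnsSpn -SamAccountName $svcAccount -SyncServerFqdn $syncServer
# Port 135 is the RPC endpoint mapper from the table; the PCNS RPC port itself is negotiated
# through it and falls in the table's dynamic range, so 135 must be reachable first.
"{0}:135 reachable = {1}" -f $syncServer, (Test-PcnsTcpPort -Target $syncServer -Port 135)
"PCNS EventLogLevel on this DC = {0}" -f (Get-PcnsEventLogLevel)
```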

Sync engine

  • Check that password synchronization has been enabled on the sync engine server (Tools > Options)

[Screenshot from FIM 2010]

  • Check that the password source MA (AD MA) has been configured properly

  • Check that the password target MA has been configured properly for password changes

Finally, search the ILM and FIM forums for the specific error message; some useful keyword combinations, for example:

  • "target could not be authenticated" (on the ILM vs. FIM forum)
  • "exceeded the maximum retry limit" (on the ILM vs. FIM forum)
  • PCNS "RPC server is unavailable" (on the ILM vs. FIM forum)
  • PCNS "forest trust" (on the ILM vs. FIM forum)
  • ...

See Also

Note

To provide feedback about this article, create a post on the FIM TechNet Forum.