Is anyone using this setup? I'm having a bit of an issue with the passwords not syncing..

Bit more info, if it means anything to anyone:
I've set my SPN like this:
Code:
setspn -a PCNSCLNT/dc1.mydomain.com mydomain\ilm
where dc1 is the server running ILM, mydomain.com is the domain, and ilm is the service account I've created.
That seemed to work OK.
But when I tried to run pcnscfg.exe I got an error that the SPN was not found in the domain:
Code:
pcnscfg addtarget /n:PCNSCLNT /a:dc1.mydomain.com /s:PCNSCLNT /fi:"Students" /f:3
I get this warning:
Warning: The Service Principal Name you specified could not be found on any accounts in this domain. This target configuration will not be able to deliver passwords if the Service Principle Name is not configured properly.
Could someone please point out any mistakes in my commands please?

It might be worth posting on the outlook live administrators forum, I'm not using ILM myself so can't help out
I'm guessing you've read through this already but just in case here's the step by step info on PCNS
Implementing the Automated Password Synchronization Solution - Step-by-Step
I've also read about gotchas with password complexity differences between AD and Live so watch out for those at some point as well.
I'm not best convinced by this setup at the moment, hoping Forefront 2010 has a simpler system for managing the passwords. As it stands we're lucky that we won't have to worry about it as we're assigning random number sequences for our students (so many part-time ones we really don't want to be managing password resets all day long!)

Butters (18th March 2010)

Aye, that's what I've been following.. it's the PCNSCLNT bit and the miis thing I'm a bit confused about.
We've already forced a password policy update domain wide in anticipation of live@edu, and I've got ILM provisioning the accounts no worries with just it doing a random password, it's just the creating the accounts and sending up their existing passwords I'm failing at.
PS. ILM for live@edu seems to be really reasonably priced for education

OK so I have resolved this issue myself...
The line should have been
Code:
pcnscfg addtarget /n:PCNSCLNT /a:dc1.mydomain.com /s:PCNSCLNT/dc1.mydomain.com /fi:"Students" /f:3
So now that bit works..
But the password sync is still failing badly..

Password sync is not working. When I do the StartSync -Firstrun, it creates the users, and I get no errors in the event log. However I cannot log in the new users with their AD password. When I try to just change the password of a user that has just been created, I get the following errors:
Code:
Log Name: Application
Source: PCNSSVC
Date: 19/03/2010 2:50:37 PM
Event ID: 2100
Task Category: (1)
Level: Information
Keywords: Classic
User: N/A
Computer: DC5.mydomain.com
Description:
The password notification has been delivered to all targets.
Tracking ID: a00c2d15-68b8-463a-ae6c-a49fe96dac30
User GUID: 508df6ed-949a-4444-9559-157984865ee2
User: ADMINISTRATION\208222
Targets: PCNSCLNT
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="PCNSSVC" /> <EventID Qualifiers="16384">2100</EventID> <Level>4</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-03-19T03:50:37.000Z" /> <EventRecordID>4495</EventRecordID> <Channel>Application</Channel> <Computer>DC5.mydomain.com</Computer> <Security /> </System>
<EventData> <Data>a00c2d15-68b8-463a-ae6c-a49fe96dac30</Data> <Data>508df6ed-949a-4444-9559-157984865ee2</Data> <Data>ADMINISTRATION\208222</Data> <Data>PCNSCLNT</Data> <Data> </Data> </EventData>
</Event>
--------------------------
Log Name: Application
Source: OLMA
Date: 19/03/2010 2:50:41 PM
Event ID: 1010
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: DC5.mydomain.com
Description:
Access is denied.
Error Message: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="OLMA" /> <EventID Qualifiers="49156">1010</EventID> <Level>2</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-03-19T03:50:41.000Z" /> <EventRecordID>4496</EventRecordID> <Channel>Application</Channel> <Computer>DC5.mydomain.com</Computer> <Security /> </System>
<EventData> <Data>Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.</Data> </EventData>
</Event>
---------------
Log Name: Application
Source: MSExchange Common
Date: 19/03/2010 2:50:41 PM
Event ID: 4999
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: DC5.mydomain.com
Description:
The description for Event ID 4999 from source MSExchange Common cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
652
E12
c-buddy-DBG-x86
14.00.0650.021
miiserver
M.E.GALSync.ManagementAgent
M.E.X.PSDataProvider.InvokeCmdlet
M.MetadirectoryServices.AccessDeniedException
3422
14.00.0650.021
False
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="MSExchange Common" /> <EventID Qualifiers="16388">4999</EventID> <Level>2</Level> <Task>1</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-03-19T03:50:41.000Z" /> <EventRecordID>4497</EventRecordID> <Channel>Application</Channel> <Computer>DC5.mydomain.com</Computer> <Security /> </System>
<EventData> <Data>652</Data> <Data>E12</Data> <Data>c-buddy-DBG-x86</Data> <Data>14.00.0650.021</Data> <Data>miiserver</Data> <Data>M.E.GALSync.ManagementAgent</Data> <Data>M.E.X.PSDataProvider.InvokeCmdlet</Data> <Data>M.MetadirectoryServices.AccessDeniedException</Data> <Data>3422</Data> <Data>14.00.0650.021</Data> <Data>False</Data> <Data> </Data> </EventData>
</Event>
---------------
Log Name: Application
Source: MIIServer
Date: 19/03/2010 2:50:41 PM
Event ID: 6800
Task Category: (7)
Level: Error
Keywords: Classic
User: N/A
Computer: DC5.mydomain.com
Description:
The password management extension encountered an error. The stack trace is:
"Microsoft.MetadirectoryServices.PasswordExtensionException: Error in the application.
at Microsoft.Exchange.XmaConnector.PSDataProvider.ReportError(Exception e, ScorecardCounter scorecard)
at Microsoft.Exchange.XmaConnector.PSDataProvider.InvokeCmdlet(PSCommand cmd)
at Microsoft.Exchange.XmaConnector.PSDataProvider.SetDataObject(String task, Dictionary`2 csentry, String[] supportedParameters, Dictionary`2 defaultValues)
at Microsoft.Exchange.XmaConnector.PSDataProvider.SetSyncMailbox(Dictionary`2 csentry)
at Microsoft.Exchange.XmaConnector.XmaExportExLabs.SetPassword(Dictionary`2 Entry)
at Microsoft.Exchange.XmaConnector.PWExtension.IlmPWExtension.SetPassword(CSEntry csentry, String NewPassword)
at Microsoft.Exchange.XmaConnector.PWExtension.IlmPWExtension.SetPassword(CSEntry csentry, String NewPassword)
Microsoft Identity Integration Server 3.3.1139.2"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="MIIServer" /> <EventID Qualifiers="49152">6800</EventID> <Level>2</Level> <Task>7</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-03-19T03:50:41.000Z" /> <EventRecordID>4498</EventRecordID> <Channel>Application</Channel> <Computer>DC5.mydomain.com</Computer> <Security /> </System>
<EventData> <Data>Microsoft.MetadirectoryServices.PasswordExtensionException: Error in the application.
at Microsoft.Exchange.XmaConnector.PSDataProvider.ReportError(Exception e, ScorecardCounter scorecard)
at Microsoft.Exchange.XmaConnector.PSDataProvider.InvokeCmdlet(PSCommand cmd)
at Microsoft.Exchange.XmaConnector.PSDataProvider.SetDataObject(String task, Dictionary`2 csentry, String[] supportedParameters, Dictionary`2 defaultValues)
at Microsoft.Exchange.XmaConnector.PSDataProvider.SetSyncMailbox(Dictionary`2 csentry)
at Microsoft.Exchange.XmaConnector.XmaExportExLabs.SetPassword(Dictionary`2 Entry)
at Microsoft.Exchange.XmaConnector.PWExtension.IlmPWExtension.SetPassword(CSEntry csentry, String NewPassword)
at Microsoft.Exchange.XmaConnector.PWExtension.IlmPWExtension.SetPassword(CSEntry csentry, String NewPassword)
Microsoft Identity Integration Server 3.3.1139.2</Data> </EventData>
</Event>
Could someone please have a look through the errors above, and see if they can spot anything obvious please?

I deleted the whole ILM server (joys of virtualisation) and started fresh.
Took me the whole day (started at 11am and it's now 11pm), but I now have ILM syncing passwords with Live@edu!

Hello, I can't figure out the syntax to configure Pcnscfg.exe. I get this error:
'Pcnscfg.exe' is not recognized as an internal or external command,
operable program or batch file.
I followed these instructions: Implementing the Automated Password Synchronization Solution - Step-by-Step
and also tried not putting the extension .exe, but I still get the same issue.
When I finished step 2 I checked if the installation went through fine, and this is the output of the setspn -L OLSync command: "Registered ServicePrincipalNames for CN=OLSync,CN=Users,DC=adtest,DC=byuh,DC: "
Seems to be configured correctly, but now I'm stuck because when I go to the next step I get that message that PCNSCFG is not recognized.
Can someone help please?
Thanks
Manu
P.S.
I wrote the same question on the Outlook live answers website but I keep getting ignored...very frustrating.

The output to your setspn -L OLSync is incorrect. It should actually give you an extra line after that
Code:
C:\>setspn -L ILMServiceAccount
Registered ServicePrincipalNames for CN=ILMServiceAccount,CN=Users,DC=admin,DC=myschool,DC=nsw,DC=edu,DC=au:
    PCNSCLNT/ilm.admin.myschool.nsw.edu.au
What command did you run for the setspn?

This is the command that I ran:
setspn.exe -A PCNSCLNT/DCTEST.ADTEST.xxx.EDU\OLSync
DCtest is the test domain controller, adtest.xxx.edu is the domain and OLSync is the account that I created to run OLsync.
What am I doing wrong?
Is this why the 'Pcnscfg.exe' is not working?
Thanks
Manu

Code:
setspn.exe -A PCNSCLNT/DCTEST.ADTEST.xxx.EDU nameofyourdomain\OLSync
then the PCNS line would be
Code:
pcnscfg.exe addtarget /n:PCNSCLNT /a:DCTEST.ADTEST.xxx.EDU /s:PCNSCLNT/DCTEST.ADTEST.xxx.EDU /fi:"Domain Users" /f:3
Where it says Domain Users, you can change that to a more specific group. E.g., I used a group called Students.
Make sure you clear any wrong entries by using
Code:
setspn.exe -D <name of the wrong one>
and
Code:
pcnscfg.exe DELETETARGET /n:<name of the wrong one>
You can check what they look like with
Code:
setspn.exe -L OLsync
and
Code:
pcnscfg.exe -LIST
Hope this helps
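
The two mistakes worked through in this thread (a /s: value that is only the service class, and a setspn line that glues the account onto the SPN so nothing usable gets registered) can be checked offline before touching the domain controllers. The following is an added example, not part of the original thread or of Microsoft's tooling; the function names Get-RegisteredSpn and Test-PcnsTargetSpn are hypothetical and the sample setspn output is constructed.

```powershell
# Added example: compare the /s: value of a pcnscfg command with the SPNs
# that "setspn -L <account>" reports. Works on text only, so it runs offline.

function Get-RegisteredSpn {
    param([string]$SetspnListOutput)
    # setspn -L prints one header line, then one indented SPN per line.
    @($SetspnListOutput -split "`r?`n" |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() })
}

function Test-PcnsTargetSpn {
    param([string]$PcnscfgCommand, [string[]]$RegisteredSpn)
    $m = [regex]::Match($PcnscfgCommand, '(?i)\s/s:(\S+)')
    if (-not $m.Success) { return 'No /s: argument found' }
    $spn = $m.Groups[1].Value
    # Assumption: a PCNS target SPN is exactly class/host, with no backslash.
    if ($spn -notmatch '^[^/\\]+/[^/\\]+$') {
        return "'$spn' is not of the form class/host"
    }
    # -notcontains compares case-insensitively, as SPN lookups do.
    if (@($RegisteredSpn) -notcontains $spn) {
        return "'$spn' is not registered on the service account"
    }
    return 'OK'
}

# Constructed sample output of "setspn -L ilm" with and without an SPN.
$withSpn = @'
Registered ServicePrincipalNames for CN=ilm,CN=Users,DC=mydomain,DC=com:
    PCNSCLNT/dc1.mydomain.com
'@
$noSpn = 'Registered ServicePrincipalNames for CN=ilm,CN=Users,DC=mydomain,DC=com:'

$short = 'pcnscfg addtarget /n:PCNSCLNT /a:dc1.mydomain.com /s:PCNSCLNT /fi:"Students" /f:3'
$full  = 'pcnscfg addtarget /n:PCNSCLNT /a:dc1.mydomain.com /s:PCNSCLNT/dc1.mydomain.com /fi:"Students" /f:3'

Test-PcnsTargetSpn $short (Get-RegisteredSpn $withSpn)  # class only, no host
Test-PcnsTargetSpn $full  (Get-RegisteredSpn $noSpn)    # SPN never registered
Test-PcnsTargetSpn $full  (Get-RegisteredSpn $withSpn)  # matches
```

To check a live account, pass the joined output of setspn -L for the service account to Get-RegisteredSpn instead of the constructed strings.
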
Thanks Rabbieburns, now I get the correct code for setspn, but no matter what I write I get the same error for PCNSCFG. I tried to change the folder from where I executed it but it is still the same. I tried to do a search for the actual file on the computer but I could not find it. I believe it is not installed; where do I get it and install it?
Thanks
Manu

It's on the ILM CD in a folder \MIIS\Password Synchronization\ where there is an x86 and an x64 version.
You need to install it on every single one of your Domain Controllers.
Then you need to change to the C:\Program Files\Microsoft Password Change Notification\ folder and run the command from there.