Implementing the Automated Password Synchronization Solution - Step-by-Step

Applies To: Forefront Identity Manager

This document provides step-by-step instructions for implementing the automated password synchronization solution that is described in Automated Password Synchronization Solution Guide for MIIS 2003 at https://go.microsoft.com/fwlink/?LinkId=81749. You will follow these steps to implement the solution:

  • Step 1: Install PCNS on All Active Directory Domain Controllers

  • Step 2: Configure the Service Principal Name (SPN)

  • Step 3: Configure PCNS

  • Step 4: Configure the Management Agents

  • Step 5: Enable Password Synchronization

Step 1: Install PCNS on All Active Directory Domain Controllers

To install Password Change Notification Service (PCNS) on a computer running Microsoft Windows®, you use the Password Change Notification Service.msi file. The file is located on the MIIS 2003 installation CD in the Password Synchronization folder.

Note

The user who installs PCNS must be a member of the Domain Admins group. Additionally, if the Active Directory® directory service schema must be updated to include object classes and attributes that PCNS requires, the user must be a member of the Schema Admins group.

During PCNS installation, MIIS verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not available, you are prompted to update the schema by launching the PCNS Schema Update Wizard.

Note

To update the Active Directory schema, follow the instructions in the PCNS Schema Update Wizard, and then run the Password Change Notification Service.msi file again to install the PCNS components. To modify the Active Directory schema, you must be a member of both the Domain Admins and the Schema Admins groups. The Active Directory schema must be extended only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest. For more information about the object classes and attributes added during the schema update, see MIIS 2003 Help.

To install PCNS

  1. On the MIIS 2003 SP1 installation CD, double-click the Password Change Notification Service.msi icon.

    Use the Password Change Notification Service x64.msi or Password Change Notification Service x86.msi file, as appropriate for the hardware in your environment.

  2. In Welcome to the Setup Wizard for Microsoft Password Change Notification Service, click Next.

  3. In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.

  4. Click Install to begin the installation.

  5. Click Yes to restart your computer now, or click No to restart your computer later.

To verify that PCNS has started

  1. Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command-line prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  3. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  4. Verify that the following events from Pcnssvc.exe are in the log:

    • 2105 – PCNS has started.

    • 2102 – Target <MIIS 2003 server name> is enabled. Password changes will be queued for this MIIS 2003 target server.

    The presence of these events confirms that PCNS has started successfully.

Step 2: Configure the Service Principal Name (SPN)

MIIS 2003 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Microsoft Windows 2000 Resource Kit Tools and the Microsoft Windows Server® 2003 Support Tools on the Windows Server 2003 installation CD.

To configure the SPN using Setspn.exe

  • At a command-line prompt, type the commands shown by the following syntax:

    Setspn.exe -a <user-defined name for the target MIIS 2003 server>/<fully qualified domain name of the server running MIIS 2003> <domain>\<user name of the MIIS 2003 service account>

    For example:

    Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount

    The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to MIIS 2003.

To verify the SPN setting for MIIS 2003

  1. Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command prompt, type setspn -L <MIIS service account>, and then press ENTER.

  3. Verify that the following SPN is registered for the <MIIS service account>: PCNSCLNT/<MIIS server host name>

Step 3: Configure PCNS

To ensure that password change notifications that are sent to the authoritative forests are propagated to all connected directory sources, you configure inclusion and exclusion groups, and also configure Pcnscfg.exe.

Configure Inclusion and Exclusion Groups

To configure PCNS, you must configure an inclusion group, and optionally, an exclusion group. Inclusion and exclusion groups must be security groups. As the names imply, members of these groups are users who are either included or excluded from password synchronization. If you have an existing group for users who must participate in password synchronization, you can specify that group. If not, create a new group. For example you can create a group called PasswordSyncUsers for all users whose passwords you want to synchronize.

Note

Members of the exclusion group are always excluded from password synchronization, even if they are also members of the inclusion group.
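The following PowerShell function is an added example, not part of the MIIS 2003 documentation. It predicts whether a given user is in scope for password synchronization by applying the rule above (inclusion group membership required, exclusion group always wins). It assumes the group names are sAMAccountNames in the current domain and evaluates only direct membership; the user's primary group (for example Domain Users, used as the inclusion group later in this guide) is handled separately because Active Directory does not list it in memberOf.

```powershell
# Added example (not from the MIIS 2003 documentation): predict whether a user's
# password changes are in scope for PCNS, given the inclusion group and an optional
# exclusion group, applying the rule that the exclusion group always wins.
# Assumptions: group names are sAMAccountNames in the current domain, and only
# direct membership is evaluated (memberOf plus the user's primary group).

function Get-AdEntry {
    param(
        [Parameter(Mandatory=$true)][string]$Filter,
        [string[]]$Properties
    )
    $searcher = [adsisearcher]$Filter
    foreach ($p in $Properties) { $searcher.PropertiesToLoad.Add($p) | Out-Null }
    $result = $searcher.FindOne()
    if (-not $result) { throw "No object matches filter $Filter in the current domain." }
    return $result
}

function Test-DirectMember {
    param($User, $Group)   # System.DirectoryServices.SearchResult objects
    $groupDn  = [string]$Group.Properties['distinguishedname'][0]
    $memberOf = @($User.Properties['memberof'] | ForEach-Object { [string]$_ })
    if ($memberOf -contains $groupDn) { return $true }
    # Membership through the primary group (for example Domain Users) is not
    # listed in memberOf, so compare the group's RID with the user's primaryGroupID.
    $sidBytes = [byte[]]$Group.Properties['objectsid'][0]
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $groupRid = [int]$sid.Value.Split('-')[-1]
    return ([int]$User.Properties['primarygroupid'][0] -eq $groupRid)
}

function Test-PcnsSyncScope {
    param(
        [Parameter(Mandatory=$true)][string]$UserSamAccountName,
        [Parameter(Mandatory=$true)][string]$InclusionGroup,
        [string]$ExclusionGroup
    )
    $groupProps = 'distinguishedName','objectSid'
    $user = Get-AdEntry "(&(objectCategory=person)(sAMAccountName=$UserSamAccountName))" `
                        -Properties 'memberOf','primaryGroupID'
    $inc  = Get-AdEntry "(&(objectClass=group)(sAMAccountName=$InclusionGroup))" -Properties $groupProps
    $included = Test-DirectMember -User $user -Group $inc

    $excluded = $false
    if ($ExclusionGroup) {
        $exc = Get-AdEntry "(&(objectClass=group)(sAMAccountName=$ExclusionGroup))" -Properties $groupProps
        $excluded = Test-DirectMember -User $user -Group $exc
    }

    New-Object PSObject -Property @{
        User        = $UserSamAccountName
        InInclusion = $included
        InExclusion = $excluded
        # Exclusion always wins, even for members of the inclusion group.
        InScope     = ($included -and -not $excluded)
    }
}

# Usage (constructed names):
# Test-PcnsSyncScope -UserSamAccountName 'jdoe' -InclusionGroup 'PasswordSyncUsers' -ExclusionGroup 'PasswordSyncExcluded'
```

Run it on a domain-joined machine as a user who can read group membership. A user who is a member of both groups reports InScope = False, which is the behaviour the note above describes.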

Configure Pcnscfg.exe

You use Pcnscfg.exe, a command-line tool, to configure PCNS to process password change requests. Pcnscfg.exe installs with PCNS into the Microsoft Password Change Notification folder, which is in the Program Files folder, on each domain controller. You use Pcnscfg.exe to configure PCNS to send password change notifications to a specific target server running MIIS 2003. For complete documentation about Pcnscfg.exe, see MIIS 2003 Help.

To configure PCNS using Pcnscfg.exe

  • At a command-line prompt, type the commands shown by the following syntax:

    Pcnscfg.exe addtarget /n:<user-defined friendly name of the target server running MIIS 2003> /a:<fully-qualified domain name of the server running MIIS 2003> /s:<the SPN for the MIIS 2003 server> /fi:<the specified inclusion group> /f:3

    For example:

    Pcnscfg.exe addtarget /n:miisdemo /a:fab-dev-01.usergroup.fabrikam.com /s:PCNSCLNT/fab-dev-01.usergroup.fabrikam.com /fi:"Domain Users" /f:3

    You must use a fully-qualified domain name for successful authentication between PCNS and MIIS 2003.

To verify configuration of MIIS 2003 as a target for PCNS

  1. Log on to an Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command-line prompt, navigate to the PCNS installation directory, which is typically C:\Program Files\Microsoft Password Change Notification.

  3. Type Pcnscfg LIST, and then press ENTER.

  4. Verify that the output listing corresponds to the settings that you configured earlier.

    You should see the MIIS 2003 server name, the SPN for the MIIS 2003 service account, the authentication type, the inclusion groups, and any exclusion groups that you configured.

Step 4: Configure the Management Agents

In this step, you configure the Management Agent for Active Directory to push password change requests to the targeted connected directory sources. You also configure the target management agents to receive and process password change requests that PCNS sends from the authoritative Active Directory domain.

Note

You do not have to run the management agents for password synchronization to occur. MIIS 2003 uses information from the management agent configuration to process password synchronization requests in real time.

Configure the Management Agent for Active Directory

Because Active Directory is the only supported password source for password synchronization, all password change requests must be sent to MIIS 2003 by the Management Agent for Active Directory. Also, management agents that are targeted to receive password change notifications from the Active Directory domain must be enabled in the Management Agent for Active Directory.

To configure the Management Agent for Active Directory to receive password change requests

  1. In Identity Manager, open Properties for the Management Agent for Active Directory.

  2. Select the partition from the list, and then, in Password Synchronization, select Enable this partition as a password synchronization source.

  3. Click Targets to display the Target Management Agents dialog box.

  4. Select the management agents to be the targets to receive password change notifications from the authoritative Active Directory domain.

  5. Optionally, under Specify maximum number of password changes for a 24 hour period, change the default setting, which is 5.

Configure the Target Management Agents

You now individually configure the management agents for the connected data sources that will receive password change notifications from the authoritative Active Directory domain.

To configure a target management agent for a connected data source

  1. In Identity Manager, open Properties for the management agent that you want to configure.

  2. For Configure Extension, select Enable password management. This enables both password synchronization and the Windows Management Instrumentation (WMI) interface for the management agent.

  3. Optionally, click Settings to configure any of the following options:

    • Maximum retry count – Specifies the number of times MIIS 2003 attempts to push a password change to the connected data source when there are connectivity errors.

    • Retry interval (seconds) – Specifies how much time elapses between retry attempts.

    • Require secure connection for password synchronization operations – Specifies that a secure connection to the connected data source is required before the management agent attempts to push a password change to that connected data source. If you do not select this option, the management agent pushes the password change to the connected data source regardless of the security level. Examples of secure connections are Secure Sockets Layer (SSL) and "Sign and encrypt LDAP traffic."

Step 5: Enable Password Synchronization

You must enable password synchronization to allow management agents configured for password synchronization to receive and send password change notifications.

To enable password synchronization for MIIS 2003

  1. In Identity Manager, on the Tools menu click Options.

  2. Select Enable Password Synchronization.

To verify that MIIS 2003 is configured to accept passwords from the source Active Directory domain

  1. Log on to the computer running MIIS 2003 with administrative privileges.

  2. Open Identity Manager, on the Tools menu, click Management Agents.

  3. Double-click the Management Agent for Active Directory.

  4. On the Actions menu, click Properties.

  5. Click Configure Directory Partitions.

  6. Verify that the Enable this partition as a password synchronization source check box is selected for each partition that should be configured for password synchronization.

To verify password synchronization configuration in MIIS 2003

  1. Log on to the computer running MIIS 2003 with administrative privileges.

  2. Open Identity Manager, click Tools, and then click Management Agents.

  3. Select a management agent that has been configured as a target.

  4. On the Actions menu, click Properties.

  5. Click Configure Extensions.

  6. Verify that the Enable password management option is selected.

  7. Repeat the previous steps for each management agent that you configured as a target.

Verify the Solution

To further verify the solution, run the following tests. These tests verify that a password change initiated by a user is propagated to selected target connected data sources that are configured for automated password synchronization.

Verify Client Logon

Complete the following procedures to verify that users can log on, with their existing credentials, to both the source Active Directory domain and the target connected data source before any password is changed.

To verify that users can log on to the source Active Directory domain

  1. From a client computer with existing user credentials, log on to the source Active Directory domain.

  2. Verify that the logon process completes successfully.

To verify that users can log on to the target connected data source

  1. From a client computer with existing user credentials, log on to the target connected data source.

  2. Verify that the logon process completes successfully.

Verify Password Change Notification

Complete the following procedures to verify that MIIS 2003 receives password change notification.

To change a password using CTRL+ALT+DEL

  1. From a client computer with existing user credentials, log on to the source Active Directory domain.

  2. Press CTRL+ALT+DEL, and then click Change Password to change the user password.

To verify that the password change is captured by PCNS, and then passed to MIIS 2003

  1. From a client computer, log on to the domain controller with administrative privileges.

  2. At a command prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  3. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  4. Verify that the following events from Pcnssvc.exe are in the log:

    • 2201 – The password notification was received from the filter.

    • 2302 – The following notification has been sent:

      Thread ID: The ID.

      Tracking ID: The ID of the tracking entry.

      User GUID: The GUID of the user account that originated the password change request.

      User: The user account that originated the password change request.

      Target: The name of the target server.

      Delivery Attempts: The number of delivery attempts.

    • 2100 – The password notification has been delivered to all targets.

    The presence of these events confirms that PCNS delivered the password change to MIIS 2003.
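The following PowerShell functions are an added example, not part of the MIIS 2003 documentation. They automate the two Event Viewer checks in this guide on a domain controller: the startup check for events 2105 and 2102 (Step 1) and the delivery check for events 2201, 2302 and 2100 above, and they parse the "Label: value" lines of each 2302 message into an object. The wildcard used to match the event source written by Pcnssvc.exe and the exact line layout of the 2302 message are assumptions.

```powershell
# Added example (not from the MIIS 2003 documentation): read the Application log
# on a domain controller and report the PCNS events this guide uses for
# verification. Assumptions: the source name written by Pcnssvc.exe matches
# "PCNS*", and the 2302 message carries "Label: value" lines as shown in the guide.

function Get-PcnsEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Newest = 2000)
    Get-EventLog -LogName Application -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $_.Source -like 'PCNS*' }
}

function Test-PcnsStarted {
    # Step 1 check: 2105 = service started, one 2102 per enabled MIIS 2003 target.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $events  = @(Get-PcnsEvents -ComputerName $ComputerName)
    $started = @($events | Where-Object { $_.EventID -eq 2105 })
    $targets = @($events | Where-Object { $_.EventID -eq 2102 })
    New-Object PSObject -Property @{
        Computer       = $ComputerName
        ServiceStarted = ($started.Count -gt 0)
        TargetsEnabled = @($targets | ForEach-Object { $_.Message })
    }
}

function ConvertFrom-PcnsNotification {
    # Parse the "Label: value" lines of a 2302 message. "User GUID" is listed
    # before "User" so the longer label wins in the alternation.
    param([Parameter(Mandatory=$true)][string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(Thread ID|Tracking ID|User GUID|User|Target|Delivery Attempts):\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    New-Object PSObject -Property $fields
}

function Test-PcnsPasswordDelivery {
    # Password change check: 2201 = received from the filter, 2302 = sent to a
    # target, 2100 = delivered to all targets.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Newest = 2000)
    $events    = @(Get-PcnsEvents -ComputerName $ComputerName -Newest $Newest)
    $received  = @($events | Where-Object { $_.EventID -eq 2201 })
    $sent      = @($events | Where-Object { $_.EventID -eq 2302 } |
                   ForEach-Object { ConvertFrom-PcnsNotification -Message $_.Message })
    $delivered = @($events | Where-Object { $_.EventID -eq 2100 })
    New-Object PSObject -Property @{
        Computer           = $ComputerName
        ReceivedFromFilter = $received.Count
        Notifications      = $sent
        DeliveredToAll     = $delivered.Count
        # More 2201 than 2100 events means at least one change is still queued
        # or being retried; the Delivery Attempts field of each 2302 shows how often.
        Pending            = ($received.Count -gt $delivered.Count)
    }
}

# Usage:
# Test-PcnsStarted
# (Test-PcnsPasswordDelivery).Notifications | Format-Table 'Tracking ID', User, Target, 'Delivery Attempts' -AutoSize
```

Run the functions on the domain controller itself, or pass -ComputerName from a workstation with remote event log access. Because the log is read newest-first, raise -Newest on a busy domain controller so the events for the change you just made are not cut off.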

Verify Successful Password Change

Complete the following procedure to verify that the changed password in the source Active Directory domain synchronizes with the passwords in the target connected data sources.

To verify successful password change in the target connected data source

  • Log off from the target connected data source, and then use the new password to log on to it again.

Troubleshoot the Solution

The following troubleshooting tips can help you solve problems you might encounter when you implement the automated password synchronization solution.

Problem Installing PCNS

If you are unable to view containers after installing PCNS on the second of multiple domain controllers, you might have installed PCNS with default administrator privileges. You must be a member of the Domain Admins group.

Problem Updating an Active Directory Schema

If you receive an error during an Active Directory Schema update indicating that you have insufficient privileges, verify that you are a member of both the Domain Admins and Schema Admins groups.

Problem Configuring the SPN

If you receive an error indicating that MIIS 2003 found the SPN on more than one service account, you can use Ldifde.exe and the following syntax to determine which accounts have the SPN:

ldifde -f accounts.txt -r "(servicePrincipalName=SPNprefix*)" -l "cn,dn,servicePrincipalName"

The following list describes the placeholders used in the syntax:

  • accounts.txt – The name and path of the user-specified output file.

  • SPNprefix* – The user-defined prefix specified when you ran Setspn.exe. This Guide uses PCNSCLNT.

Use Setspn.exe and the following syntax to remove a duplicate SPN:

Setspn.exe -d <SPN to remove> <service account to remove it from>

For example:

Setspn.exe -d PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount
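The following PowerShell functions are an added example, not part of the MIIS 2003 documentation. They serve both the uniqueness requirement stated in Step 2 and the duplicate-SPN troubleshooting above: the first lists every account that holds an SPN with the PCNSCLNT prefix (the same query the ldifde command performs, returned as objects), and the second groups those registrations by SPN and reports any SPN that appears on more than one account, which is the condition that makes Kerberos authentication fail. The prefix PCNSCLNT and the use of [adsisearcher] in place of ldifde are assumptions.

```powershell
# Added example (not from the MIIS 2003 documentation): list the accounts that
# carry an SPN with the prefix used for the MIIS 2003 service account, and report
# any SPN registered on more than one account. Assumptions: the prefix is PCNSCLNT
# as in this guide; the query runs against the current domain.

function Get-SpnHolders {
    param([string]$SpnPrefix = 'PCNSCLNT')
    $searcher = [adsisearcher]"(servicePrincipalName=$SpnPrefix/*)"
    $searcher.PageSize = 500   # page results so large domains are not truncated
    foreach ($p in 'distinguishedName','sAMAccountName','servicePrincipalName') {
        $searcher.PropertiesToLoad.Add($p) | Out-Null
    }
    foreach ($r in $searcher.FindAll()) {
        # An account may hold several SPNs; emit one object per matching SPN.
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            if ($spn -like "$SpnPrefix/*") {
                New-Object PSObject -Property @{
                    Spn     = [string]$spn
                    Account = [string]$r.Properties['samaccountname'][0]
                    Dn      = [string]$r.Properties['distinguishedname'][0]
                }
            }
        }
    }
}

function Find-DuplicateSpns {
    param([string]$SpnPrefix = 'PCNSCLNT')
    # Kerberos requires each SPN to map to exactly one account: group the
    # registrations by SPN (case-insensitively) and keep those held by more than one.
    Get-SpnHolders -SpnPrefix $SpnPrefix |
        Group-Object -Property Spn |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Spn      = $_.Name
                Accounts = @($_.Group | ForEach-Object { $_.Account })
            }
        }
}

# Usage:
# Get-SpnHolders | Format-Table Spn, Account, Dn -AutoSize
# Find-DuplicateSpns
# Remove the stray registration from the account that should not hold it, e.g.
#   setspn -d PCNSCLNT/fab-dev-01.usergroup.fabrikam.com <domain>\<account to remove it from>
```

An empty result from Find-DuplicateSpns means the SPN is unique, which is what the Step 2 verification expects. Keep the registration on the MIIS 2003 service account and remove it from any other account the report lists.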

Problem Logging On from a Client Computer

If a user cannot log on to one or more connected data sources after changing a password, follow these suggestions:

  • Failed password notification from Active Directory to MIIS 2003 – This problem can occur when the network is unavailable or when the server running MIIS 2003 is unavailable. PCNS queues password change notifications locally on the domain controller, and then retries notification according to its retry interval configuration.

  • Failed password synchronization to a target data source – This problem can occur when the network is unavailable or when the target data source is unavailable. MIIS 2003 queues the password change notification and retries password change notification according to the management agent's configuration for retry attempt and retry interval. All passwords are encrypted while they are stored for retry, and they are deleted when the operation succeeds or retry limits are reached.

  • Failed MIIS 2003 server - This problem can occur if the primary server running MIIS 2003 fails. If the primary server running MIIS 2003 fails, you can configure and activate a warm standby server for automated password synchronization with no loss of password changes. For more information, see MIISactivate: Server Activation Tool in MIIS 2003 Help.

Some problems are serious enough that additional password change notification retries are unlikely to solve them. In such cases, MIIS 2003 logs an error event and stops the process. The events in the following table are not retried.

Event   Severity      Description

6919    Information   The password synchronization set operation was not performed because the timestamp was out of date.

6921    Error         The password synchronization set operation was not performed because password management is not enabled on the target management agent.

6922    Error         The password synchronization set operation was not performed because password management is not configured on the target management agent.

6923    Warning       The password synchronization set operation was not performed because the target connector space object could not be found in the connected data source.

6927    Error         The password synchronization set operation failed because the password does not satisfy the password policy of the target connected data source.

6928    Error         The password synchronization set operation failed because the password extension for the target management agent is not configured to support password set operations.

Additional Resources

For an introduction to automated password synchronization in MIIS 2003, and an overview of this automated password synchronization solution, see the companion document Automated Password Synchronization Solution Guide for MIIS 2003 at https://go.microsoft.com/fwlink/?LinkID=81749.
