Using Password Synchronization

To use password synchronization, you must configure the Active Directory domain, the management agents that connect to the target data sources to be managed for password synchronization, and the server running Microsoft® Forefront Identity Manager (FIM) 2010 R2. For general information about password synchronization, see Password Management. For a detailed password synchronization Step by Step Guide, see the Microsoft Web site.(http://www.microsoft.com/)

Configuring the domain controller

Install the password change notification service (PCNS)

The PCNS components must be installed on each Active Directory domain controller in the Active Directory domain that is participating in password synchronization. If the PCNS is not installed and running on an Active Directory domain controller, then any password changes that originate on that Active Directory domain controller are not synchronized with FIM. Running the file Password Change Notification Service.msion each Active Directory domain controller installs the following components:

 

Component Installed to folder

Password change notification service (Pcnssvc.exe)

\Program Files\Microsoft Password Change Notification

Password change notification configuration utility (Pcnscfg.exe). For more information, see Pcnscfg: Password Change Notification Service (PCNS) Configuration Utility

\Program Files\Microsoft Password Change Notification

Password change notification filter (Pcnsflt.dll)

%systemroot%\system32

ImportantImportant
During the PCNS installation, the Active Directory schema is verified to ensure that classes and attributes needed to run the PCNS are available. If not, you are prompted to log on as a member of the Schema Admins group, and run the following: MSIEXEC.EXE /i "Password Change Notification Service.msi" SCHEMAONLY=TRUE. This extends the Active Directory schema with object classes and attributes needed to install and configure the PCNS. The schema only needs to be extended once for each Active Directory forest. The schema modifications are replicated to all other domain controllers. These attributes are not configured to be stored in the global catalog or indexed.

The following classes and attributes are added during the schema extension:

Schema Object Classes Added by the PCNS

 

CN ID

MS-MIIS-PCNS-Target

1.2.840.113556.1.5.249

MS-MIIS-PCNS-Service

1.2.840.113556.1.5.250

Schema Attributes Added by the PCNS

 

CN ID

MS-MIIS-PCNS-TargetGUID

1.2.840.113556.1.4.1895

MS-MIIS-PCNS-TargetSPN

1.2.840.113556.1.4.1896

MS-MIIS-PCNS-TargetServer

1.2.840.113556.1.4.1897

MS-MIIS-PCNS-TargetAuthenticationService

1.2.840.113556.1.4.1898

MS-MIIS-PCNS-TargetUserNameFormat

1.2.840.113556.1.4.1899

MS-MIIS-PCNS-TargetKeepAliveInterval

1.2.840.113556.1.4.1900

MS-MIIS-PCNS-TargetDisabled

1.2.840.113556.1.4.1901

MS-MIIS-PCNS-TargetEncryptionKey

1.2.840.113556.1.4.1902

MS-MIIS-PCNS-ServiceMaxQueueLength

1.2.840.113556.1.4.1903

MS-MIIS-PCNS-ServiceMaxQueueAge

1.2.840.113556.1.4.1904

MS-MIIS-PCNS-ServiceMaxNotificationRetries

1.2.840.113556.1.4.1905

MS-MIIS-PCNS-ServiceRetryInterval

1.2.840.113556.1.4.1906

MS-MIIS-PCNS-TargetExclusionSID

1.2.840.113556.1.4.1908

MS-MIIS-PCNS-TargetInclusionSID

1.2.840.113556.1.4.1909

MS-MIIS-PCNS-TargetQueueWarningLevel

1.2.840.113556.1.4.1911

MS-MIIS-PCNS-TargetQueueWarningInterval

1.2.840.113556.1.4.1912

noteNote
If you are installing the PCNS on multiple Active Directory domain controllers, Microsoft Systems Management Server (SMS) can be used to install Password Change Notification Service.msi remotely. For more information, see the Microsoft Web Site. (http://www.microsoft.com/)

Configure the service principal name

After installing PCNS, you will need to configure the service principal name (SPN) for the server running FIM.

ImportantImportant
The SPN cannot be set on a local account, and therefore the FIM Synchronization Service service account must configured as a domain account. To change the FIM Synchronization Service service account from a local account to a domain account, create the domain account, re-run FIM setup in repair mode and specify the new domain account.

The SPN is configured by using setspn.exe, a utility included with the Windows 2000 Resource Kit Tools, and Windows Server 2003 Support Tools on the Windows Server 2003 operating system disk. Setspn.exe can be downloaded from the Microsoft Web Site.(http://www.microsoft.com/).

To set the SPN for the server running FIM, type the following command at the command prompt:

setspn.exe -ASPN prefix/FIMservername Domain\FIMAccount

where:

  • SPN prefix is a user-defined name to indicate that this is a target server for the PCNS, for example "PCNSCLNT"

  • FIMservername is the fully qualified domain name of the server running FIM, for example fab-dev-01.usergroup.fabrikam.com

    ImportantImportant
    FIMservername must be a fully qualified domain name for authentication to be successful.

  • Domain\FIMAccount is the Domain\User Name of the FIM Synchronization Service service account. Although an SPN is usually assigned to a computer account, the SPN is assigned to the FIM Synchronization Service service account for password synchronization.

    noteNote
    The SPN must be unique and cannot appear on any other account or the Kerberos authentication fails and passwords do not flow. If you receive an error indicating that the SPN was found on more than one account, you can determine which accounts the SPN is on by using ldifde.exe:

    ldifde -faccounts.txt-r "(servicePrincipalName=SPNprefix*)" -l "cn,dn,servicePrincipalName"

    where:

    accounts.txt is the name and path of the user-specified output file

    SPNprefix* is the SPN prefix specified when you ran setspn.exe.

Configuring the management agent

  • For each management agent that is a target for password synchronization:

  • Enable password management for that management agent.

  • For file-based and database management agents, specify the password extension name.

  • Determine whether to stop with an error or continue the synchronization if a non-secure connection is detected for the target data source.

  • Configure the time FIM waits before reattempting a failed password operation.

  • Set the maximum number of times that a failed password operation is retried.

For more information about configuring management agents for password synchronization, see Configure Password Management and Specify Rules Extensions.

Configuring Forefront Identity Manager

Configure FIM to receive password events from Active Directory

  • Select which Active Directory partitions to enable as password synchronization sources.

  • Select which management agents are targets for password synchronization events from the Active Directory source, and the maximum number of password changes to process.

    For more information, see Configure Directory Partitions.

Enable password synchronization on FIM

  • For security reasons, password synchronization is not enabled by default. When you enable password synchronization, the RPC server on the server running FIM is started. For more information, see Enable Password Synchronization.

ImportantImportant
If the PCNS is already configured on the Active Directory domain before password synchronization is enabled, password change events could be in the PCNS queue, and can be lost if FIM is not fully configured. Therefore, ensure that all target management agents and sources are configured before enabling password synchronization on FIM.

Diagnostics and maintenance

  • Whenever a password change operation completes, the history is saved in the FIM Synchronization Service database in SQL Server. Because a large number of password change operations can increase the size of the database, it is recommended that you save and clear the password change history on a regular basis to limit performance issues on the server running SQL Server. For information about clearing the password change history, see the FIM Developer Reference.

  • Both FIM and the PCNS use the Application log to record activity and failure events. For learning about password synchronization, it is recommended that you set the logging level to high and monitor the Application log closely during the initial configuration and rollout of password synchronization.

    For FIM, there are four logging levels that are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationServices\Logging

    • 0 = Minimal Logging

    • 1 = Normal logging (default)

    • 2 = High logging

    • 3 = Verbose logging

    For PCNS, there are four logging levels that are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters

    • 0 = Minimal Logging

    • 1 = Normal logging (default)

    • 2 = High logging

    • 3 = Verbose logging

    Forefront Identity Manager synchronization events

    Error level 0 events (always logged)

     

    Event Severity Description

    6908

    Error

    The password set operation retry has exceeded the limit.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target management agent name: Display name of the target management agent

    • Target DN: Distinguished name of target user object

    • Target ID: Target object ID

    • RetryCount: Number of retries attempted

    6910

    Information

    Password synchronization has been enabled for FIM.

    6911

    Information

    Password synchronization has been disabled for FIM.

    6912

    Error

    Password notification was received for the account but was not processed because it is the FIM Synchronization Service service account.

    • AccountName: The target account name that the password change was requested for.

    • Reference ID: Reference ID of the password change request

    • Password Last Change Time: The time the password was last changed for the target account.

    • Source Object GUID: The GUID of the user account that originated the password change request.

    • Delivery Attempt

    • Source User Name: The user account that originated the password change request.

    6914

    Error

    The connection from a password notification source failed because it is not a Domain Controller service account.

    • Domain: Name of the source domain where the password change request originated.

    • Server: Name of the source server where the password change request originated.

    6915

    Error

    An error has occurred during authentication to the password notification source.

    6916

    Warning

    FIM has detected that the database has been restored from backup. Password synchronization is disabled on the server running FIM.

    6917

    Error

    A password notification was received but was not processed because the maximum number of changes for this connector space object in a 24-hour period has been reached.

    • Reference ID: Reference ID of the password change request

    • Source Object GUID: The GUID of the user account that originated the password change request.

    • Source DN: Distinguished name of the user account that originated the password change request.

    • Source management agent name

    • Maximum changes

    • Current Change

    6921

    Error

    The password synchronization set operation was not processed because password management is not enabled on the target management agent. The operation will not be retried.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target management agent name: Display name of the target management agent

    • Target DN: Distinguished name of target object

    • Target ID: Target object ID

    • RetryCount: Number of retries attempted

    6922

    Error

    The password synchronization set operation was not processed because password management is not configured on the target management agent. The operation will not be retried.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target management agent name: Display name of the target management agent

    • Target DN: Distinguished name of target object

    • Target ID: Target object ID

    • RetryCount: Number of retries attempted

    6924

    Information

    The password queue history operation was completed successfully.

    • Count: Number of entries deleted

    • User: User account that initiated the call

    6925

    Information

    The password queue clear operation was completed successfully.

    • Count: Number of entries deleted

    • User: User account that initiated the call

    6926

    Error

    A password notification was received but could not be processed because the corresponding management agent is not enabled as a password synchronization source, or has no target management agents configured.

    • Reference ID: Reference ID of the password change request

    • Source Object GUID: GUID of the user account that originated the password change request.

    • Source DN: Distinguished name of the user account that originated the password change request.

    • Source management agent name

    6927

    Error

    The password synchronization set operation failed because the password does not satisfy the password policy of the target system. The operation will not be retried.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target Object GUID: GUID of the target user object

    • Target DN: Distinguished name of target user object

    • Target management agent name: Display name of target management agent

    • RetryCount: Number of retries attempted

    6928

    Error

    The password synchronization set operation failed because the password extension for the target management agent is not configured to support password set operations. The operation will not be retried.

    • Count: Number of entries deleted

    • User: User account that initiated the call

    Error level 1 events

     

    Event Severity Description

    6901

    Warning

    The password failed to go out to the target management agent.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target management agent name: Display name of target management agent

    • Target DN: Distinguished name of target user object

    • Target ID: Target object ID

    • RetryCount: Number of retries attempted

    6923

    Warning

    The password synchronization set operation was not processed because the target connector space object could not be found in the connected directory. The operation will not be retried.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target management agent name: Display name of target management agent

    • Target DN: Distinguished name of target user object

    • Target ID: ID of the target user object

    • RetryCount: Number of retries attempted

    Error level 2 events

     

    Event Severity Description

    6902

    Information

    The password successfully went out to the target management agent.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target management agent name: Display name of target management agent

    • Target DN: Distinguished name of target user object

    • Target ID: ID of the target user object

    • RetryCount: Number of retries attempted

    6903

    Information

    A password notification was received from the password change notification service.

    • Reference ID: Reference ID of the password change request

    • Password Last Change Time: The time the password was last changed for the target account.

    • Source Object GUID: GUID of the user account that originated the password change request.

    • Delivery Attempt

    • Source User Name: Display name of the user account that originated the password change request.

    6904

    Information

    A password notification was rejected by FIM because it could not be located in the connector space.

    • Reference ID: Reference ID of the password change request

    • Source Object GUID: GUID of the user account that originated the password change request.

    6905

    Information

    A password notification was rejected by FIM because the object was not joined to another connector space object through the Metaverse.

    • Reference ID: Reference ID of the password change request

    • Source Object GUID: GUID of the user account that originated the password change request.

    • Source DN: Distinguished name of the user account that originated the password change request.

    • Source management agent name

    6906

    Information

    A password notification was rejected by FIM because the management agent that the object resides in has no target management agents specified for password synchronization.

    • Reference ID: Reference ID of the password change request

    • Source Object GUID: GUID of the user account that originated the password change request.

    • Source DN: Distinguished name of the user account that originated the password change request.

    • Source management agent name

    6907

    Information

    A password notification was successfully staged in FIM for synchronization.

    • Reference ID: Reference ID of the password change request

    • Target Object GUID: GUID of the target user object

    • Target management agent name: Display name of target management agent

    6913

    Information

    The password notification caller has successfully authenticated as a Domain Controller of the following domain:

    • Domain: Name of the source domain where the password change request originated.

    • Server: Name of the source server where the password change request originated.

    6918

    Information

    A password notification was received but was not processed because the timestamp was out of date. This could be caused by the Domain Controller sending password changes out of order.

    • Last password timestamp: The time the password was last changed on the target account.

    • Current password timestamp: The timestamp of the current password change request.

    • Reference ID: Reference ID of the password change request

    • Source Object GUID: GUID of the user account that originated the password change request.

    • Source DN: Distinguished name of the user account that originated the password change request.

    • Source management agent name

    6919

    Information

    A password synchronization set operation was not performed because the timestamp was out of date. The operation will not be retried.

    • Tracking ID: ID of the tracking entry

    • Reference ID: Reference ID of the password change request

    • Target management agent name: Display name of target management agent

    • Target DN: Distinguished name of target user object

    • Target ID: Target user object ID

    • RetryCount: Number of retries attempted

    Error level 3 events

     

    Event Severity Description

    6909

    Information

    A heartbeat has been received from Active Directory.

    • ServerName

    PCNS events

    Error level 0 events

     

    Event Severity Description

    2001

    Information

    The password change notification service started.

    2002

    Information

    The password change notification service stopped.

    2003

    Information

    A new notification queue has been created.

    2004

    Information

    An existing notification queue was found.

    • n notifications read from disk

    • n notifications expired

    • n notifications have no targets

    • n notifications queued for delivery

    2005

    Information

    The queue size for target targetname has decreased below the configured warning level. There are n notifications queued for this target. The configured queue size warning level for this target is queuesize.

    4001

    Warning

    The configuration was loaded, however, there are no active targets configured. No passwords will be queued.

    4002

    Warning

    The configuration was refreshed. There are no active targets configured. No passwords will be queued.

    4003

    Warning

    The target server has not responded to a password notification. The target server may be busy or not responding. The password change notification service will continue to wait for a response.

    • Thread ID

    • Tracking ID

    • User GUID

    • User

    • Target

    • Delivery Attempts

    4004

    Warning

    The target server has not responded to a status query. The target server may be busy or not responding. The password change notification service will continue to wait for a response.

    • Thread ID

    • Target

    4005

    Warning

    The queue size for target targetname has reached or exceeded the configured warning level. There are n notifications queued for this target. The configured queue size warning level for this target is queuesize.

    6000

    Error

    The configuration information does not exist in Active Directory. The service will stop.

    6001

    Error

    An existing notification queue was found.

    • n notifications read from disk

    • n notifications expired

    • n notifications have no targets

    • n notifications queued for delivery

    The remainder of the queue was corrupt. The file has been saved as file name. A new queue has been created.

    6002

    Error

    The handshake between the password filter and the service failed. The service will stop.

    6004

    Error

    An error occurred translating the user GUID into a valid user name.

    6005

    Error

    An error occurred decrypting the password for object object GUID.

    6006

    Error

    There was an error opening the registry key key name.

    6007

    Error

    Error reading a value from the registry.

    • Key: Name of the key attempted to read

    • Value: Value of the key attempted to read

    • Error: Error returned

    6008

    Error

    There was an error writing a value to the registry.

    Key: Name of the registry key attempted to write to

    Value: Value attempted to write to the registry key

    Error: Error returned

    6009

    Error

    The signature in the notification header is invalid. This notification is being discarded with an Access Denied error.

    6010

    Error

    The SID in the notification structure is invalid. This notification is being discarded with an Access Denied error.

    6011

    Error

    The number of bytes requested from the queue file did not match the number of bytes read.

    • Bytes Requested: n

    • Bytes Read: n

    6012

    Error

    An error occurred seeking at offset n in the queue file.

    6013

    Error

    An error occurred while reading the queue file.

    6014

    Error

    The signature in the queue file header is invalid. The queue file will be renamed and a new one will be created.

    6015

    Error

    The queue file is invalid. The hash length in the queue file header does not match the hash length returned by the Cryptographic Service Provider (CSP). The queue file will be renamed and a new one will be created.

    6016

    Error

    The queue file header is invalid. The queue file will be renamed and a new one will be created.

    6017

    Error

    The queue file entry at offset n is invalid. The queue file will be renamed and a new one will be created.

    6018

    Error

    An error occurred while writing the queue file.

    6022

    Error

    An error was returned from the CryptoAPI.

    6023

    Error

    An error occurred while copying a string value.

    6024

    Error

    The data is very large and cannot be processed. The notification will be discarded.

    • Account: User account that initiated the call

    6025

    Error

    The thread thread id received an RPC exception.

    • Error code: Error description

    • RPC extended error information, if available

    6026

    Error

    This machine is not a domain controller. The password change notification service will stop.

    6027

    Error

    The service failed to create an RPC binding for target target name. The target is being disabled. Password changes will not be queued for this target.

    • Thread ID: ID

    6028

    Error

    A target thread terminated unexpectedly. The service will shutdown.

    6029

    Error

    There are more than 50 targets configured in Active Directory, which exceeds the maximum supported by the service. The service will stop.

    6030

    Error

    The PCNS configuration container has been deleted from Active Directory. The service will stop.

    6031

    Error

    The service was unable to open the queue for target target name. The thread will stop.

    Thread ID: ID

    6035

    Error

    The registry value value is not defined as type registry type. This value will be ignored and the default value value will be used.

    7000

    Error

    An unexpected error occurred.

    • Error code: Error description

    Error level 1 events

     

    Event Severity Description

    2100

    Information

    The password notification has been delivered to all targets.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: User account that initiated the call

    • Targets: list of target servers

    2101

    Information

    Target target name is disabled. Password changes will not be queued for this target.

    2102

    Information

    Target target name is enabled. Password changes will be queued for this target

    2103

    Information

    The configuration for Target target name has been deleted. n pending notifications have been updated to remove this target from the list.

    2104

    Information

    The password change notification service is stopping.

    2105

    Information

    The password change notification service is starting.

    2106

    Information

    The service configuration has changed. The new configuration is listed below.

    • Maximum Queue Length: maximum number of password changes that can be stored. Unlimited = 0

    • Maximum Queue Age: maximum time, in seconds, a password changes can remain in the queue before being discarded. Unlimited = 0.

    • Maximum Notification Retries: maximum number of attempts to notify the target server. Unlimited = 0

    • Retry Interval: how often, in seconds, a failed notification will be retried. An integer from 10-3600.

    2107

    Information

    The connection information for target target name has changed. The new connection information is listed below.

    • Server: server address

    • Service Principal Name: SPN

    • Authentication Service: Kerberos

    4100

    Warning

    The password notification could not be delivered to all targets.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    • Successful Targets: target list

    • Failed Targets: target list

    4101

    Warning

    The Active Directory object for account accountname could not be found. This can happen if the account was deleted after the password was set, but before the password notification was received by the service.

    Error level 2 events

     

    Event Severity Description

    2201

    Information

    The password notification was received from the filter.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    • Targets: list of targets

    2202

    Information

    The target target name requested a delay in notifications of n seconds. All notifications to this target will be delayed until time.

    4200

    Information

    This password notification has exceeded the retry limit for the target.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    • Target: target name

    4201

    Information

    There are no active targets configured. The following password notification will not be queued for delivery.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    4202

    Information

    While loading the queue file from disk, all targets scheduled for the following password notification have been disabled or deleted from the configuration. This notification is being discarded.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    4203

    Information

    While refreshing the server configuration, all targets scheduled for the following password notification have been disabled or deleted from the configuration. This notification is being discarded.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    4204

    Information

    While refreshing the server configuration, the following password notification has expired or exceeds the configured maximum queue length. This notification is being discarded.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    4205

    Information

    While loading the queue file from disk, the following password notification has expired. This notification is being discarded.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    4206

    Warning

    The target target name requested an invalid delay in notifications of n seconds. The delay has been adjusted to n seconds. All notifications to this target will be delayed until time.

    4207

    Warning

    The target target name requested a negative delay in notifications of n seconds. This will be ignored and notifications will continue at the current retry or keep-alive interval.

    4208

    Warning

    The following password notification has expired or exceeds the configured maximum queue length. This notification is being discarded.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    Error level 3 events

     

    Event Severity Description

    2300

    Information

    A thread has been started to send notifications to target target name.

    2301

    Information

    The thread for target target name has stopped

    2302

    Information

    The following notification has been sent.

    • Thread ID: ID

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    • Target: Name of the target server

    • Delivery Attempts: n

    2303

    Information

    The password notification security filter has blocked the following notification.

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    • Target: Name of the target server

    4301

    Warning

    A negative acknowledgement was received for the following notification:

    • Thread ID: ID

    • Tracking ID: ID of the tracking entry

    • User GUID: The GUID of the user account that originated the password change request.

    • User: The user account that originated the password change request

    • Target: Name of the target server

    • Delivery Attempts: n

  • FIM also records password change information for auditing purposes. These audit logs are exposed through the WMI interface. For information about password management and WMI, see the FIM Developer Reference.

Show: