Solved

FIM 2010 Password Synchronization Error 6025

Posted on 2014-07-30
2
775 Views
Last Modified: 2014-10-22
I am running FIM 2010 to sync passwords between two forests. I think I have everything configured properly, Yet, I am still getting an 6025 error. I've read dozens of articles and forum posts on this error but nothing seems to work. I'll paste the full text of that error at the bottom. There is a two way Forest level trust. The FIM server is running in the target forest and PCNS is running in the source forest. The "Forefront Identity Manager Synchronization Service" is running under the AD account target\FIMSynchronization.

In the target forest AD domain functional and forest level is 2008. PCNS is not installed on any DC in the target forest. I used this setspn command:

setspn.exe -A PCNSCLNT/FIM2010.target.priv target\FIMSynchronization

Open in new window


In the source forest AD domain functional level is 2008 and the forest level is 2003. PCNS is installed on all AD servers. I used the following pcnscfg command which points to the FIM server in the target forest and uses a security group from the source forest:

pcnscfg ADDTARGET /N:FIM2010 /A:FIM2010.target.priv /S:PCNSCLNT:FIM2010.target.priv /FI:"source\PasswordSyncUsers-source" /f:3

Open in new window


In FIM2010 under Tools/Options password sync is enabled. On the AD_Source MA in "Configure Directory Partitions" the "Enable this partition as a password synchronization source" is checked and the target is set to AD_Target MA. On the AD_Target MA under "Configure Extensions" "Enable Password Management" is checked.

I have verified there are no duplicate PCNSCLNT SPNs in the target forest and there are no PCNSCLNT SPNs in the source forest.

I can ping the FIM server in the target forest from a DC in the source. DNS is configured properly on both sides.

In the source forest the pcnscfg -list command yeilds:

Targets
  Target Name...........: FIM2010
  Target GUID...........: B690C791-5C91-4885-A053-279015BF2206
  Server FQDN or Address: FIM2010.target.priv
  Service Principal Name: PCNSCLNT:fim2010.target.priv
  Authentication Service: Kerberos
  Inclusion Group Name..: source\PasswordSyncUsers-source
  Exclusion Group Name..:
  Keep Alive Interval...: 0 seconds
  User Name Format......: 3
  Queue Warning Level...: 0
  Queue Warning Interval: 30 minutes
  Disabled..............: False

Total targets: 1

On the FIM2010 server the command setspn -L target\fimsynchronization yeilds:

Registered ServicePrincipalNames for CN=FIM Synchronization,OU=FIM2010,OU=Service Accounts,DC=target,DC=priv:
        PCNSCLNT/fim2010.target.priv

From the source forest if I run setspn -l target.priv\fimsynchronization I get:

Registered ServicePrincipalNames for CN=FIM Synchronization,OU=FIM2010,OU=Service Accounts,DC=target,DC=priv:
        PCNSCLNT/fim2010.target.priv

If I run the same command but leave off the .priv from the domain as below, I get an ldap error.
setspn -l target\fimsynchronization
Ldap Error(0x51 -- Server Down): ldap_open

Applog Error: Event 6025, PCNSSVC

Password Change Notification Service received an RPC exception attempting to deliver a notification. 

The password change notification target could not be authenticated.

User Action:
This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.

Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

Additional Details:

Thread ID: 1924 
Tracking ID: fa091d02-cc5a-4de1-98a2-29053b30578b 
User GUID: 78f79eef-3b34-4e28-8010-97b3ee19c894 
User: HCESC\kelley.hccatest 
Target: FIM2010 
Delivery Attempts: 1239 
Queued Notifications: 2 
0x00000721 - A security package specific error occurred.
 
ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0

ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1461
Flags is 0
NumberOfParameters is 0

ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 141
Flags is 0
NumberOfParameters is 1
Long val: -2146893053

ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 3
Status is -2146893053 - The specified target is unknown or unreachable
Detection location is 140
Flags is 0
NumberOfParameters is 4
Long val: 16
Long val: 6
Unicode string: PCNSCLNT:fim2010.hccanet.priv
Long val: 68126

Open in new window

0
Comment
Question by:hcca
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 500 total points
ID: 40397325
Hello,

You have an error in command to add the target.

pcnscfg ADDTARGET /N:FIM2010 /A:FIM2010.target.priv /S:PCNSCLNT:FIM2010.target.priv /FI:"source\PasswordSyncUsers-source" /f:3

should be:

pcnscfg ADDTARGET /N:FIM2010 /A:FIM2010.target.priv /S:PCNSCLNT/FIM2010.target.priv /FI:"source\PasswordSyncUsers-source" /f:3
                                 
                                 
-JJ
0
 

Author Closing Comment

by:hcca
ID: 40397942
Jamie McKillop you are a Godsend! I'm so ashamed to have missed that detail. I also found that I had two targets configured in the source domain and once these two issues were resolved all password changes are now flowing. I wish I had more points to award!
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question