FIM Troubleshooting: Provisioning users to AD returns Kerberos-no-logon-server

 

PROBLEM STATEMENT

A Metaverse Rules Extension is used to provision users from SQL Server to Active Directory. The provisioning code and configuration worked in a test environment. In production the Active Directory users are created, but every one of them is created in a disabled state. Reviewing the export run of the Active Directory Management Agent (ADMA) in the Synchronization Service shows a kerberos-no-logon-server error for each user provisioned.

Export Errors: http://msdn.microsoft.com/en-us/library/windows/desktop/ms696483(v=vs.100).aspx

Kerberos-no-logon-server 

An attempt is made to set or change a password attribute, and the management agent cannot resolve a server for the domain part of the logon credentials. This generally means there is a NetBIOS or DNS misconfiguration. This error is returned by the Active Directory management agent or the global address list synchronization management agent.

 

TROUBLESHOOTING

  • Ruled out the management agent account's permissions: the password set failed even when the MA ran as a domain administrator (a diagnostic step only; the account should go back to its least-privilege rights afterwards).
  • Verified the AD MA connection settings.
  • Ruled out name resolution, since the account itself is created; only the password is not set.
  • Gathered a network trace on the synchronization server ( Download Network Monitor 3.4 ).

INFORMATION

  • Provisioning a user with a password brings TCP port 464 (Kerberos password change, kpasswd) into play. The sync engine creates the object over LDAP and then connects to port 464 on the domain controller to set the password. The same port is used by the Password Change Notification Service (PCNS).
  • To understand the issue we only need one piece of how TCP works: the three-way handshake that sets up a connection to a port.
    • The client sends a SYN to the target on the desired port.
    • The target responds with a SYN-ACK.
    • The client ACKs the target's response.

NETWORK TRACE INFORMATION

Successful TCP Session

Three packets and the session is established. Here is how a successful TCP session to TCP port 88 (Kerberos) appears in Network Monitor:

[Screenshot: Network Monitor, successful three-way handshake to TCP port 88] https://microsoft.sharepoint.com/teams/iamsupport/iamblog/Lists/Photos/041113_1324_ADprovision1.png

In the failing case the Active Directory user is created, but it stays disabled because the password is never set. The trace shows a TCP session to Kerberos port 464 with [SynReTransmit] frames: the SYN sent to port 464 is never answered with a SYN-ACK (nor with a RST), so the sync server keeps retransmitting it until it gives up. An unanswered SYN to a host that does answer on other ports (the LDAP write succeeded) is the signature of traffic being silently dropped on the path, typically by a firewall or filter between the synchronization server and the domain controller, rather than a name-resolution problem, even though the export error is reported as kerberos-no-logon-server.

[Screenshot: Network Monitor, SYN retransmissions to TCP port 464 with no SYN-ACK] https://microsoft.sharepoint.com/teams/iamsupport/iamblog/Lists/Photos/041113_1324_ADprovision2.png
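As an added example (not part of the original post), the following PowerShell snippet performs the same check without a network trace: run on the synchronization server, it attempts a TCP three-way handshake to each domain controller on ports 88, 389 and 464 and reports whether the handshake completed, was refused (the DC answered with a RST), or timed out (the SYN was never answered, which is the SynReTransmit case shown above). The domain controller names and the 3-second timeout are placeholders to adjust.

```powershell
# Added example, not from the original post. Run on the FIM synchronization server.
# Checks whether a TCP three-way handshake completes to the ports the AD MA needs.
$DomainControllers = @('dc01.contoso.com', 'dc02.contoso.com')   # assumption: replace with your DCs
$Ports = @{
    88  = 'Kerberos (authentication)'
    389 = 'LDAP (object create/modify)'
    464 = 'Kerberos password change (kpasswd), also used by PCNS'
}
$TimeoutMs = 3000   # assumption: how long to wait for the SYN-ACK

function Test-TcpHandshake {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect sends the SYN; WaitOne waits for the stack to see a SYN-ACK (or a RST).
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN-ACK nor RST arrived: the SYN is being retransmitted and dropped,
            # which is what Network Monitor shows as [SynReTransmit] frames.
            return 'TIMEOUT (SYN not answered - filtered on the path?)'
        }
        $client.EndConnect($async)   # throws if the DC answered with a RST
        return 'OPEN'
    } catch {
        # RST received (nothing listening on that port) or the name did not resolve.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        return "FAILED ($($ex.Message))"
    } finally {
        $client.Close()
    }
}

foreach ($dc in $DomainControllers) {
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $result = Test-TcpHandshake -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs
        '{0,-22} {1,5}  {2,-50} {3}' -f $dc, $port, $Ports[$port], $result
    }
}
```

A DC that shows OPEN on 88 and 389 but TIMEOUT on 464 reproduces the situation in the trace: the object can be written over LDAP while the password set over 464 never gets a connection. The script only exercises the TCP handshake, exactly what the capture above shows; it says nothing about UDP or about whether the Kerberos exchange itself would succeed once the port is reachable.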

ADDITIONAL INFORMATION