PCNS: Password Synchronization using a one way external/forest trust with Selective Authentication
Note
While you might be able to get the solution outlined in this article to work, it is important to note that it is based on a setup that is not officially supported by Microsoft.
To be supported in production, a two-way trust is required for a solution that includes PCNS.
The article describes using an external trust with Kerberos Forest Search Order (KFSO). This is not working reliably when you have a trusting forest with multiple domains, and may introduce additional problems as side-effects. We strongly recommend you are using a forest trust for this solution.
Introduction
A lot clients who want to use PCNS to synchronize passwords between two forests using selective authentication.
The good news is ... it is possible, reasonably simple and below we will show you how it's done.
First let me explain what the difference is between domain-wide and selective authentication:
- With Domain-wide authentication users from the trusted domains will automatically have access to the resources in the trusting domain.
- With Selective authentication users from the trusted domain need to be granted the specific rights to access resources in the trusting domain. This means that Selective Authentication is much more secure than domain-wide authentication, but also needs permissions to be explicitly granted to the relevant resources that access is required for.
What you need
A one way external/forest trust with the forest/domain running PCNS needs to be trusted by the forest/domain running, My setup it looks as follows:
http://1.bp.blogspot.com/-TG33iIGMKWc/Uj2y8uXFhKI/AAAAAAAAAEo/977f_Kx7BLc/s320/Setup.png
PCNS Installed and configured on the domain controllers running in the trusted domain.
Relevant firewall rules in place to allow PCNS traffic between the trusted and trusting domains. Please refer to this article section "Active Directory Domain Services" for information on the port needed: KB832017
On Windows 2012 you will need to initially setup the trust as domain-wide in order to setup the permissions. Once they are configured you can change the trust back to selective authentication. On Windows 2008 it will prompt you to authenticate in order to assign the permissions.
Name resolution working between the two forests. This can either be via conditional forwarders or by creating a secondary zone for each forest on the opposing forest.
Domain Admin access to the trusting domain in order to assign the permissions and change the required group policies.
Domain Admin access to the trusted domain to lookup user and computer object in the trusted domain and change the required group policies.
You will notice that I use the domain controllers group in place of the machine accounts of the domain controllers for obvious reasons.
How it is done
1. Trust
Setup the trust as specified.
http://1.bp.blogspot.com/-CuD_yGV1LZo/Uj2y9DryNLI/AAAAAAAAAE8/PWSh1_btKt8/s320/Trust1.png
http://1.bp.blogspot.com/-HGl4NOjGNwc/Uj2y9oE-o_I/AAAAAAAAAFM/8pmkQg0-U_w/s320/Trust3.png
http://4.bp.blogspot.com/-tV_UkdgPTco/Uj2y-PHGXEI/AAAAAAAAAFE/SHGk15adFF0/s320/Trust4.png
2.Trusting Domain
Active Directory Users and computers tasks
a. Setup Allowed to Authenticate Permission on the domain controllers
(This will need to be completed on all domain controllers that are resolvable for the domain in DNS. This can also be scripted for larger environments. You can also limit the dns records resolvable to reduce the servers the permission needs to be applied to )
Open ADUC by running DSA.msc
Navigate to the Domain Controllers OU . (Note: Please ensure that the "Advanced Features" option is enabled under view, in order to access the security tab)
Setup the permission in the Advanced Permissions dialog as below to inherit to descendent computer objects
(This is required for the trusted domain controllers to authenticate to the trusting domain controllers to query SPN's and permission).
Navigate to the FIM Synchronization Server and repeat the same permission
http://1.bp.blogspot.com/-l2OhD--cC2g/Uj2y-l_pBAI/AAAAAAAAAFU/qYPW0SSkwj0/s320/permission2.png
(This is required for the trusted domain controllers to authenticate to the FIM Synchronization Server).
? Navigate to the FIM Synchronization Server service account and repeat the same permission.
http://4.bp.blogspot.com/-qzQANl4o8RA/Uj2y-9Gx_TI/AAAAAAAAAFw/a8NmkNHuy0U/s320/permission3.png
(This is required for PCNS on the trusted domain DC's complete to request a context change once the initial RPC bind is established which took me a while and a whole lot on netmon packets to figure out)
Group Policy Management Tasks
Open GPMC.msc on the domain controller
Open GPMC.MSC
Navigate to the "Default Domain Controllers Policy " and right click and select edit.
Navigate to Computer Configuration,
Navigate to Windows Settings
Navigate to Security Settings
Navigate to User Rights Assignment
Navigate to the "Access this computer from the Network" Policy"
http://1.bp.blogspot.com/-hGah-nwfh-k/Uj2y6vD7wfI/AAAAAAAAAEQ/xz_Mf-xh54w/s320/Policy1.png
Add the Trusted domain Domain Controllers group to the list of accounts
http://3.bp.blogspot.com/-v-g3PbgO0RE/Uj2y66pjgyI/AAAAAAAAAEI/RUdG-ufPE-o/s320/Policy2.png
Local Policy Tasks
Log into the FIM Synchronization Server as an Administrator
Open local computer group policy by running "gpedit.msc"
Navigate to Computer Configuration,
Navigate to Windows Settings
Navigate to Security Settings
Navigate to User Rights Assignment
Navigate to the "Access this computer from the Network" Policy"
http://4.bp.blogspot.com/-OjPMjhFbFa8/Uj2y7SyuQfI/AAAAAAAAAEM/R4rIZNTyxcU/s320/Policy3.png
Add the Trusted domain Domain Controllers group to the list of accounts
http://2.bp.blogspot.com/-RGG6c0m2YD0/Uj2y8PANIVI/AAAAAAAAAEk/zw2MMY_3bAQ/s320/Policy4.png
3. Trusted Domain
Group Policy Management Tasks
You can skip these steps when you are using a forest trust. It is recommended to configure PCNS with the FQDN name of the FIM server it reports to. In this case, the standard SPN suffix routing will make sure the Kerberos Ticket requests are routed correctly.
Open GPMC.msc on the domain controller
Open GPMC.MSC
Navigate to the "Default Domain Controllers Policy " and right click and select edit.
Navigate to Computer Configuration,
Navigate to Administrative Templates
Navigate to System
Navigate to Kerberos
Navigate to the "Use forest search order" Policy"
http://1.bp.blogspot.com/-v56705Eo_pg/Uj2y8UyH0xI/AAAAAAAAAEg/rqjAhOx4Fog/s320/Policy5.png
Add the Trusting Domain to the list of Forests to Search for SPN's.
(This is needed for the trusted domain to be able to resolve SPN's in the Trusting domain where the SPN for the FIM synchronization server service account is located- thanks Jorge for this one .. http://jorgequestforknowledge.wordpress.com/2011/09/14/kerberos-authentication-over-an-external-trust-is-it-possible-part-6).
And there we are ..ready to test.
Ready to test
Check the Service Configuration
http://2.bp.blogspot.com/-XyToTcMl_II/Uj23iVaBjkI/AAAAAAAAAF4/3o1uvLvz2N4/s400/pcnscfg.png
Reset the user password
http://2.bp.blogspot.com/-wJ3sBy5zRBU/Uj2y_GTLSEI/AAAAAAAAAFg/oq-op1TARXA/s1600/test1.png
Verify that the password was successfully delivered
http://4.bp.blogspot.com/-QlRhfxj-ld4/Uj2y_5t3EkI/AAAAAAAAAFs/eSwE-hnF86g/s640/test2.png
Check this against AD ... and voila
http://3.bp.blogspot.com/-HGKdjFcxdnk/Uj24NNXFuII/AAAAAAAAAGA/51vmE6accBA/s400/adverified.png
All working!!
References
- Originally published at: http://theidentityguy.blogspot.com.au/2013/09/password-synchronization-with-pcns.html
- Jorge's Quest For Knowledge!- Reference for Expanding SPN forest search scope
- Pcnscfg: Password Change Notification Service (PCNS) Configuration Utility
- How to configure a firewall for domains and trusts