FIM/ILM Troubleshooting: Not able to create enabled Active Directory accounts because of Kerberos issues
PROBLEM
In a recent case, we were attempting to create Active Directory user accounts. The Active Directory user object would be created, but disabled. Attempting to enable the account in Active Directory prompted a message indicating that the password had not been set.
We set the password on new objects via unicodePwd, and the value is static, so we wanted to find out what the actual problem was.
CAUSE
A review of a network trace showed that a KPASSWD call had failed with the following error:
KDC_ERR_S_PRINCIPAL_UNKNOWN (Service Principal Unknown)
RESOLUTION
In this case, we discovered that one of the Windows Server 2008 domain controllers was not at Service Pack 1. We upgraded that domain controller to Service Pack 1, tested the export again, and all was well.
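The following PowerShell script is an added example, not part of the original article, for checking the conditions that matter to the KPASSWD exchange shown in the trace above: it lists every domain controller with its OS and service pack so a Windows Server 2008 DC still at RTM stands out, confirms that the kpasswd port (TCP 464) is reachable from the sync server, and confirms that the kadmin/changepw service principal is present on the krbtgt account (the principal a KPASSWD request names, which is what KDC_ERR_S_PRINCIPAL_UNKNOWN says the KDC could not find). It assumes the RSAT ActiveDirectory module and a client OS that provides Test-NetConnection.

```powershell
# Added example (not from the original article): inventory the domain's DCs and flag
# the conditions relevant to a failing KPASSWD exchange from the FIM/ILM sync server.
# Assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows 8.1 / 2012 R2+).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot

# Check 1: OS and service pack of every DC. The article's root cause was a
# Windows Server 2008 (non-R2) DC still at RTM, i.e. with no service pack applied.
# Check 2: is the kpasswd port (TCP 464) reachable from this machine?
$report = foreach ($dc in $dcs) {
    $needsSp1 = ($dc.OperatingSystem -like 'Windows Server*2008*' -and
                 $dc.OperatingSystem -notlike '*R2*' -and
                 [string]::IsNullOrEmpty($dc.OperatingSystemServicePack))
    $tcp464 = Test-NetConnection -ComputerName $dc.HostName -Port 464 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC           = $dc.HostName
        OS           = $dc.OperatingSystem
        ServicePack  = $dc.OperatingSystemServicePack
        Needs2008SP1 = $needsSp1
        Kpasswd464   = $tcp464.TcpTestSucceeded
    }
}
$report | Format-Table -AutoSize

# Check 3: the kpasswd service principal. A KPASSWD request targets kadmin/changepw,
# which is registered as an SPN on the domain's krbtgt account; if the KDC cannot
# resolve that principal the client sees KDC_ERR_S_PRINCIPAL_UNKNOWN.
$krbtgt = Get-ADUser krbtgt -Properties servicePrincipalName -Server $domain.DNSRoot
if ($krbtgt.servicePrincipalName -contains 'kadmin/changepw') {
    'kadmin/changepw SPN is present on krbtgt'
} else {
    'WARNING: kadmin/changepw SPN is missing from krbtgt'
}
```

Run it from the FIM/ILM sync server with an account that can read domain controller and krbtgt objects; any DC with Needs2008SP1 set to True is the case the article describes.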
SEE ALSO
- Current Forefront Identity Manager Resources: http://social.technet.microsoft.com/wiki/contents/articles/forefront-identity-manager-resources.aspx
- Current Certificate Lifecycle Manager Resources: http://social.technet.microsoft.com/wiki/contents/articles/current-certificate-lifecycle-manager-resources.aspx
- Current GalSync Resources: http://social.technet.microsoft.com/wiki/contents/articles/1726.global-address-list-synchronization-galsync-resources.aspx
- Current PCNS – Password Synchronization Resources: http://social.technet.microsoft.com/wiki/contents/articles/2762.pcns-password-synchronization-resource-wiki.aspx
- Extension-DLL-Exception Resources: http://social.technet.microsoft.com/wiki/contents/articles/7515.sync-extension-dll-exception.aspx