Hi All,
We're running into issues attempting to sync passwords between two domains that appear to be related to a Kerberos timeout following an FIM 2010 to MIM 2016 upgrade.
We manage the domain in which MIM 2016 is configured (CORP) and have an MA configured for the domain (EXT) we're pushing passwords to. Everything works perfectly well for a couple of hours, then it begins to fail. Originally the issue was reported as being intermittent, but after some investigation I've found the following:
After providing credentials for the service account and selecting "Connect to Active Directory Forest", or selecting "Containers" from within "Configure Directory Partitions", password sync begins to work immediately.
Testing password resets through the day works without issue.
Testing the following morning fails to reset the password on the target domain.
Providing credentials again resolves the issue immediately.
Each time I provide the credentials in the MIM console, the following two events are logged on the server (CORP):
Security-Kerberos
Error code: 0x20 KRB_AP_ERR_TKT_EXPIRED
Extended Error: "0xc0000133 KLIN(0)"
Server Realm: EXT.FQDN
Security-Kerberos
"A Kerberos error message was received" on logon session CORP.FQDN\SVC_FIMSync
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Server Realm: EXT.FQDN
I'm aware the first error indicates a potential issue with time sync between the two domains, but we've had a look at this and the results show a difference of +/- 00.000xxxx, so we don't believe this is the cause.
Has anyone ever come across a similar issue?
Any help is appreciated.
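The following is an added diagnostic script, not something from the original post or from the MIM product. It gathers, on the CORP sync server, the three pieces of evidence the post discusses: the clock offset against an EXT domain controller, the Kerberos tickets cached for the current logon session (with their end and renew times, so they can be compared with the overnight failure window), and the recent Security-Kerberos events that reference the EXT realm. The DC name 'ext-dc01.ext.fqdn' and the 48-hour window are placeholders/assumptions; EXT.FQDN is the realm placeholder used in the post.

```powershell
# Added example (not from the original post). Run on the MIM sync server (CORP),
# ideally in the service account's own context, e.g. from a shell started with
# runas /user:CORP\SVC_FIMSync powershell.exe, so klist shows that account's tickets.
# 'ext-dc01.ext.fqdn' is an assumed placeholder for a domain controller in the EXT forest.
$ExtDc = 'ext-dc01.ext.fqdn'

# 1. Clock offset between this host and the EXT DC. Kerberos tolerates 5 minutes of
#    skew by default; a sub-second offset rules out skew as the cause of
#    KRB_AP_ERR_TKT_EXPIRED (0x20) and points at ticket lifetime/renewal instead.
Write-Host "== Time offset against $ExtDc =="
w32tm /stripchart /computer:$ExtDc /samples:5 /dataonly

# 2. Tickets cached for this logon session, with Start/End/Renew times.
#    Look for the krbtgt/EXT.FQDN referral TGT and the ldap/<ext-dc> service ticket,
#    and compare their 'End Time' and 'Renew Time' with when the sync started failing.
#    (For another session, e.g. the sync service's, use: klist -li <LogonId> tickets)
Write-Host "== Cached Kerberos tickets for this logon session =="
klist tgt
klist tickets

# 3. Security-Kerberos events on this host that mention the EXT realm, so the
#    0x20 / 0x19 errors can be correlated in time with the sync failures.
Write-Host "== Security-Kerberos events referencing EXT.FQDN (assumed 48h window) =="
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    StartTime    = (Get-Date).AddHours(-48)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EXT\.FQDN' } |
    Select-Object TimeCreated, Id,
        @{ n = 'ErrorCodes'; e = {
            ($_.Message | Select-String -Pattern '0x[0-9a-fA-F]+' -AllMatches).Matches.Value -join ',' } } |
    Format-Table -AutoSize -Wrap
```

Reading the output: if w32tm reports an offset well under the 5-minute tolerance (as the post already found), the 0x20 error is better explained by an expired ticket that was not re-obtained than by skew. The klist end/renew times show whether the tickets held by the sync session run out at roughly the interval after which the sync stops working; re-entering credentials in the console establishes a fresh logon session and fresh tickets, which matches the "works again immediately" observation in the post.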