Resources For IT Professionals

United States (English) Drop down arrow

Drop down arrow

Россия (Pусский)中国（简体中文）Brasil (Português)

Post an article

Wikis - Page Details

First published by Tim Macaulay (Microsoft)
When: 12 Mar 2012 7:56 AM
Last revision by Tim Macaulay (bMicrosof)
When: 14 Apr 2013 8:49 AM
Revisions: 5
Comments: 1

Options

Subscribe to Article (RSS)

Can You Improve This Article?

Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.

Troubleshooting: Not able to create enabled Active Directory accounts because Kerberos Issues

Troubleshooting: Not able to create enabled Active Directory accounts because Kerberos Issues

PROBLEM

In a recent case, we were attempting to create Active Directory User Accounts. The Active Directory User object would be created, but disabled. Attempting to enable the account in Active Directory prompts us with a message pertaining to the password not being set.

We are setting the password on new objects via UnicodePwd. This is a static value. So we are concerned as to what the problem actually is here.

CAUSE

A review of a network trace indicated an error with KPASSWD call that failed.

KDC_ERR_S_PRINCIPAL_UNKNOWN (Service Principal Unknown)

RESOLUTION

In this case, we discovered that one of the Windows Server 2008 Domain Controllers was not at Service Pack 1. We upgraded that domain controller to Service Pack 1 and then tested the export and all is well.

SEE ALSO

Current Forefront Identity Manager Resources: http://social.technet.microsoft.com/wiki/contents/articles/forefront-identity-manager-resources.aspx
Current Certificate Lifecycle Manager Resources: http://social.technet.microsoft.com/wiki/contents/articles/current-certificate-lifecycle-manager-resources.aspx
Current GalSync Resources: http://social.technet.microsoft.com/wiki/contents/articles/1726.global-address-list-synchronization-galsync-resources.aspx
Current PCNS – Password Synchronization Resources: http://social.technet.microsoft.com/wiki/contents/articles/2762.pcns-password-synchronization-resource-wiki.aspx
Extension-DLL-Exception Resources: http://social.technet.microsoft.com/wiki/contents/articles/7515.sync-extension-dll-exception.aspx

ADMA CANNOT CREATE ACCOUNTS, ADMA KDC_ERR_S_PRINCIPAL_UNKNOWN, ADMA RESOURCES, ADMA TROUBLESHOOTING, ADMA TROUBLESHOOTING ARTICLE, FIM, FIM Troubleshooting Article, FIM-HELP, FIM-HELP ACTIVE DIRECTORY MANAGEMENT AGENT, FIM-HELP ADMA, FIM-HELP ADMA CANNOT CREATE ACCOUNTS, FIM-HELP ADMA KDC_ERR_S_PRINCIPAL_UNKNOWN, FIM-HELP KDC_ERR_S_PRINCIPAL_UNKNOWN, FIM-HELP RESOURCES, FIM-HELP TROUBLESHOOTING, KDC_ERR_S_PRINCIPAL_UNKNOWN, MIISILMFIM_MACAULAY [Edit tags]

Leave a Comment

Please add 7 and 8 and type the answer here:
Post

Wiki - Revision Comment List(Revision Comment)

| |

Comments

Tim Macaulay

12 Mar 2012 8:17 AM

Tim Macaulay edited Original. Comment: added the see also section
- Edit

Wikis - Comment List

| |

Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.

Comments

Posted by Tim Macaulay

on 12 Mar 2012 8:17 AM

Tim Macaulay edited Original. Comment: added the see also section
Edit