
I have two domains with a two-way trust relationship (selective authentication). Microsoft Identity Manager is installed, configured and "Password Change Notification Service" is configured and properly delivers password changes with RPC requests to the target FIM Synchronization Service (Kerberos authentication also working properly).

Two AD management agents are configured in MIM: One for the "source" domain and another one for the "target" domain.

Which attributes and join/projection rules need to be configured in order to allow password synchronization on "source" agent and "target" agent?

Official documentation is unclear on that matter and all examples on the Web don't give any hints regarding needed rules/attributes/mapping for password Synchronization.

Plus 'unicodePwd' attribute is write only in Active Directory and there doesn't seem to be any relevant attribute in Metaverse to store this password hash.

donmelchior

1 Answer


Typically, you would have a projection rule in your source MA to generate an object in the metaverse along with at least one import attribute flow to an indexed attribute - say sAMAccountName, employeeID, etc.

You would also have one join rule in your target MA, to link the target accounts to the metaverse objects created by your source MA.

Once the accounts are linked and the password synch service is notified of a new password, the password will be sent over to the target without any need for additional attribute flows.
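A way to check that precondition before troubleshooting PCNS, as an added example that is not part of the answer above: it reads the Synchronization Service's WMI provider (root\MicrosoftIdentityIntegrationServer, class MIIS_CSObject) to confirm that a source connector space object has been projected to a metaverse object and that the target MA holds a connector joined to that same metaverse object. The MA names, the DN and the source-anchor attribute are assumptions; replace them with your own.

```powershell
# Assumed values: adjust to your MA names and a real source account DN.
$SourceMa = 'AD Source MA'
$TargetMa = 'AD Target MA'
$SourceDn = 'CN=Jane Doe,OU=Users,DC=source,DC=example'
$Ns       = 'root\MicrosoftIdentityIntegrationServer'

# Locate the source connector space object for the account.
$srcCs = Get-WmiObject -Namespace $Ns -Class MIIS_CSObject `
    -Filter "MaName='$SourceMa' and Dn='$SourceDn'"
if (-not $srcCs) {
    Write-Warning "Source CS object not found; run an import on '$SourceMa' first."
    return
}

# An empty MvGuid means the object was never projected/joined, so
# PCNS has no metaverse object from which to find a target account.
if ([string]::IsNullOrEmpty($srcCs.MvGuid)) {
    Write-Warning 'Source object is a disconnector: check the projection rule on the source MA.'
    return
}
Write-Host "Source object linked to metaverse object $($srcCs.MvGuid)"

# Now look for a connector in the target MA that is joined to the same MV object.
$tgtCs = Get-WmiObject -Namespace $Ns -Class MIIS_CSObject `
    -Filter "MaName='$TargetMa' and MvGuid='$($srcCs.MvGuid)'"
if (-not $tgtCs) {
    Write-Warning 'No target connector joined to this metaverse object: check the join rule on the target MA.'
    return
}
Write-Host "Target account joined: $($tgtCs.Dn). Password sync can flow to this object."
```

If both checks pass but passwords still do not arrive, the remaining places to look are the password management settings on each MA and the PCNS target configuration, not the attribute flows.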