"Unable to establish a session with the password export server. Either the currently logged on user does not have sufficient permissions to call the Password Export Server or the account that the Password Export Server Service is running under does not have sufficient permissions on the target domain controller. Verify that the logged on user is a member of the Administrators group in the source domain and that the Password Export Server Service account can change passwords of user accounts in the target domain."
Well, after a few hours of working with Microsoft Support, we figured out the issue was due to PAC Validation and that we needed to make a registry change on the source DC running the Password Export Server.
Here is the registry change:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"ValidateKdcPacSignature"=dword:00000000
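One way to apply the change above on the source DC while recording the previous state of the value, so it can be put back once the password migration is finished. This is an added example, not part of the original post or of Microsoft's guidance; the function names and the backup file location are assumptions, and it has to run in an elevated PowerShell session.

```powershell
# Added example. Function names and $StateFile are hypothetical; the key and value come from the post.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'ValidateKdcPacSignature'
$StateFile = Join-Path $env:ProgramData 'pes-pac-validation-backup.json'

function Get-PacSignatureSetting {
    # Returns the current DWORD, or $null when the value is not present.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-PacSignatureSettingForMigration {
    # Save the prior state once (never overwrite an existing backup), then write 0.
    if (-not (Test-Path $StateFile)) {
        $previous = Get-PacSignatureSetting
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            SavedAt    = (Get-Date).ToString('o')
            WasPresent = ($null -ne $previous)
            Value      = $previous
        } | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Restore-PacSignatureSetting {
    # Put the value back exactly as it was before the migration change.
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    if ($saved.WasPresent) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value ([int]$saved.Value) -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $StateFile
}

# Usage on the source DC running the Password Export Server:
#   Set-PacSignatureSettingForMigration   # before the password migration
#   Get-PacSignatureSetting               # confirm the value now reads 0
#   Restore-PacSignatureSetting           # after the migration is complete
```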