Tuesday, February 12, 2013 3:30 AM
Assuming we have SSPR configured and working. In addition we have PCNS deployed and Rules Extensions written to replicate a password from AD to a 3rd party application. This allows a person to log into the 3rd party application via a web console (the username & password are stored in a local database as replicated by FIM).
If the AD user account is either disabled, locked out or expired I am assuming the user will NOT be able to log into the SSPR Portal to reset their password...which in turn means that no new password will be replicated to this 3rd party application.
Is the above correct? i.e. must the AD account be enabled for all SSPR and PCNS functionality to work correctly?
- Edited by S.Kwan Tuesday, February 12, 2013 3:58 AM
Tuesday, February 12, 2013 6:49 AM
For a locked-out account, SSPR can reset and unlock the account, or this can be done in a workflow. I have not checked these scenarios, but knowing how SSPR works - if the user account is disabled or expires, SSPR should still work for this account, as this isn't a user who is performing the password reset - it is the FIM Service. The user, however, will not be able to log on to AD anyway, but the password should flow to your 3rd party system.
Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl
Tuesday, February 12, 2013 12:19 PM
There should be an option to Unlock the account on the AD MA when pwdresets are done. Enabling an account is a different scenario and basically has nothing to do with a pwdreset. That is, as Tomasz writes, a different workflow, as expiring and/or enabling and disabling accounts follows other rules.
However, password changes are done in AD, PCNS will grab that and replicate to connected systems - so no problem there.
Regards, Soren Granfeldt
blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt