Accessing FIM Portal from untrusted domain?

    Question

  • We have built out a development environment for FIM 2010 R2 product which is in its own DEV Domain:

    The DEV domain (DEVDomain) has no trust relationship to Production domain (PRODDomain). The DEV domain is on the Production network and accessible by FQDN.

    So far everything seems to work perfectly fine with the FIM web services and the portal as long as you're accessing the Portal from a workstation that is domain-joined to DEV. If I use a workstation domain-joined to Prod, SharePoint then prompts me for credentials, at which point I can enter a credential for a user in the DEV domain and SharePoint will let me in. It is at this point, however, that any attempts to use the FIM Portal result in "The request for security token could not be satisfied because authentication failed."

    I am assuming SharePoint lets me in due to NTLM authentication, but why don't the FIM Web Services behave the same?

    I can also access the FIM Web Services via the ResourceManagement Client from the PROD Domain if I explicitly pass a credential from DEV to the client.

    Is it possible to access the FIM Portal from a workstation that is not in the same domain as the FIM Portal? Even with NTLM authentication? Am I missing a configuration to make this possible?

    Wednesday, April 10, 2013 18:52

Answers

  •  If the FIM Web Services are hosted on Server1, not sure if that attribute should contain something like "HTTP/Server1" or "FIMService/Server1"

    It needs to be filled with FIMService/fimservername.  FIMService is the service name of the ResourceManagement server on :5725.

    Steve Kradel, Zetetic LLC

    Thursday, April 11, 2013 18:04

All replies

  • You're on the right track -- it's probably failing because the SharePoint app pool account can only delegate to the FIM Service using Kerberos Constrained Delegation as documented in the FIM install guide if your original authentication was Kerberos.  It is possible to allow protocol transition, although in my experience this is rather slow for the FIM Portal's case.

    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Wednesday, April 10, 2013 18:59
  • Thanks for the quick response! I'm wondering if it's possible to configure either the Portal or the Web Services to use NTLM? Although part of my problem is understanding the authentication differences between NTLM and Kerberos.

    Wednesday, April 10, 2013 19:14
  • Using ADUC, on the SharePoint app pool account's Delegation tab, switching from "Use Kerberos only" to "Use any authentication protocol" will make things work--somewhat slowly--if users have authenticated to the FIM Portal via NTLM.

    That said, I doubt Microsoft supports such a configuration, and it would generally be better to get users into the FIM Portal with Kerberos.  Perhaps your environment lacks only a name suffix routing entry...


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Wednesday, April 10, 2013 19:33
  • Using ADUC, on the SharePoint app pool account's Delegation tab, switching from "Use Kerberos only" to "Use any authentication protocol" will make things work--somewhat slowly--if users have authenticated to the FIM Portal via NTLM.
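The two answers above (constrained delegation to the FIM Service SPN, plus "Use any authentication protocol" so that an NTLM-authenticated portal session can still be delegated) amount to enabling Kerberos constrained delegation with protocol transition on the SharePoint app pool account. The following PowerShell is an added example, not code from this thread or from Microsoft's FIM documentation: it makes the same change ADUC makes, restricts the delegation target to the single FIMService SPN, and verifies the result. It assumes the ActiveDirectory RSAT module on a DEV-domain machine, run as a DEV domain admin; the account names and the FIM host name are assumptions, and only the service name FIMService comes from the thread.

```powershell
# Added example (not from the thread). Configure and verify constrained delegation
# with protocol transition from the SharePoint app pool account to the FIM Service.
Import-Module ActiveDirectory

$AppPoolAccount    = 'svc-spapppool'                     # assumed: SharePoint app pool identity (DEV domain)
$FimServiceAccount = 'svc-fimservice'                    # assumed: FIM Service account (DEV domain)
$FimServiceSpn     = 'FIMService/fim01.devdomain.local'  # service name per the thread; host name assumed

# userAccountControl bits that govern delegation.
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation; must stay OFF
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition ("Use any authentication protocol")

function Test-FimServiceSpn {
    # An SPN listed in msDS-AllowedToDelegateTo only works if the KDC can map it to
    # exactly one account, and that account must be the FIM Service identity.
    param([string]$Spn, [string]$ExpectedAccount)
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    if ($owners.Count -ne 1) {
        throw "SPN $Spn is registered on $($owners.Count) objects; expected exactly one ($ExpectedAccount)."
    }
    if ($owners[0].sAMAccountName -ne $ExpectedAccount) {
        throw "SPN $Spn is registered on $($owners[0].sAMAccountName), not on $ExpectedAccount."
    }
    return $true
}

function Get-DelegationState {
    # Read back what ADUC's Delegation tab would show, decoded from the raw attributes.
    param([string]$Account)
    $u = Get-ADUser -Identity $Account -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Account             = $u.SamAccountName
        Unconstrained       = [bool]($u.userAccountControl -band $TRUSTED_FOR_DELEGATION)
        ProtocolTransition  = [bool]($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = @($u.'msDS-AllowedToDelegateTo')
    }
}

function Set-FimPortalDelegation {
    param([string]$Account, [string[]]$Spns)
    # Constrained delegation target list: exactly the FIM Service SPN(s), nothing else.
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$Spns }
    # Protocol transition on (the ADUC "Use any authentication protocol" radio button),
    # unconstrained delegation explicitly off.
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true -TrustedForDelegation $false
}

# 1. Make sure the SPN we are about to trust resolves to the FIM Service account.
Test-FimServiceSpn -Spn $FimServiceSpn -ExpectedAccount $FimServiceAccount | Out-Null

# 2. Apply the delegation settings to the app pool account.
Set-FimPortalDelegation -Account $AppPoolAccount -Spns @($FimServiceSpn)

# 3. Verify, and fail loudly if the account ended up broader than intended.
$state = Get-DelegationState -Account $AppPoolAccount
$state | Format-List
if ($state.Unconstrained) {
    throw "$AppPoolAccount has unconstrained delegation enabled; remove it before going further."
}
if (-not $state.ProtocolTransition) {
    throw "Protocol transition is not enabled on $AppPoolAccount; NTLM-authenticated portal users will still fail."
}
if (Compare-Object $state.AllowedToDelegateTo @($FimServiceSpn)) {
    throw "msDS-AllowedToDelegateTo on $AppPoolAccount is not exactly @($FimServiceSpn)."
}
```

Why the verification matters: with protocol transition on, the app pool account can obtain a service ticket to every SPN in msDS-AllowedToDelegateTo for any DEV user without that user's credentials (S4U2Self followed by S4U2Proxy). Whoever controls that account, or the SharePoint box it runs on, can therefore act as any user toward those services, so the target list should contain nothing beyond the FIM Service SPN, unconstrained delegation must stay off, and the supportability caveat in the answer above still applies. Also note that from a PROD-joined workstation there is no trust path to the DEV KDC, so the portal logon will be NTLM regardless; the delegation hop from SharePoint to the FIM Service is the only place where Kerberos is used in this scenario, which is why the app pool account needs protocol transition at all.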

    That said, I doubt Microsoft supports such a configuration, and it would generally be better to get users into the FIM Portal with Kerberos.  Perhaps your environment lacks only a name suffix routing entry...


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Thanks! I will give that a try and see if it works. I don't think I can use Kerberos to access DEV from the PROD domain, due to FIM being in an untrusted domain.

    Wednesday, April 10, 2013 20:33
  • Interesting, in that the ADUC UI makes you specify hosts for constrained delegation when setting it to "Use any authentication protocol".

    I'm not sure how those come into play with SPNs. Do I need the SPNs and the name of the machine for constrained delegation (i.e. FIMService)?

    It seems to have set msDS-AllowedToDelegateTo with what look like SPNs. If the FIM Web Services are hosted on Server1, I'm not sure if that attribute should contain something like "HTTP/Server1" or "FIMService/Server1"?

    Thursday, April 11, 2013 17:56
  •  If the FIM Web Services are hosted on Server1, not sure if that attribute should contain something like "HTTP/Server1" or "FIMService/Server1"

    It needs to be filled with FIMService/fimservername.  FIMService is the service name of the ResourceManagement server on :5725.

    Steve Kradel, Zetetic LLC

    Thursday, April 11, 2013 18:04
  • Thanks for your help! That seems to work. The solution was what you said: setting the SharePoint Service App Pool account to use any authentication protocol to the fimservice account in AD.
    Monday, April 15, 2013 19:33