FIM for just SSPR

  • Question

  • I have an environment with two FIM servers: SSPR reset/registration is hosted on one, and the rest (Sync, FIM Service, SharePoint Foundation) is installed on the other. The database is hosted on a third server.

    The goal is to use FIM for just SSPR. I was following the guidelines as presented in http://technet.microsoft.com/en-us/library/hh826057(v=ws.10).aspx. But this has a different scenario where a user is created in FIM and then provisioned in AD. I didn't get much info from SSPR deployment guide.

    I need FIM to do just SSPR for users in AD. How do I modify the ADMA, FIMMA and MPRs to accomplish just this? I don't want FIM to make any changes in AD except for password reset, and I don't want FIM to import anything other than first name, last name, sAMAccountName, display name, objectSid, and description to the metaverse from AD (I am assuming the users need to be imported to the metaverse first).

    Any insights would be highly appreciated. Thanks!

    Monday, December 8, 2014 9:36 PM

Answers

  • I haven't used it, but take a look at the quick start tool:

    http://technet.microsoft.com/en-us/library/jj134297%28v=ws.10%29.aspx

    • Proposed as answer by Shim Kwan Tuesday, December 9, 2014 2:20 AM
    • Marked as answer by HuckleberryFinn Wednesday, December 10, 2014 8:36 PM
    Tuesday, December 9, 2014 12:44 AM
  • Quick Start tool will configure metaverse for you so you would have flows from AD to FIM with all required parameters and some additional (DisplayName and Description are a part of that as far as I remember).

    You would need to configure MPRs yourself:

    1. Anonymous users can reset their password
    2. Password reset users set can read password reset objects
    3. Password Reset Users can update the lockout attribute of themselves
    4. User management: Users can read attributes of their own
    5. General: Users can read non-administrative configuration resources
    6. Administration: Administrators can read and update Users

    All tasks that need to be done (other than running the Quick Start tool) are described here:

    Configure Self-Service Password Reset



    Tuesday, December 9, 2014 7:21 AM
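
An added example, not part of the original thread or of the linked guide: a read-only PowerShell audit that compares the MPRs enabled in the FIM Service against the six listed in the answer above. It assumes the FIMAutomation snap-in on the FIM Service server and the default service endpoint; the MPR names are taken as written in the answer, so a "missing" result may only mean the portal spells the name differently.

```powershell
# Added example (not from the thread): read-only audit of FIM Service MPRs.
# Assumption: run on the FIM Service server, where the FIMAutomation snap-in is installed.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = 'http://localhost:5725/ResourceManagementService'   # assumed default endpoint

# MPR display names exactly as written in the answer above.
$expected = @(
    'Anonymous users can reset their password',
    'Password reset users set can read password reset objects',
    'Password Reset Users can update the lockout attribute of themselves',
    'User management: Users can read attributes of their own',
    'General: Users can read non-administrative configuration resources',
    'Administration: Administrators can read and update Users'
)

# Pull one attribute value out of an exported resource (returns $null if absent).
function Get-AttrValue($exportObject, [string]$name) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($attr) { $attr.Value }
}

# Export every MPR without following references; nothing is written back.
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule'

$report = foreach ($m in $mprs) {
    $name     = Get-AttrValue $m 'DisplayName'
    $disabled = Get-AttrValue $m 'Disabled'
    New-Object PSObject -Property @{
        DisplayName = $name
        Enabled     = if ($null -eq $disabled) { 'unknown' } else { $disabled -ne 'True' }
        Expected    = $expected -contains $name
    }
}

'--- Expected SSPR MPRs that are disabled ---'
$report | Where-Object { $_.Expected -and $_.Enabled -eq $false } | Select-Object DisplayName

'--- Expected SSPR MPRs not found under that exact name ---'
$found = @($report | ForEach-Object { $_.DisplayName })
$expected | Where-Object { $found -notcontains $_ }

'--- Enabled MPRs outside the SSPR list (review each one) ---'
$report | Where-Object { -not $_.Expected -and $_.Enabled -eq $true } |
    Sort-Object DisplayName | Select-Object DisplayName
```

The third list is the one to review when the goal is a FIM Service that does nothing beyond SSPR: each enabled MPR outside the six is a permission or workflow trigger that needs a reason to stay on.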

All replies

  • I understand this is not what you are asking for (the quick start tool is a great way to accomplish what you need), but you might want to take a look at Microsoft Azure. It can handle stuff like that.

    The data above this text is pseudorandom, brace yourselves.

    Tuesday, December 9, 2014 7:51 AM
  • This worked in a test environment. Thanks. I guess I will need to build on this.
    Wednesday, December 10, 2014 8:36 PM