Best way to expose Password Registration Portal to the outside

  • Question

  • Hello,

    We are an educational institution currently attempting to provision the Password Reset and Registration portals so that they can be used by Online students who are obviously not domain members or on a campus.

    The reset portal is working just fine as it is Anonymous Auth, and I would like to have some way to use a form to authenticate from the outside for remote students to get to the registration portal without having to have students enter "domain\username" and "password", and then at that point have to enter the password again.

    What is the suggested or preferred way to accomplish this? TMG/UAG?

    Thanks for your time,

    Seth Mall
    Monday, August 12, 2013 7:00 PM

All replies

  • The FIM Password Reset functionality was designed with the following assumption: everyone has an AD account.

    So you can either assign everyone an AD account or use a different Password Reset Tool

    David Lundell, Get your copy of FIM Best Practices Volume 1

    Monday, August 19, 2013 6:14 PM
  • David....I believe what he means when he says, "obviously not domain members or on a campus" that they aren't domain JOINED....because if he has an expectation for them to use the reset portal, and they are online students...then YES....they are domain members.  FIM 2010 R2 gives you what you want Seth...without any further customization to expose the website to them.  The whole point being, if they need to use the reset function...then they don't know their password...or have forgotten it.

    Edit:  You will have to use a proxy service, like TMG, to expose the PW reg and reset portals.

    • Edited by gdtilghman Wednesday, August 21, 2013 6:03 PM
    • Proposed as answer by gdtilghman Wednesday, August 21, 2013 6:03 PM
    Monday, August 19, 2013 9:26 PM
  • Hey There,

    with the death of TMG/UAG what is a good recommendation for this ?

    Friday, February 14, 2014 4:37 PM
  • On Fri, 14 Feb 2014 16:37:08 +0000, MasterPrawn wrote:

    with the death of TMG/UAG what is a good recommendation for this ?

    Is one possible solution. There are also a number of third party
    applications and appliances that do this.

    Paul Adare - FIM CM MVP
    "If you want sympathy, look in the dictionary; it's between sex and
    syphilis." -- Joe Zeff

    Friday, February 14, 2014 5:00 PM
  • Agreed with Paul, the 2012 R2 Remote Access (ADFS Proxy) role should do the job pretty well in this case, although users will still be prompted to enter their passwords a second time after IWA authentication to the Registration portal.

    Insofar as the Registration and Reset roles must both be run on domain-joined servers with good connectivity to DCs and the FIM Service, it's a good idea to protect both with a reverse proxy.

    If there's a hard requirement to enter username and password exactly once during the registration process from a non-domain-joined/Internet machine, one option is to write a custom .NET web application to frontend things, working with the enrollment Powershell cmdlets on the backend.

    FYI, you can avoid entering "DOMAIN\username" or "user@upn.suffix" in the Reset portal by specifying a DefaultDomainName in its web.config. 

    Steve Kradel, Zetetic LLC

    Monday, February 17, 2014 9:11 PM
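As an added example (not posted by anyone in this thread), here is a PowerShell script that applies the DefaultDomainName change Steve describes to the Reset portal's web.config, idempotently and with a backup. The install path in the parameter default and the assumption that the key lives as an `<add key="DefaultDomainName" value="..."/>` element under `<configuration><appSettings>` are assumptions of this example, not something the thread confirms; check your own web.config before running it.

```powershell
<#
  Added example, not from the original thread.
  Sets (or adds) the DefaultDomainName appSetting in the FIM 2010 R2
  Password Reset portal web.config so remote users can type a bare
  username instead of "DOMAIN\username" or "user@upn.suffix".

  ASSUMPTIONS: the default -WebConfigPath below, and that the setting is
  an <add key="DefaultDomainName" value="..."/> element under
  /configuration/appSettings. Verify against your own web.config first.
#>
param(
    [string]$WebConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Portal\web.config',
    [Parameter(Mandatory)][string]$DomainName
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $WebConfigPath)) {
    throw "web.config not found at '$WebConfigPath'"
}

# Keep a timestamped copy so the change can be rolled back
$backup = "$WebConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $WebConfigPath -Destination $backup
Write-Host "Backup written to $backup"

[xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw

# Create <appSettings> if the file has none yet
$appSettings = $cfg.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) {
    $appSettings = $cfg.DocumentElement.AppendChild($cfg.CreateElement('appSettings'))
}

# Update the existing key in place, or add it once; never duplicate it
$node = $appSettings.SelectSingleNode("add[@key='DefaultDomainName']")
if ($node) {
    Write-Host "Updating DefaultDomainName: '$($node.GetAttribute('value'))' -> '$DomainName'"
    $node.SetAttribute('value', $DomainName)
} else {
    Write-Host "Adding DefaultDomainName = '$DomainName'"
    $node = $cfg.CreateElement('add')
    $node.SetAttribute('key', 'DefaultDomainName')
    $node.SetAttribute('value', $DomainName)
    [void]$appSettings.AppendChild($node)
}

$cfg.Save($WebConfigPath)
Write-Host "Saved $WebConfigPath"
```

Run it from an elevated prompt on the Reset portal server, e.g. `.\Set-ResetPortalDefaultDomain.ps1 -DomainName CAMPUS`. Saving web.config makes ASP.NET recycle the application, so do it in a maintenance window; the backup lets you restore the previous file if the portal does not come back up as expected.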