SSPR Configuration with more than one AD RRS feed

  • Question

  • Hello,

    In our environment we are provisioning users to multiple ADs. We are using the Password Reset functionality (SSPR) in the "ABC" AD. The service accounts used by FIM are in the "ABC" AD, and the AD mainly being used is "ABC".

    Is there any way to set up SSPR in the "DEF" AD as well without affecting the existing functionality?


    Regards,
    Manuj Khurana

    Monday, August 4, 2014 12:10 PM

Answers

  • Manuj, I found an article on TechNet, and I see that you will need to set up a trust (not what I thought in my previous answer) => Password reset limitation

    but you still need to flow ObjectSID, Domain, AccountName :) like you do with domain "ABC"

    You can view the DomainConfiguration object under "Administration > All resources > Domain Configuration"


    Sylvain

    • Marked as answer by Manuj Khurana Tuesday, August 5, 2014 1:41 PM
    Tuesday, August 5, 2014 9:22 AM
  • Hi again

    You need import attribute flows from both ADs for the users who need SSPR. You need at least Domain, AccountName and ObjectSID for each user.

    In case your AD user object in "DEF" belongs to the same Person as your AD user object from "ABC" (because you said you are only flowing these attributes from AD "ABC"), then one single password reset action can change passwords in both ADs. In case the user objects belong to different people, you need to import those attributes for the "DEF" accounts as well. And as I said in my first post, you need a trust.

    Henry

    • Marked as answer by Manuj Khurana Tuesday, August 5, 2014 1:56 PM
    Tuesday, August 5, 2014 9:29 AM
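An added check, not from the thread or from FIM's own documentation, that uses the FIMAutomation snap-in to list the DomainConfiguration objects and to find Person objects lacking any of the three attributes (Domain, AccountName, ObjectSID) the answers above say SSPR needs. It assumes the FIM Service is reachable at http://localhost:5725 and that the snap-in is installed on the machine running it.

```powershell
# Added example (not from the thread). Assumes the FIM Service URI below and
# that the FIMAutomation snap-in is available on this host.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = "http://localhost:5725/ResourceManagementService"

# Helper: flatten a FIM export object into a hashtable of attribute -> value.
function ConvertTo-AttributeTable($exportObject) {
    $table = @{}
    foreach ($attr in $exportObject.ResourceManagementObject.ResourceManagementAttributes) {
        if ($attr.IsMultiValue) { $table[$attr.AttributeName] = $attr.Values }
        else                    { $table[$attr.AttributeName] = $attr.Value }
    }
    return $table
}

# 1. One DomainConfiguration object is expected per domain (e.g. "ABC" and "DEF").
$domains = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/DomainConfiguration"
foreach ($d in $domains) {
    $t = ConvertTo-AttributeTable $d
    "DomainConfiguration: {0}" -f $t["DisplayName"]
}

# 2. Report Person objects missing any attribute SSPR relies on to map the
#    portal user back to an AD account; such users cannot register or reset.
$required = @("Domain", "AccountName", "ObjectSID")
$people   = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Person"
$missing  = foreach ($p in $people) {
    $t = ConvertTo-AttributeTable $p
    $absent = $required | Where-Object { -not $t.ContainsKey($_) -or [string]::IsNullOrEmpty($t[$_]) }
    if ($absent) {
        [pscustomobject]@{ DisplayName = $t["DisplayName"]; Missing = ($absent -join ", ") }
    }
}
$missing | Format-Table -AutoSize
```

Run it after the "DEF" import flows are configured and synchronized; any user still listed under Missing will not be able to use SSPR for that domain.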

All replies

  • Hi Manuj

    You can easily integrate additional ADs in SSPR. Users must be able to log on to the FIM Portal to register for SSPR. For this a trust is required between the other user AD domain and the domain where the FIM Server resides. And the AD MA account needs permission to reset passwords of users and enable user accounts.

    You don't need any additional setup steps in your user AD.

    Henry

    Monday, August 4, 2014 12:47 PM
  • Thanks for the information, Henry.

    Can you provide some more detail? Like:

    1. Do we have to enable password management in the other MA for the "DEF" AD as well?

    2. We are not flowing objectSid from the "DEF" AD to the FIM portal. I believe this is a must for the SSPR functionality to work.

    3. Is there any KB article describing the prerequisites or steps to follow?

    Query: Is it possible without a trust? Our main requirement is that we can't create a trust between the two ADs. Or is there any document stating that we can't achieve SSPR functionality without a trust?

    We don't have a test environment for this, and before giving proper justification with proofs we won't get the management approval to start.


    Regards,
    Manuj Khurana



    Monday, August 4, 2014 1:08 PM
  • Hello Manuj,

    1/ Yes, of course!

    2/ No, users will need to be authenticated on the FIMService to use the SSPR functionality. So you need to flow AccountName, Domain and ObjectSid.

    3/ Prerequisites and steps are quite similar to those for one domain. You will probably also need to create the DomainConfiguration object for your domain "DEF".

    Query: A trust is not needed; the account that will do the reset is the account of the MA for AD "DEF", so normally a domain account in "DEF".

    Regards,


    Sylvain

    Tuesday, August 5, 2014 7:17 AM
  • Thanks Sylvain,

    For ObjectSID, Domain, AccountName: we are flowing these for the "ABC" AD and not for the "DEF" AD. So I believe some more light is required from your side on how to get this, i.e. how users from the "DEF" domain can be authenticated to the FIM Service present in the "ABC" AD?

    Also, the MA account used for provisioning to the "DEF" AD is a domain account, but how will that account contact the FIM Service present in the "ABC" AD? And, what about this DomainConfiguration object?


    Regards,
    Manuj Khurana

    Tuesday, August 5, 2014 8:16 AM