FIM 2010 R2 SP1 Addin and extensions password reset via IntERnet? RRS feed

  • Question

  •  Will the password reset addins and extensions for FIM 2010 R2 SP1 work via the internet when the FIM server is exposed to the Internet? Is there any way to get this working?

    Thursday, September 19, 2013 11:43 PM

All replies

  • I did never thought about such a scenario, but as far as i know this is not possible as for the functionality to work computer must be a domain member.

    Also it seems not very practical to me as the you have to deploy these client manually to all the client which come from the Internet.

    For that reason/limitation Microsoft has implemented the Web based PW reset in FIM R2.

    If they are domain member you can maybe use DirectAccess or another client connectivity that work prior login for connecting those client to your corporate network.


    Peter Stapf - Doeres AG - My blog:

    Friday, September 20, 2013 9:08 AM
  • Peter,

    First, thank you for the reply!

    Sorry I should have clarified in my original post.

    The computer is a member of the domain. However they would not be on the company LAN.



    • Edited by jmanley WI Friday, September 20, 2013 1:41 PM
    Friday, September 20, 2013 1:41 PM
  • The extensions require a Kerberos channel to work which isn't something that you would typically see exposed on the Internet. If you have DirectAccess, this can definitely be made to work, though.

    Thanks, Brian

    Friday, September 20, 2013 2:00 PM
  • Brian;

    Thank you again for replying to the thread of another FIM Newb! :)

    I don't have any experience with DirectAccess.

    Does DirectAccess work before the user is logged on to the Laptop in question while just being connected to the internet?

    Based on this article:

    the user just needs TCP/IP connectivity - network connectivity must exist between client, domain controller and target server

    Based on that I'm guessing the connectivity between the client and uber firewalled domain controller is what's killing it and giving me a SOAP Security negotiation failed for target error?

    Friday, September 20, 2013 2:13 PM
  • DA can be configured to work before the user is signed in.

    You're correct on your assumption around the connectivity.

    Thanks, Brian

    Friday, September 20, 2013 2:14 PM