Authenticating users from an untrusted domain for password registration


  • Password registration requires your user to authenticate in order to match the user who logs on to the object in FIM based on its account name, domain and ObjectSID.

    If you don't have a trust between the user domain and the FIM domain you will not be able to do this directly using the user account, as there is no way of including your user's original SID in an access token. For this you would need a trust. So question 1 is what attributes you have populated for these accounts; if Account Name, domain and object SID of the domain where the user exists, I think it is pointless as it won't work anyway (ok - for other purposes it might work).

    I haven't tried it but actually you should be able to do this with FIM, ADFS and UAG (Jerremy Palenchar used to talk on this subject on TEC (RIP)), here is also a Technet blog entry about it:

    In this way you will allow your users to access FIM in this domain, but you will need a shadow account there to allow protocol transition. Thus FIM should have your shadow account details for the user, not your original source account.

    Now publish your registration page in the same way and you should have a working solution :).

    Tomek Onyszko, memberOf Predica FIM Team (, IdAM knowledge provider @

    Sunday, March 3, 2013 11:26 PM
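The following is an added illustration, not code from the post or from FIM itself. It models the match the post describes (account name, domain and ObjectSID must all agree between the logon token and the FIM object) with a small SID encoder/decoder and constructed sample data, to show why an object populated with the source-domain account cannot be matched by the token of a shadow account in the FIM domain. Domain SIDs, account names and the object layout are all assumed sample values.

```python
import struct

# Constructed sample domain SIDs (no RID): the FIM forest's domain and the
# untrusted source domain. Both are made up for this example.
FIM_DOMAIN_SID = "S-1-5-21-1000-2000-3000"
SOURCE_DOMAIN_SID = "S-1-5-21-4000-5000-6000"


def sid_string_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary form AD stores in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])          # 48-bit identifier authority, big-endian
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))   # sub-authorities little-endian


def sid_bytes_to_string(raw):
    """Decode a binary objectSid back into 'S-1-...' form, validating its length."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:]) if sub_count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_part(sid):
    """Drop the RID (last sub-authority); what remains identifies the domain."""
    return sid.rsplit("-", 1)[0]


# Constructed FIM objects, i.e. what the Sync Service could have populated for
# the same person: one from a shadow account in the FIM domain, one from the
# original account in the untrusted source domain.
SHADOW_OBJECT = {
    "AccountName": "jdoe",
    "Domain": "FIMDOM",
    "ObjectSID": sid_string_to_bytes(FIM_DOMAIN_SID + "-1105"),
}
SOURCE_OBJECT = {
    "AccountName": "jdoe",
    "Domain": "SRCDOM",
    "ObjectSID": sid_string_to_bytes(SOURCE_DOMAIN_SID + "-1105"),
}

# Constructed access token as it would arrive after protocol transition to the
# shadow account: the SID is the shadow account's SID, never the source one.
SHADOW_TOKEN = {"AccountName": "jdoe", "Domain": "FIMDOM",
                "Sid": FIM_DOMAIN_SID + "-1105"}


def match_registration_user(token, objects):
    """Return the object whose AccountName, Domain and ObjectSID all equal the
    token's values (the three-way match the post describes), else None."""
    for obj in objects:
        if (obj["AccountName"].lower() == token["AccountName"].lower()
                and obj["Domain"].lower() == token["Domain"].lower()
                and sid_bytes_to_string(obj["ObjectSID"]) == token["Sid"]):
            return obj
    return None


def token_domain_is_trusted(token, trusted_domain_sids):
    """True if the token's domain SID belongs to a domain the FIM forest trusts."""
    return domain_part(token["Sid"]) in trusted_domain_sids


if __name__ == "__main__":
    print("shadow object matched:", match_registration_user(SHADOW_TOKEN, [SHADOW_OBJECT]) is not None)
    print("source object matched:", match_registration_user(SHADOW_TOKEN, [SOURCE_OBJECT]) is not None)
    print("token domain trusted :", token_domain_is_trusted(SHADOW_TOKEN, {FIM_DOMAIN_SID}))
```

Running it shows the shadow-account token matching only the object that carries the shadow account's name, domain and SID; an object populated from the untrusted source account never matches, because its domain SID differs from anything a token in the FIM forest can carry without a trust.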