SSPR integration with no PCNS and password extensions

  • Question

  • Hi all,

    I can't believe I'm having to ask this as I feel like it's something I should know, but here goes nothing...

    Does FIM/MIM SSPR only reset the AD password and not recursively every supported, connected system? We've developed a password extension for a web service implemented using ECMA and successfully tested that the password reset works when triggered through a WMI SetPassword call, but the password is not being reset when a user completes self service password reset.

    Does it normally reset the password in AD, which gets communicated back using PCNS and changed in the other systems?  I guess that's not normally too much of an issue, as FIM/MIM is heavily AD-integrated, but it's interesting that I've only just come across this as an issue with our customer who is risk averse and still considering PCNS through change control in a hybrid test/development (I know, I know..), so at the moment their testing is failing.

    Any clarification would be helpful just to support my findings.

    Thanks,

    Paul.

    Thursday, September 1, 2016 10:59 AM

Answers

  • Paul-

    My recollection is that the password reset workflow finds your CS object in each AD connector space and sets the password directly on them. So, you'd need PCNS to relay that password change back to FIM Sync and then downstream to your ECMA.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Paul Green Thursday, September 1, 2016 7:06 PM
    Thursday, September 1, 2016 2:30 PM
    Moderator

All replies

  • Thanks Brian, that's consistent with what I've found too - thanks for confirming it's by design rather than something not working! Cheers, Paul
    Thursday, September 1, 2016 7:06 PM
  • I'll just expand upon this based on some recent findings too...

    It does not even go through multiple AD connector space objects - it only resets the password on the one corresponding to the accountName and domain according to the object in the FIM/MIM service.

    Thanks,

    Paul.

    Wednesday, September 7, 2016 12:32 PM
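The following PowerShell is an added diagnostic for the behaviour described in Brian's answer and Paul's follow-up; it is not code from the thread or from Microsoft. It uses the FIM/MIM Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_CSObject, method SetPassword) to do two things: locate the AD connector space object the way SSPR does (by Domain + Account), then follow its MvGuid to every other joined connector space object, which is exactly the set SSPR never touches and that only PCNS would reach. Test-ExtensionSetPassword then exercises the ECMA password extension directly against its CS object, independent of SSPR, which is the "WMI SetPassword call" check Paul mentions. The MA name 'WebService ECMA', the domain and the account are placeholders, and it assumes the caller is a member of the sync server's password-set security group (FIMSyncPasswordSet on FIM/MIM).

```powershell
# Added diagnostic (not from the thread). Assumes the FIM/MIM Synchronization
# Service WMI provider is reachable on this host and the caller is allowed to
# set passwords (FIMSyncPasswordSet group). MA name, domain and account below
# are placeholders, not values taken from the thread.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Get-JoinedCSObjects {
    param(
        [Parameter(Mandatory)][string]$Domain,   # NetBIOS domain of the AD CS object
        [Parameter(Mandatory)][string]$Account   # sAMAccountName
    )
    # Step 1: find the AD connector space object by Domain + Account. This is
    # the lookup SSPR performs, and the only object it sets the password on.
    $adCs = Get-WmiObject -Namespace $Namespace -Class MIIS_CSObject `
        -Filter "Domain='$Domain' AND Account='$Account'"
    if (-not $adCs) { throw "No AD CS object found for $Domain\$Account" }

    # Step 2: follow the metaverse link to every CS object joined to the same
    # MV entry (other AD MAs, the ECMA, ...). SSPR stops at step 1; these are
    # reached only when PCNS relays the change back into FIM Sync.
    Get-WmiObject -Namespace $Namespace -Class MIIS_CSObject `
        -Filter "MvGuid='$($adCs.MvGuid)'"
}

function Test-ExtensionSetPassword {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$MaName,            # name of the ECMA MA (placeholder)
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $target = Get-JoinedCSObjects -Domain $Domain -Account $Account |
        Where-Object { $_.MaName -eq $MaName } | Select-Object -First 1
    if (-not $target) {
        throw "$Domain\$Account is not joined to any CS object in MA '$MaName'"
    }

    # SetPassword takes a plain string; keep the clear text in scope only as long
    # as the call itself and free the unmanaged copy afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $result = $target.SetPassword($plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
    # The provider returns its status string; "success" means the extension's
    # SetPassword ran, so a failing SSPR flow points at the missing PCNS relay.
    return $result.ReturnValue
}

# Usage (placeholder values):
#   Get-JoinedCSObjects -Domain 'CONTOSO' -Account 'testuser' |
#       Select-Object MaName, DN
#   Test-ExtensionSetPassword -Domain 'CONTOSO' -Account 'testuser' `
#       -MaName 'WebService ECMA' `
#       -NewPassword (Read-Host -AsSecureString 'New password')
```

Running Get-JoinedCSObjects first is the useful part for the scenario in this thread: if the AD CS object comes back but the ECMA CS object only appears in the MvGuid query, the password reset completing in SSPR while the web service keeps the old password is the designed outcome, not a broken extension. The Filter values are interpolated into WQL, so use it only with domain and account names that contain no single quotes or backslashes.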