Password reset from Internet

  • Question

  • Hi all.

    Sorry if anyone is seeing a duplicate of this post. I posted it yesterday, and today that post has mysteriously vanished; I can't seem to find it anywhere in the forum.

    I'm trying to get SSPR working for computers that are not on our internal network. Internally everything works just fine, but when clicking "Forgot your password?" I get an error and the following pops up in the event log:

    System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with http://pwreset.<replaced>:5725/ResourceManagementService/Alternate for target http://pwreset.<replaced>:5725/ResourceManagementService/Alternate failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed.

    The hostname (which I've hidden in the error message above) is resolvable, and ports 5725 and 5726 (TCP) are open from the Internet to the server. Is there anything more I should open up for this to work?

    Friday, May 19, 2017 7:49 AM

Answers

  • Hello,

    I think it's not a good idea to publish the FIM Web Service to the Internet.

    You should have an automatic VPN solution which connects clients to the corporate network, like DirectAccess.
    I never tried to use the FIM PW Client Extension from outside, but I assume you will need to open ports you don't like to open. I'm quite sure that it is maybe technically not possible.

    PW reset from the Internet is normally done by the web-based PW reset, and you publish that website to the Internet, but of course that does not help if users cannot log in to a client disconnected from the network.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, May 19, 2017 9:44 AM
  • You need to be able to get a Kerberos ticket to the service, which you won't be able to do over the Internet since you have no line of sight to a domain controller. DirectAccess would make this work as long as the machines have access via DA to the DCs and FIM endpoints. Azure AD SSPR might be a better solution for you for your remote workers.

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Friday, May 19, 2017 8:52 PM
    Moderator

All replies

  • Hello,

    I think it's not a good idea to publish the FIM Web Service to the Internet.

    You should have an automatic VPN solution which connects clients to the corporate network, like DirectAccess.


    Well, good points there. The plan was that this would actually help DirectAccess users that have forgotten their passwords. But maybe it's a completely unsafe solution and it would be better to tell them to call the service desk?
    Friday, May 19, 2017 11:35 AM
  • Hi,

    As Peter says, you shouldn't publish the FIM Web Service to the Internet.

    However, you could publish the web-based password reset portal. We've done this for several customers, also customizing it and adding a reCAPTCHA to prevent abuse.


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    Saturday, May 20, 2017 3:58 AM
  • Thanks for the good answers here! We'll immediately close ports 5725 and 5726 for access from the outside and add a section to our end-user SSPR guide on how to reach the password reset web portal when they forget their password and aren't at work.
    Monday, May 22, 2017 8:28 AM
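As an added example (not from the thread or from any poster), a PowerShell audit and remediation on the FIM Service host matching the closing step above: it lists inbound Windows Firewall rules that allow TCP 5725/5726 from any remote address, rescopes those ports to internal ranges only, and, run from a machine outside the corporate network, confirms the ports no longer answer. The internal ranges, rule name and hostname are placeholders to adjust to your environment.

```powershell
# Added example: audit and rescope the FIM Service ports (TCP 5725/5726) on the
# FIM/MIM Service host. Run elevated on that server. Assumptions: the address
# ranges and rule name below are placeholders, not values from the thread.
$FimServicePorts = @('5725', '5726')
$InternalRanges  = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # placeholder corporate ranges

function Get-OverexposedFimRule {
    # Inbound allow rules for the FIM Service ports whose remote scope is "Any",
    # i.e. the configuration that let the Internet reach the SOAP endpoint.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        # LocalPort may be a single value, an array, or 'Any'; ranges such as '5725-5726'
        # are reported as exposed too so they are not silently missed.
        $ports = @($portFilter.LocalPort) | ForEach-Object { [string]$_ }
        $hits  = $FimServicePorts | Where-Object {
            ($ports -contains $_) -or ($ports -contains 'Any') -or ($ports -match '-')
        }
        if ($hits -and $portFilter.Protocol -eq 'TCP' -and ($addrFilter.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{ Name = $rule.DisplayName; Ports = ($hits -join ','); RemoteAddress = 'Any' }
        }
    }
}

function Restrict-FimServiceScope {
    # Replace open rules with one rule that only admits the internal ranges on the
    # Domain profile (DirectAccess clients reach the host through the corporate edge).
    New-NetFirewallRule -DisplayName 'FIM Service (internal only)' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $FimServicePorts -RemoteAddress $InternalRanges -Profile Domain | Out-Null
    Get-OverexposedFimRule | ForEach-Object { Disable-NetFirewallRule -DisplayName $_.Name }
}

function Test-FimExposure {
    # Run from a machine OUTSIDE the corporate network; every port should report $false.
    param([string]$HostName = 'pwreset.example.com')   # placeholder hostname
    foreach ($port in $FimServicePorts) {
        $result = Test-NetConnection -ComputerName $HostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; ReachableFromHere = $result.TcpTestSucceeded }
    }
}

Get-OverexposedFimRule | Format-Table -AutoSize   # audit first
# Restrict-FimServiceScope                        # then apply the scoped rule
# Test-FimExposure -HostName 'pwreset.example.com' # verify from outside
```

The web-based password reset portal the answers recommend is published separately over HTTPS and is not touched by these rules.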