Two SSPR Sites for internal users and partners

  • Question

  • Hello,

    We have two sets of users (Internal and Partners) who live in separate OUs in one AD. Is there a way to have an SSPR site for each set of users? For example, let's say SSPR1 will be used by OU1 (internal) users. I want to prevent OU2 (partner) users from using the SSPR1 site to reset their passwords. Bottom line, I want to prevent partner users from trying to reset internal users' passwords.

    Thanks,


    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

    Blog: http://lajak.wordpress.com

    Twitter: ahmedalasaad

    Thursday, September 28, 2017 3:35 PM

All replies

  • You need not worry about that. Every user can only reset their own password.


    Nosh Mernacaj, Identity Management Specialist



    Thursday, September 28, 2017 5:19 PM
  • Hi Nosh,

    I don't think that's accurate. If a user who works for a partner wants to be malicious and knows the username of an internal user, he/she can lock the internal user's account, and if somehow he/she can answer the security questions, the password will be reset.

    To stay on the safe side, I would like to have a separate SSPR site for external users.

    Thanks,


    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

    Blog: http://lajak.wordpress.com

    Twitter: ahmedalasaad

    Thursday, September 28, 2017 6:33 PM
  • That is partially correct. This can lock the user out of the SSPR tool itself, but not out of AD.

    You can do what you originally asked, but that will mean double licensing costs.

    You can also segregate the users by using one SSPR, but create 2 AuthN workflows, MPRs, and Sets.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, September 28, 2017 6:40 PM
  • I like the second AuthN workflow approach. Thinking out loud, what do you think of creating a second partition as per https://social.technet.microsoft.com/wiki/contents/articles/2363.understanding-fim-service-partition, pointing the second SSPR to the second partition, and only having the second AuthN workflow on the second partition? Would that work?

    Thanks


    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

    Blog: http://lajak.wordpress.com

    Twitter: ahmedalasaad

    Saturday, September 30, 2017 4:30 AM
  • Can't open the link you posted, but it does not matter. I totally understand you. Of course it will work.

    The only issue is you will pay double CALs.


    Nosh Mernacaj, Identity Management Specialist

    Saturday, September 30, 2017 8:50 PM
  • But now if external users know the URL for the internal SSPR, they can cause the same harm.

    Nosh Mernacaj, Identity Management Specialist


    Saturday, September 30, 2017 10:08 PM
  • Nothing you do can completely solve your issue. You are trying to change human behavior, and that is not a technology issue.

    External users may always find out something. I hope your company does not contract Hackers. :)

    There is another, simpler way: use one instance of SSPR and simply change the way you create the MIM accounts. For example, you can make the external accounts prefixed, like EXT-NMERNACAJ, and the internal ones based on their EmployeeID or something unknown to external people.

    The only harm the external users can ever cause is to lock an account in SSPR MIM, but they cannot lock an AD account.

    Remember, you need to fully authenticate to MIM before contacting AD.


    Nosh Mernacaj, Identity Management Specialist

    Sunday, October 1, 2017 12:09 PM
  • Proper zoning of the servers can take care of this.

    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

    Blog: http://lajak.wordpress.com

    Twitter: ahmedalasaad

    Sunday, October 1, 2017 5:37 PM
  • I am trying to do my due diligence and design the solution to be as bulletproof as possible.

    Re username pattern

    I don't want it to be hard for users to use.

    Re you need to fully authenticate to MIM before contacting AD

    Not sure what you mean by the above statement. This is done through the ADMA, isn't it?


    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

    Blog: http://lajak.wordpress.com

    Twitter: ahmedalasaad

    Sunday, October 1, 2017 6:06 PM
  • Ahmed,

    "Re you need to fully authenticate to MIM before contacting AD" - This can lock your account too. Never mind my earlier comment. That was not accurate.

    I hear you, but you cannot completely ensure someone is not going to lock someone else's account. I can lock your account with a runas command on anything.

    I don't think your 2 SSPR portals will do anything for you.


    Nosh Mernacaj, Identity Management Specialist


    Monday, October 2, 2017 7:58 PM