Password Sync across AD and offsite hosted applications

  • Question

  • I was wondering if it is possible to set up FIM 2010 R2 with password management against a topology that consists of an on-site Active Directory and two off-site applications; the two off-site applications are in no way connected to each other and are hosted by two separate companies. Credentials for each of the off-site applications are stored within SQL; however, I'm not sure exactly how they are encrypting/decrypting passwords.

    The best-case scenario would leverage our AD as the main entry point for user passwords, which would then flow out to the other applications.

    Thursday, August 16, 2012 12:28 PM

All replies

  • Hello,

    So you are looking to capture your on-site AD passwords and send them off-site to another company?  Hmm, perhaps ADFS would be a better solution here.

    If FIM PCNS is really what you want, the PCNS DLL would need to be installed on all your source DCs, and all those DCs would need to have their schema extended for PCNS.  This will allow the DCs to capture the password change and send that captured password, securely, over to FIM.  FIM then leverages the management agent of the target to send the password over to the target.  (Do you have a management agent for the target application?)  In-the-box, password management is supported in these MAs:

    • Active Directory
    • Active Directory Lightweight Directory Services
    • IBM Directory Server
    • Lotus Notes
    • Novell eDirectory
    • Sun and Netscape directory servers

    For file-based, DB and extensible connectivity management agents that do not support password change and set operations by default, you can create a .NET password extension DLL that is called whenever a password change or set call is invoked.  That would be for these management agents:

    • Attribute-value pair text files
    • Delimited text files
    • Directory Services Markup Language (DSML)
    • Extensible Connectivity
    • Fixed-width text files
    • IBM DB2 Universal DB
    • LDIF
    • SQL
    • Oracle


    Jeff Ingalls

    Saturday, September 1, 2012 9:25 AM
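As an added illustration of the password extension DLL Jeff describes for the SQL management agent (this is example code written for this page, not code from the thread, from Microsoft's FIM samples, or from any vendor), here is a minimal .NET class implementing Microsoft.MetadirectoryServices.IMAPasswordManagement. FIM Synchronization Service loads it from the MA's "Configure Extensions" page and calls it whenever a PCNS-captured change or a set-password operation reaches that MA. Everything about the target is assumed, since the original poster did not know the vendors' storage format: a table dbo.AppUsers(Username, PasswordHash, PasswordSalt) in a database AppDb, a per-user salted PBKDF2 hash, and a connector-space attribute named Username. If a vendor actually uses a different scheme, the hashing in SetPassword must be changed to match theirs or their application will no longer be able to verify logins.

```csharp
// Added example, not from the original thread or from any vendor's code.
// Build against Microsoft.MetadirectoryServicesEx.dll from the FIM Sync
// install, drop the assembly in the Synchronization Service "Extensions"
// folder, and select it as the password extension of the SQL MA.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

namespace Contoso.Fim.PasswordExtensions   // hypothetical namespace
{
    public class SqlAppPasswordExtension : IMAPasswordManagement
    {
        private SqlConnection _conn;

        // Assumed vendor parameters: PBKDF2-HMAC-SHA1, 16-byte salt, 32-byte hash.
        private const int Iterations = 100000;
        private const int SaltBytes = 16;
        private const int HashBytes = 32;

        // connectTo / user / password are the values configured on the MA;
        // FIM passes them in before each batch of password operations.
        public void BeginConnectionToServer(string connectTo, string user, string password)
        {
            var csb = new SqlConnectionStringBuilder
            {
                DataSource = connectTo,
                InitialCatalog = "AppDb",        // assumption
                UserID = user,
                Password = password,
                Encrypt = true,                  // new password must not cross the wire in clear
                TrustServerCertificate = false   // and the server must prove who it is
            };
            _conn = new SqlConnection(csb.ConnectionString);
            _conn.Open();
        }

        public void EndConnectionToServer()
        {
            if (_conn != null)
            {
                _conn.Dispose();
                _conn = null;
            }
        }

        // A PCNS-driven change arrives here with the old password as well, but a
        // remote vendor database gives us nothing to verify it against, so it is
        // handled exactly like a set.
        public void ChangePassword(CSEntry csentry, string oldPassword, string newPassword)
        {
            SetPassword(csentry, newPassword);
        }

        public void SetPassword(CSEntry csentry, string newPassword)
        {
            if (string.IsNullOrEmpty(newPassword))
                throw new ArgumentException("Empty password rejected.", "newPassword");

            // Fresh random salt per set so identical AD passwords never produce
            // identical rows in the vendor table.
            byte[] salt = new byte[SaltBytes];
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(salt);

            byte[] hash;
            using (var kdf = new Rfc2898DeriveBytes(newPassword, salt, Iterations))
                hash = kdf.GetBytes(HashBytes);

            // Parameterised: the user name comes from AD and must never be
            // concatenated into the statement.
            const string sql =
                "UPDATE dbo.AppUsers SET PasswordHash = @hash, PasswordSalt = @salt " +
                "WHERE Username = @user";

            using (var cmd = new SqlCommand(sql, _conn))
            {
                cmd.Parameters.Add("@hash", SqlDbType.VarBinary, HashBytes).Value = hash;
                cmd.Parameters.Add("@salt", SqlDbType.VarBinary, SaltBytes).Value = salt;
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value =
                    csentry["Username"].Value;   // assumed anchor attribute

                int rows = cmd.ExecuteNonQuery();
                if (rows != 1)
                    // Throwing makes FIM record the operation as failed instead of
                    // silently reporting success for a user the target does not know.
                    throw new InvalidOperationException(
                        "Expected exactly one row for " + csentry.DN + ", updated " + rows);
            }
        }
    }
}
```

Two practical checks before relying on this: confirm with each vendor the exact hash or encryption format their application verifies against, because FIM only delivers the new password and the extension alone decides how it is stored; and make sure the MA is configured with Password Management enabled and a SQL login limited to UPDATE on the password columns, since this DLL runs with whatever rights that login has.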
  • Thanks Jeff! We actually decided to reduce the role FIM plays and just have the third party vendors authenticate from their web-based apps to our AD via a secure VPN connection.
    Monday, September 24, 2012 5:22 PM