Must FIM 2010 R2 Password Registration and Reset Server be domain joined?

  • Question

  • Hi all,

    I have a topology where the FIM Portal and Server are on an Internal network, with the Password Registration and Reset portals published externally, via a separate server in an extranet.  I don't want to join the server in the extranet to the corporate domain, but is that really the only way to make it work?  Reading the docs, it looks like the FIM portal assigns a special permission to the account running the password registration and reset portals, with all the screenshots using domain credentials, but it doesn't seem very "best practice" to have a domain joined server in the Extranet.

    I guess TMG with reverse proxy with additional cost would be the alternative?  Is there really no other way?



    Monday, August 13, 2012 12:14 PM

All replies

  • FIM Service requires Kerberos... And so the SSPR portals need to be able to talk Kerberos with the FIM Service.

    You could implement a different trusted forest in the Extranet if you like, but IMHO publishing the SSPR portals using TMG or UAG is a better option.

    Monday, August 13, 2012 12:27 PM
  • @Kent: I'm not sure if FIM service actually requires Kerberos. I'm not using Kerberos authentication, but completed deploying FIM 2010 R2 Portal.

    Thuan Soldier

    Wednesday, September 12, 2012 4:03 PM
  • @Thuan: Please share what your setup looks like that authenticates against FIM Service without using Kerberos.
    Friday, September 14, 2012 10:47 AM
  • The actual account that resets passwords is the AD MA service account. The one used to run the MA in the Sync server. You can place the Password Reset portal server in the DMZ. But then you must start the IIS Application pools with a local user.


    Friday, September 14, 2012 11:21 AM
  • Yes, the AD MA account is the one actually doing the job. But the call goes like this

    SSPR Portal App Pool Account -> FIM Service -> FIM Sync Service using WMI -> AD MA -> AD

    IMHO FIM Service will reject the first step if not authenticated using Kerberos.

    Friday, September 14, 2012 3:08 PM
  • Yes, domain membership is necessary.  You might notice when installing the FIM Service + Portal that it asks for the identities of the service accounts that will run the Registration Portal and Reset Portal -- these IDs become "special" accounts to the FIM Service and would not otherwise have adequate permission to communicate with the service.
    Friday, September 14, 2012 4:09 PM
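The replies above boil down to two things a practitioner can verify on the portal server itself: the box is domain-joined, and the IIS application pools hosting the Registration and Reset portals run as the domain service accounts that were handed to the FIM Service installer (a local account, as suggested for a DMZ box, cannot present Kerberos credentials to the FIM Service). The following PowerShell is an added check written for this page, not code from the thread or from FIM; the application pool names are assumed placeholders, so substitute the names your FIM 2010 R2 SSPR installation actually created.

```powershell
# Added example, not from the thread: verify on the SSPR portal server that
#   1. the server is a member of a domain, and
#   2. the portal app pools run as DOMAIN\user accounts, not local or built-in identities.
# Assumption: the pool names below are placeholders for the real SSPR pool names.
Import-Module WebAdministration

function Test-SsprPrereqs {
    param(
        [string[]]$PoolNames = @('FIMPasswordRegistration', 'FIMPasswordReset')  # assumed names
    )

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $results = @()

    # Check 1: domain membership (Win32_ComputerSystem.PartOfDomain is $false in a workgroup)
    $results += [pscustomobject]@{
        Check = 'Server is domain-joined'
        Value = if ($cs.PartOfDomain) { $cs.Domain } else { 'WORKGROUP' }
        Pass  = [bool]$cs.PartOfDomain
    }

    # Check 2: each portal app pool uses a specific domain user as its identity
    foreach ($name in $PoolNames) {
        $pool = Get-Item "IIS:\AppPools\$name" -ErrorAction SilentlyContinue
        if (-not $pool) {
            $results += [pscustomobject]@{ Check = "App pool '$name' exists"; Value = 'missing'; Pass = $false }
            continue
        }

        $pm = $pool.processModel
        # A local account is written as ".\user" or "COMPUTERNAME\user"; a domain account
        # as "DOMAIN\user". Built-in identities (ApplicationPoolIdentity, NetworkService, ...)
        # have identityType other than SpecificUser. UPN-style names (user@domain) are
        # not recognised by this simple pattern and will be reported as failing.
        $isDomainUser = ($pm.identityType -eq 'SpecificUser') -and
                        ($pm.userName -match '^[^\\.]+\\') -and
                        ($pm.userName.Split('\')[0] -ne $env:COMPUTERNAME)

        $results += [pscustomobject]@{
            Check = "App pool '$name' runs as a domain account"
            Value = "$($pm.identityType) $($pm.userName)"
            Pass  = $isDomainUser
        }
    }

    $results
}

Test-SsprPrereqs | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the portal server. A `Pass` of `False` on the first row means the server is the workgroup DMZ host the thread warns about; a `False` on an app pool row means the pool identity is not one of the domain accounts the FIM Service was told about at install time, which is the condition under which the Kerberos call from the portal to the FIM Service is rejected.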