Does an SSPR server in the DMZ need to be domain joined?


  • Hi

    I realize the SSPR web portal does not require SharePoint and only needs IIS. Our security team does not want any self-registration pages to be hosted on a domain-joined server. We do have a reverse proxy server in front of the registration pages before users can reach them. Q: Is it a possible scenario to have the SSPR server in the DMZ, not joined to any domain?

    Friday, 21 February 2014 22:07

All replies

  • It's not the answer you want, but it's an easy answer: The SSPR server must be domain joined because both the SSPR Registration and Reset application pool identities use integrated Windows authentication to access their special privileges to the FIM Service.

    This might be a good opportunity to explore the new ADFS Remote Access proxy role in Server 2012 R2.

    Steve Kradel, Zetetic LLC

    Monday, 24 February 2014 16:47
  • Shawn,

    You need to find out if your reverse proxy supports SPNEGO authentication. If it does, does it support Kerberos Constrained Delegation?

    Your reverse proxy will need to be able to request S4U logon tickets to perform Kerberos Constrained Delegation. Depending on which reverse proxy we are talking about, this might mean that the reverse proxy needs to be domain joined, at the least.

    Once you figure this out, you can then perform application hardening on the reverse proxy to alleviate your IT & Network Security concerns.

    Alternatively, consider deploying Web Application Proxy (WAP), which is packaged along with ADFS 3.0.


    Jameel Syed | Identity & Security Strategist | Simplified Identity and Access Management

    Tuesday, 25 February 2014 08:34
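The Kerberos Constrained Delegation setup that Jameel's reply describes (proxy requests S4U tickets, then delegates only to the SSPR site), written out as an added example for this thread; it is not code from any of the posters or from the FIM product. It assumes a domain contoso.com, a domain-joined proxy computer account WAP01 (WAP is used in the last step, but any proxy that runs under an AD computer account is configured the same way in AD), an SSPR host sspr.contoso.com, and an IIS application pool identity CONTOSO\svc-sspr; all of those names are placeholders. Run it as a domain admin from a host with the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original thread. Names below are assumptions:
# domain contoso.com, proxy computer WAP01, SSPR host sspr.contoso.com,
# SSPR application pool service account svc-sspr.
Import-Module ActiveDirectory

$Domain        = 'contoso.com'
$ProxyComputer = 'WAP01'
$SsprHost      = "sspr.$Domain"
$SsprSpn       = "HTTP/$SsprHost"
$SsprSvcAcct   = 'svc-sspr'

# 1. The SSPR application pool identity must own the HTTP SPN. Without it the KDC
#    issues no service ticket for the site, IIS falls back to NTLM, and KCD cannot
#    forward an NTLM logon, which is why the SSPR box has to stay domain joined.
$svc = Get-ADUser -Identity $SsprSvcAcct -Properties servicePrincipalName
if ($svc.servicePrincipalName -notcontains $SsprSpn) {
    Set-ADUser -Identity $SsprSvcAcct -ServicePrincipalNames @{ Add = $SsprSpn }
}

# 2. Allow the proxy's computer account to delegate to that one SPN (constrained),
#    and enable protocol transition so the proxy can obtain S4U2Self tickets for
#    users who authenticated to it with forms or ADFS rather than Kerberos.
Set-ADComputer -Identity $ProxyComputer -Add @{ 'msDS-AllowedToDelegateTo' = $SsprSpn }
Set-ADAccountControl -Identity "$ProxyComputer`$" -TrustedToAuthForDelegation $true

# 3. Verify the hardening point: the proxy may delegate to the SSPR SPN and nothing
#    else. Any extra target here widens what a compromised proxy can reach.
function Test-KcdScope {
    param([string]$Computer, [string[]]$AllowedSpns)
    $c = Get-ADComputer -Identity $Computer `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $targets = @($c.'msDS-AllowedToDelegateTo')
    $extra   = $targets | Where-Object { $_ -notin $AllowedSpns }
    [pscustomobject]@{
        Computer                    = $Computer
        ProtocolTransition          = [bool]$c.TrustedToAuthForDelegation
        DelegatesTo                 = $targets
        UnexpectedDelegationTargets = @($extra)
        Ok                          = (@($extra).Count -eq 0) -and [bool]$c.TrustedToAuthForDelegation
    }
}
Test-KcdScope -Computer $ProxyComputer -AllowedSpns @($SsprSpn) | Format-List

# 4. Publish the SSPR site through WAP with ADFS pre-authentication at the edge and
#    Kerberos to the backend via the SPN above. This cmdlet only exists on the WAP
#    server itself, so it runs only when that module is present. The relying party
#    'SSPR Registration' is assumed to already exist in ADFS.
if (Get-Command Add-WebApplicationProxyApplication -ErrorAction SilentlyContinue) {
    $edgeCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SsprHost*" } |
        Select-Object -First 1
    Add-WebApplicationProxyApplication -Name 'SSPR Registration' `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName 'SSPR Registration' `
        -ExternalUrl "https://$SsprHost/" `
        -BackendServerUrl "https://$SsprHost/" `
        -BackendServerAuthenticationSPN $SsprSpn `
        -ExternalCertificateThumbprint $edgeCert.Thumbprint
}
```

Step 3 is the check worth re-running after any change: `UnexpectedDelegationTargets` should stay empty, and `ProtocolTransition` only needs to be true when the edge authentication is not itself Kerberos (forms or ADFS), which is the usual case for a DMZ proxy.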