I realize the SSPR web portal does not require SharePoint and only needs IIS. Our security team does not want any self-registration pages to be hosted on a domain-joined server. We do have a reverse proxy server in front, which users must pass through before they can reach the registration pages.

Q: Is it a possible scenario to have the SSPR server in a DMZ that is not joined to any domain?
It's not the answer you want, but it's an easy answer: the SSPR server must be domain-joined, because both the SSPR Registration and Reset application pool identities use integrated Windows authentication to exercise their special privileges against the FIM Service.
This might be a good opportunity to explore the new ADFS Remote Access proxy role in Server 2012 R2.
You need to find out if your reverse proxy supports SPNEGO authentication. If it does, does it support Kerberos Constrained Delegation?
Your reverse proxy will need to be able to request S4U logon tickets to perform Kerberos Constrained Delegation. Depending on which reverse proxy we are talking about, this might mean that the reverse proxy needs to be domain-joined, at the least.

Once you have figured this out, you can perform application hardening on the reverse proxy to alleviate your IT and network security concerns.
Alternatively, consider deploying Web Application Proxy (WAP), which is packaged along with ADFS 3.0.
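The two answers above (a KCD-capable reverse proxy, or WAP with ADFS 3.0) both come down to the same Active Directory plumbing: the SSPR application pool identity needs an HTTP SPN, and the proxy's computer account must be allowed to delegate to that SPN with protocol transition, because the proxy authenticates the user itself and then obtains a service ticket on the user's behalf (S4U2Self followed by S4U2Proxy). The following PowerShell is an added example written for this page, not code from the original thread or from Microsoft's FIM documentation. The domain `corp.contoso.com`, the host names `sspr.corp.contoso.com` and `PROXY01`, the service account `CORP\svc-sspr-reg`, the external URL `https://sspr.contoso.com/`, and the certificate thumbprints are all assumed placeholders; the cmdlets themselves (`setspn`, `Set-ADAccountControl`, `Set-ADComputer`, `Add-AdfsNonClaimsAwareRelyingPartyTrust`, `Add-WebApplicationProxyApplication`) are the real ones shipped with the ActiveDirectory, ADFS and WebApplicationProxy modules.

```powershell
# Added example: wiring Kerberos Constrained Delegation from an edge proxy to the
# FIM SSPR Registration portal. All host, account and thumbprint values below are
# assumed placeholders; replace them with your own.
#
# Run steps 1-3 on a domain-joined admin workstation with RSAT (ActiveDirectory module),
# step 4 on the AD FS server, step 5 on the WAP server (which must be domain-joined).

Import-Module ActiveDirectory

$ssprHost     = 'sspr.corp.contoso.com'          # assumed: SSPR Registration site host name
$ssprSpn      = "HTTP/$ssprHost"                 # SPN the proxy will delegate to
$ssprPoolAcct = 'CORP\svc-sspr-reg'              # assumed: SSPR Registration app pool identity
$proxyAccount = 'PROXY01$'                       # assumed: computer account of the proxy / WAP box
$externalUrl  = 'https://sspr.contoso.com/'      # assumed: URL users reach from the Internet
$backendUrl   = "https://$ssprHost/"             # URL the proxy forwards to inside the network

# 1. Register the HTTP SPN on the app pool account (duplicate SPNs break Kerberos, so -S
#    checks for duplicates before adding). Skip if IIS already answers as NETWORK SERVICE
#    and the SPN lives on the machine account.
setspn -S $ssprSpn $ssprPoolAcct

# 2. Allow the proxy's computer account to use protocol transition (S4U2Self). This sets
#    TRUSTED_TO_AUTH_FOR_DELEGATION on userAccountControl, which is what "Use any
#    authentication protocol" means in the ADUC Delegation tab.
Set-ADAccountControl -Identity $proxyAccount -TrustedToAuthForDelegation $true

# 3. Constrain the delegation to exactly the SSPR SPN (S4U2Proxy target). Never use
#    -TrustedForDelegation here: that is unconstrained delegation.
Set-ADComputer -Identity $proxyAccount.TrimEnd('$') -Add @{ 'msDS-AllowedToDelegateTo' = $ssprSpn }

# Verify: the SPN should resolve to the app pool account, and the proxy's
# msDS-AllowedToDelegateTo list should contain only the SSPR SPN.
setspn -Q $ssprSpn
Get-ADComputer -Identity $proxyAccount.TrimEnd('$') -Properties msDS-AllowedToDelegateTo,
    TrustedToAuthForDelegation | Select-Object Name, TrustedToAuthForDelegation,
    @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 4. On the AD FS 3.0 server: the SSPR portal is not claims-aware, so publish it as a
#    non-claims-aware relying party. WAP will pre-authenticate at AD FS and then use KCD.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'FIM SSPR Registration' `
    -Identifier $externalUrl `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 5. On the WAP server (Remote Access role, 2012 R2): publish the application with
#    AD FS pre-authentication and KCD to the SSPR SPN. Thumbprints are placeholders.
Add-WebApplicationProxyApplication -Name 'FIM SSPR Registration' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'FIM SSPR Registration' `
    -ExternalUrl $externalUrl `
    -BackendServerUrl $backendUrl `
    -BackendServerAuthenticationSPN $ssprSpn `
    -ExternalCertificateThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'

# Smoke test from the WAP/proxy box: if KCD is wired correctly the machine can obtain a
# service ticket for the SSPR SPN (klist reports it under "Server:").
klist get $ssprSpn
```

Two things worth keeping in mind when reading this. First, the delegating box is the proxy's computer account, so step 2 and step 3 only work for a proxy that is itself domain-joined; this is the "needs to be domain-joined, at the least" point in the answer above, and it means the design moves the domain-joined footprint to the edge rather than removing it, with the SSPR server staying on the internal network. Second, the Reset portal and the Registration portal are separate application pools and normally run under different identities, so the SPN registration and the `msDS-AllowedToDelegateTo` entry have to be repeated for the Reset site's own host name and account if it is published the same way.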