I would love to see more info on how I can write my own code to interact with the STS and web service if I want to enable password reset registration and password reset authn via methods other than the provided tools and interfaces. For example, I may want to initiate a password reset from my cell phone and speech server.
How about a discussion as to how someone outside the firewall on a non-domain-joined machine without VPN can perform an SSPR? It is my understanding that currently the SSPR client uses DCOM/RPC to communicate with the FIM service and most organizations will not publish those protocols through the firewall. From your posts it appears that the communication between the SSPR client and FIM server is via named pipes. Is there a reason that this wasn't done with an HTTPS connection or some other protocol that is easy to publish through a firewall?
That's not exactly correct. I have updated my Part 4 with the following.
Communication channels used:
* Between Gate Framework (GF) and PasswordProxy: a named pipe, because GF is native and PasswordProxy is managed.
* Between PasswordProxy and FIMService/STS: WCF.
* Between FIMService and FIMSynchronizationService: WMI.
FIMService will only accept requests signed with a valid Kerberos token, meaning the machine needs to be domain joined for SSPR to work. Extranet password reset is not supported in RTM. We are *seriously* looking into the issue.
Seem to have an issue with MsPwdRegistration on domain computers with smart cards. These computers have the following IE policy pushed: "smart cards are required for interactive logon". When MsPwdRegistration asks for the user credentials and Next is clicked, the following error appears:
Unable to validate your password at this time, please contact your system administrator
When the policy is not applied to IE, everything works OK.
You are correct in the sense that users that require smartcard logon can't pass the Password Gate. But those users don't need SSPR anyway. So they really shouldn't be in the Password Reset Users set.
Questions like this one might fit better in the forum: http://social.technet.microsoft.com/Forums/en/ilm2/threads
How about looking into SSPR using openldap and the steps and details pertaining to that?
We only support AD password reset at this time.
If the user has AD, you can use PCNS to sync the password back to OpenLDAP (but I bet that's not the case for you).
How can I set up a kiosk so that, as well as offering password reset, it also offers an option for registration? Can I add a link on to the NavBar of the passwordPortal?
The kiosk WILL NOT allow direct input of a URL into the address bar.
If a user doesn't have the desktop add-ins for password reset, then they ALSO haven't got them for registration.
In order to register for SSPR, one needs to be authenticated. The easiest way will be to write a script that would do the following:
runas /u:username C:\Windows\System32\MsPwdRegistration.exe
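As an added example (not code from the original post or from the FIM product), here is a PowerShell launcher for the step above. It prompts for the account to register and starts MsPwdRegistration.exe under that account with Start-Process -Credential instead of runas, so the password is read into a SecureString rather than typed at a console prompt. The executable path is the one given in the answer; the placeholder domain name and the idea of a kiosk-side launcher script are assumptions.

```powershell
# Kiosk-side launcher for SSPR registration (added example, not product code).
# Assumes the FIM password reset client add-in is installed on this machine
# and that, as with runas, the Secondary Logon service is available.
param(
    [string]$Domain = 'CONTOSO'   # placeholder domain; replace with your own
)

$exe = 'C:\Windows\System32\MsPwdRegistration.exe'   # path from the original answer

if (-not (Test-Path -Path $exe)) {
    Write-Error "Registration client not found at $exe. Is the FIM add-in installed?"
    exit 1
}

# Ask for the user's own credentials; Get-Credential keeps the password as a SecureString.
$cred = Get-Credential -Message "Enter your $Domain account to register for password reset" -UserName "$Domain\"

if (-not $cred) {
    Write-Warning 'No credentials supplied; nothing launched.'
    exit 1
}

try {
    # Equivalent of: runas /u:<user> C:\Windows\System32\MsPwdRegistration.exe
    Start-Process -FilePath $exe -Credential $cred -ErrorAction Stop
}
catch {
    # A wrong password or a locked-out account surfaces here rather than in the registration UI.
    Write-Error "Could not start the registration client as $($cred.UserName): $($_.Exception.Message)"
    exit 1
}
```

Put this behind a shortcut on the kiosk; the user supplies only their own domain credentials, and the registration client then runs in their context, which is what the FIMService Kerberos check described earlier requires.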
Sorry, I don't understand how that can be triggered from the passwordPortal.
PasswordPortal is not customizable at this moment.
Is it possible to create a custom workflow that pulls custom questions/answers from another directory/store?
Yes, you should be able to extend the product by writing your own Authentication Gate (e.g. your custom QA Gate) and adding it to the AuthN WF.
Hi AnthonyHo, I would like to know more about custom workflows and portal customization; I would like to link objects in the FIM portal.
Thanks in advance
I would like to know how to create a custom QA gate to enforce a minimum length for the answers and to specify conditions on the answers (such as containing only numbers).