Publishing Forefront Identity Manager (FIM) Self Service Password Reset (SSPR) registration portal through Web Application Proxy (WAP)


As we know, the FIM SSPR service has two portals.

  1. Password Registration portal
  2. Password Reset portal

In this blog post we will see how to publish the SSPR registration portal through WAP.

Refer to the blog posts below for the details on publishing the FIM Portal and the SSPR Reset portal.

How to publish FIM Portal through Web Application Proxy.

How to publish FIM SSPR Reset portal through Web Application Proxy.

 

Publishing FIM Password Registration Portal through Web Application Proxy

The Password Registration portal can be configured with pre-authentication on WAP. For this, we have to use the Kerberos Constrained Delegation (KCD) method to delegate the user's identity from the WAP server to the FIM Password Registration Portal server (KCD requires the WAP server to be a member of the domain).

Let’s collect the required information about the FIM SSPR Registration portal for publishing.

1. Find the Service Principal Name (SPN) registered for the Password Registration portal.

Normally the SPNs for the SSPR portals are registered on the computer account of the server where the SSPR portals are installed. Please refer to this article for more details.

Open an elevated command prompt and run the command below to list the SPNs registered on the computer account.

   setspn -L <PasswordRegistrationPortalComputerName>


You can see that in my lab I have registered the SPN as HTTP/passwordregistration.contoso.com.

2. Find out your internal URL for accessing the Password Registration Portal.

          I am using http://passwordregistration.contoso.com


3. Go to your WAP server and try to access the Password Registration portal using this same URL. If you are able to access it, you can proceed with publishing. If you cannot access the portal from the WAP server, you need to troubleshoot that first: check whether name resolution works correctly and whether a firewall between the WAP and the SSPR portal server is blocking the traffic.

 

Now we have all the required details about the Password Registration Portal for publishing.

Creating the Relying Party Trust in ADFS for FIM Password Registration Portal.

1. Go to your ADFS 2012 server and open the ADFS Management console.

Expand ‘Trust Relationships’ and select ‘Relying Party Trusts’. Click on ‘Add Non-Claims-Aware Relying Party Trust’.

 

2. Click Start on the window and give a display name to identify this Relying Party.

 

3. Click next and type the URL you use to access the FIM Password Registration Portal on your Intranet and click Add.

 

4. Click Next and select the first option on the next window.

 

5. Click Next and close the wizard; the Edit Issuance Authorization Rules window will open automatically. If not, open Edit Issuance Authorization Rules for the Relying Party that you have just added.

 

Click on Add Rules


6. Select ‘Permit All Users’ from the Claim rule template. Click Next, Finish and Apply the Wizard.

 

Now we have completed creating the Relying Party Trust for the FIM Password Registration Portal on ADFS.

 

Now, let’s go to the next step: configuring delegation to the WAP computer account in Active Directory.

 

Configure Delegation to the WAP computer Account in Active Directory

 

1. Find your WAP computer object in AD and open its properties.

    Go to the ‘Delegation’ tab, select the highlighted options (‘Trust this computer for delegation to specified services only’ together with ‘Use any authentication protocol’; WAP needs protocol transition because it holds an ADFS token, not the user's Kerberos ticket) and then click on the Add button.

 

2. Click on the ‘Users and Computers’ button and enter the name of the computer account under which the FIM Password Registration Portal is running (found in step 1 at the beginning of this article).


3. Select the correct SPN (in my case HTTP/passwordregistration.contoso.com) and then click OK. Click Apply and OK on the Delegation tab.


Let’s go through the final step, publishing the Password Registration Portal on WAP:

  

Publishing FIM Password Registration Portal on WAP

 

Now we are ready to publish the Password Registration Portal on WAP.

1. Go to the WAP server and open the Remote Access Management Console.

    Click on the Publish option on the right-hand side of the console.

2. Select ADFS as the Preauthentication method.

 

3. Click Next and the wizard displays the Relying Parties configured on the ADFS server. Select ‘SSPR Registration’ from the list and click Next.


4. On the next window you need to fill in five fields.

  • Name: any name to identify this application (e.g. SSPR Registration)
  • External URL: the URL you will use to access the Password Registration Portal from the internet (https://passwordregistration.contoso.com)
  • External Certificate: since the site is published over SSL we need to select a certificate for this site. Before beginning this wizard, make sure to obtain and install a certificate whose subject matches the external name of your Password Registration portal.
  • Backend server URL: the URL you use to access the Password Registration portal from your intranet (e.g. http://passwordregistration.contoso.com)
  • Backend server SPN: the SPN registered on the Registration portal computer account (e.g. http/passwordregistration.contoso.com); it must match the SPN you selected on the WAP computer account's Delegation tab.

 

5. Click Next, Publish and then Close.
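The same procedure (SPN check on the portal server, reachability check from WAP, the non-claims-aware relying party trust on ADFS, constrained delegation on the WAP computer account, and the WAP publish) as a PowerShell script. This is an added example, not code from the original post; the computer names WAP01 and SSPR01 and the certificate thumbprint are assumed placeholders, and each section must be run on the server named in its comment.

```powershell
# Added example (not from the original post). Assumed placeholders: WAP01 (WAP
# computer account), SSPR01 (portal server), the certificate thumbprint.
$PortalHost  = "passwordregistration.contoso.com"
$PortalSpn   = "HTTP/$PortalHost"
$BackendHost = "SSPR01"                         # assumed: runs the registration portal
$WapHost     = "WAP01"                          # assumed: the WAP server
$RpName      = "SSPR Registration"
$CertThumb   = "<external-cert-thumbprint>"     # placeholder, not a real value

# --- Step 1 (portal server): the SPN must be on the portal computer account
# and must not also exist on another account; a duplicate SPN breaks Kerberos.
$spnOut = setspn -L $BackendHost
if (-not ($spnOut | Select-String -SimpleMatch $PortalSpn)) {
    throw "SPN $PortalSpn not found on $BackendHost (register it with: setspn -S $PortalSpn $BackendHost)"
}
$owners = setspn -Q $PortalSpn | Select-String -SimpleMatch $PortalSpn
if ($owners.Count -gt 1) { throw "SPN $PortalSpn is registered on more than one account" }

# --- Step 3 (WAP server): the backend must be reachable from WAP itself
if (-not (Test-NetConnection -ComputerName $PortalHost -Port 80 -InformationLevel Quiet)) {
    throw "WAP cannot reach $PortalHost on TCP 80: check DNS and firewalls first"
}

# --- ADFS server: non-claims-aware relying party trust that permits all users
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $RpName `
    -Identifier "http://$PortalHost" `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- Active Directory: constrained delegation from the WAP computer account to
# the portal SPN only ("specified services only", never "any service"), plus
# protocol transition ("use any authentication protocol"): WAP has an ADFS
# token, not the user's Kerberos ticket, when it requests the service ticket.
Set-ADComputer -Identity $WapHost -Add @{ 'msDS-AllowedToDelegateTo' = $PortalSpn }
Set-ADAccountControl -Identity "$WapHost`$" -TrustedToAuthForDelegation $true

# --- WAP server: publish with ADFS pre-authentication and KCD to the backend
Add-WebApplicationProxyApplication -Name $RpName `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $RpName `
    -ExternalUrl "https://$PortalHost/" `
    -ExternalCertificateThumbprint $CertThumb `
    -BackendServerUrl "http://$PortalHost/" `
    -BackendServerAuthenticationSPN $PortalSpn

# Show what WAP now holds for this application
Get-WebApplicationProxyApplication -Name $RpName |
    Format-List Name, ExternalUrl, BackendServerUrl, BackendServerAuthenticationSPN, ExternalPreauthentication
```

The Backend server SPN passed to WAP and the SPN added to msDS-AllowedToDelegateTo must be the same value, otherwise the service ticket request fails and users see an authentication error after ADFS sign-in.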

 

So, now we have published the FIM Password Registration portal through WAP!

 

ADDITIONAL INFORMATION

You may have to do some additional configuration on your external firewall to direct the traffic coming for the FIM Password Registration portal from the internet to the WAP server IP. Your ADFS URL should also be accessible from the internet client, and this URL should resolve to the correct IP address (normally it will resolve to your WAP server IP).

Once that is done you will be able to access your FIM Password Registration portal from an external client machine.


Author:  

ANIL GEORGE 
Microsoft Security Support Engineer

 

Reviewer:

SURAJ SINGH 
Microsoft Security Support Escalation Engineer

 


Comments (1)

  1. ron says:

    Hi Anil,

    Thanks for this guide. I managed to publish my apps, but then didn't realise the WAP should be a member of the Domain for this to work! Is there a work around on this? Can we use pass through authentication instead?
