MIM SSPR Reset from pre-registered user in sync connected untrusted domain! say what!!

Hello Folks

Just as a reminder from a blog post I posted last year

 

Scenario: Contoso has MIM SSPR deployed, and Contoso users currently register and reset their passwords using MIM. Contoso has recently partnered with FabriKam and wants to offer SSPR to FabriKam's users without setting up a trust. FabriKam wants to pre-register its users so that SSPR registration is not required, since they use another service to house the Q/A-related items.

Problem: In FIM/MIM you would need a trust in place for the Active Directory management agent to work correctly, because it attempts an impersonation call on behalf of the user. In most cases you would see the error below even if you pre-registered the users:

Computer:     CORPMIM.CONTOSO.COM
Description:
The server encountered an error while attempting to perform a set/change  password operation.
“BAIL: MMS(6056): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(6056): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value ‘ADMADoNormalization’, 0x2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value ‘ADMARecursiveUserDelete’, 0x2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value ‘ADMARecursiveComputerDelete’, 0x2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
BAIL: MMS(6056): ..\cimpersonate.cpp(137): 0x800706fb (The security database on the server does not have a computer account for this workstation trust relationship.): Impersonation failed with err 800706fb
WARNING: MMS(6056): ..\cimpersonate.cpp(84): Controller:Could not release logon token
BAIL: MMS(6056): admaexport.cpp(2896): 0x800706fb (The security database on the server does not have a computer account for this workstation trust relationship.)
BAIL: MMS(6056): admaexport.cpp(3269): 0x800706fb (The security database on the server does not have a computer account for this workstation trust relationship.)
ERR_: MMS(6056): ..\ma.cpp(8531): ExportPasswordSet failed with 0x800706fb
Forefront Identity Manager 4.4.1459.0”

 

Solution: We have unlocked and finalized the full end-to-end scenario for registration on behalf of users in an untrusted domain connected via the Synchronization Service. This requires MIM 4.4.1642.0 or greater.

 

First, we need to create a management agent account using a least-privilege approach: we delegate rights only to the Users OU.

image

 

Next, we will create an Active Directory Management Agent using the above credentials and select the following attributes: displayName, objectSid, sAMAccountName.

On the Password Management page, check 'Enable password management'.

image

The next step, as you guessed, is to create a sync rule to import the users. In the MIM Portal select Synchronization Rules and New. Select the appropriate inbound join rule and name, then check 'Create resource in FIM'.

 

image

 

The attribute flow looks like the below:

image

 

Once all of that is complete, run a Full Import and Sync on the FIM MA and the FabriKam MA, then an Export on the FIM MA, to see the user from the untrusted domain.

 

image

 

Finally, we need to allow the admin or service account to register on behalf of the user, aka 'Jeff'. To do this we will create an MPR in the MIM Portal.

image

  • Type: Request
  • Operation: Create resource, Delete resource
  • Permissions: Grants Permission (True/checked)
  • Target Resource Definition Before Request: All Gate Registrations
  • Target Resource Definition After Request: All Gate Registrations
  • Resource Attributes: All Attributes (not ideal from a least-privilege standpoint, but you can get more granular)

Log on to one of your servers running the FIM Service, open a PowerShell console and import the FIMAutomation snap-in. Here are the steps for getting the questions to answer and then applying them to the user:

Add-PSSnapin FIMAutomation
# Get the gate questions defined on the password reset workflow
(Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName 'Password Reset AuthN Workflow').GateRegistrationTemplates.Data.Name

image

# Clone the registration template so the workflow's own template is left untouched
$AuthNWFTemplate = (Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName 'Password Reset AuthN Workflow').Clone()

# Employee Number?
$AuthNWFTemplate.GateRegistrationTemplates[0].Data[0].Value = "1234567"

# Badge Serial Number?
$AuthNWFTemplate.GateRegistrationTemplates[0].Data[1].Value = "z1z1z1z1"

# Favorite Sport?
$AuthNWFTemplate.GateRegistrationTemplates[0].Data[2].Value = "Soccer"

image

# Register the authentication workflow for the user with the pre-filled answers
Register-AuthenticationWorkflow -UserName fabrikam\jeff -AuthenticationWorkflowRegistrationTemplate $AuthNWFTemplate

image

Confirm-AuthenticationWorkflowRegistration -UserName fabrikam\jeff -AuthenticationWorkflowName $AuthNWFTemplate.DisplayName

image
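The steps above set each answer by its position in the template (Data[0], Data[1], Data[2]), which silently puts the wrong answer on the wrong question if the gate's question order ever changes. The following is an added example, not code from the original post, that wraps the same FIMAutomation cmdlets in a function that matches answers by question name, refuses to register if a supplied question is not found in the template, and confirms the registration afterwards. It assumes the snap-in is available on a FIM Service server, that the workflow is named 'Password Reset AuthN Workflow' as in the post, and that the question names are the ones shown in the post's comments; the function name and the answer values are constructed for illustration.

```powershell
# Added example (not from the original post): register SSPR answers on behalf
# of a user by matching gate question names instead of template index order.
# Assumes the FIMAutomation snap-in is present on a server running the
# FIM Service and that the workflow is named as in the post.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

function Register-SsprAnswersOnBehalf {
    param(
        [Parameter(Mandatory)] [string]    $UserName,   # e.g. 'fabrikam\jeff'
        [Parameter(Mandatory)] [hashtable] $Answers,    # question name -> answer
        [string] $WorkflowName = 'Password Reset AuthN Workflow'
    )

    # Clone the template so the workflow's own template is left untouched.
    $template = (Get-AuthenticationWorkflowRegistrationTemplate `
                    -AuthenticationWorkflowName $WorkflowName).Clone()

    # Walk every gate in the template and fill only the questions supplied.
    $filled = @()
    foreach ($gate in $template.GateRegistrationTemplates) {
        foreach ($item in $gate.Data) {
            if ($Answers.ContainsKey($item.Name)) {
                $item.Value = $Answers[$item.Name]
                $filled += $item.Name
            }
        }
    }

    # Fail closed: a typo in a question name would otherwise leave the gate
    # half-registered, and the user would be locked out of self-service reset.
    $missing = @($Answers.Keys | Where-Object { $filled -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Questions not found in '$WorkflowName': $($missing -join ', ')"
    }

    Register-AuthenticationWorkflow -UserName $UserName `
        -AuthenticationWorkflowRegistrationTemplate $template

    # Verify the registration was actually recorded before reporting success.
    Confirm-AuthenticationWorkflowRegistration -UserName $UserName `
        -AuthenticationWorkflowName $template.DisplayName
}

# Usage with the post's sample questions; the answer values are constructed.
Register-SsprAnswersOnBehalf -UserName 'fabrikam\jeff' -Answers @{
    'Employee Number?'     = '1234567'
    'Badge Serial Number?' = 'z1z1z1z1'
    'Favorite Sport?'      = 'Soccer'
}
```

Because the answers are authentication secrets for the target user, feed them to the function from the external system that houses them rather than typing them interactively, so they do not end up in the PowerShell history or a transcript on the FIM Service server.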

 

Lastly, we need to update the phone number, since Contoso has MFA enabled for SSPR: open Jeff's user object and update the 'Phone Gate Phone Number' under Advanced View.

image

Now for the true test: let's have Jeff go to the MIM SSPR Reset Portal (https://passwordreset.contoso.com/default.aspx).

image


 

Out-of-scope items: MIM SSPR with the client from the untrusted domain, and the Password Registration Portal.

 

References :

Programmatic User Registration: https://technet.microsoft.com/en-us/library/jj134294(v=ws.10).aspx

FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies: https://support.microsoft.com/en-us/help/2443871/fim-2010-self-service-password-reset-now-supports-enforcement-of-all-d

Introduction to Management Policy Rules: https://technet.microsoft.com/en-us/library/ee534905(v=ws.10).aspx

Password Reset Deployment Guide: https://technet.microsoft.com/en-us/library/ee534892(v=ws.10).aspx

David Steadman has written 40 articles
