Hello Folks
Just as a reminder of a blog post I posted last year:
Scenario: Contoso has MIM SSPR deployed, and Contoso users currently register and reset their passwords through MIM. Contoso has recently partnered with Fabrikam and wants to offer SSPR to Fabrikam users without establishing a domain trust. Fabrikam wants to pre-register its users so that SSPR registration is not required, since Fabrikam already uses another service to house the question/answer data.
Problem: In FIM/MIM a trust had to be in place for the Active Directory management agent to work correctly, because the password set operation attempts an impersonation call on behalf of the user. In most cases you would see the error below even after pre-registering the users:
Computer: CORPMIM.CONTOSO.COM
Description:
The server encountered an error while attempting to perform a set/change password operation.
“BAIL: MMS(6056): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(6056): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value ‘ADMADoNormalization’, 0x2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value ‘ADMARecursiveUserDelete’, 0x2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value ‘ADMARecursiveComputerDelete’, 0x2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(6056): D:\bt\50368\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
BAIL: MMS(6056): ..\cimpersonate.cpp(137): 0x800706fb (The security database on the server does not have a computer account for this workstation trust relationship.): Impersonation failed with err 800706fb
WARNING: MMS(6056): ..\cimpersonate.cpp(84): Controller:Could not release logon token
BAIL: MMS(6056): admaexport.cpp(2896): 0x800706fb (The security database on the server does not have a computer account for this workstation trust relationship.)
BAIL: MMS(6056): admaexport.cpp(3269): 0x800706fb (The security database on the server does not have a computer account for this workstation trust relationship.)
ERR_: MMS(6056): ..\ma.cpp(8531): ExportPasswordSet failed with 0x800706fb
Forefront Identity Manager 4.4.1459.0”
Solution: We have unlocked and finalized the full end-to-end scenario for registering on behalf of users in an untrusted domain that is connected via the Synchronization Service. This requires MIM 4.4.1642.0 or later.
First, create the service account the management agent will use, following a least-privilege approach: in the Fabrikam domain delegate it only the rights the MA needs for password management (Reset Password on user objects, plus read access for the attributes you import), scoped to the Users OU rather than the whole domain.
Next, create an Active Directory Management Agent using the above credentials and select the following attributes: displayName, objectSid, sAMAccountName.
On the Password Management page of the MA, check 'Enable password management'.
The next step, as you guessed, is to create an inbound synchronization rule to import the users. In the MIM Portal select Synchronization Rules and then New. Give the rule a name, define the appropriate inbound join rule, and check 'Create resource in FIM'.
Attribute flow looks like the below:
Once complete, run a Full Import and Full Synchronization on both the FIM MA and the Fabrikam MA, then an Export on the FIM MA; the user from the untrusted domain should now be visible in the MIM Portal.
Finally, we need to allow the admin or service account to register on behalf of the user (here 'Jeff'). To do this, create an MPR in the MIM Portal with the following settings:
- Type: Request
- Operation: Create resource, Delete resource
- Permissions: Grants Permission (True/checked)
- Target Resource Definition Before Request: All Gate Registrations
- Target Resource Definition After Request: All Gate Registrations
- Resource Attributes: All Attributes (not ideal; you can scope this more tightly)
Because this MPR grants create and delete over every Gate Registration, keep its Requestors set limited to the single admin or service account that performs the pre-registration.
Log on to one of your servers running the FIM Service, open a PowerShell window and import the FIMAutomation snap-in.
Here are the steps for getting the questions to answer and then applying the registration to the user:
Add-PSSnapin FIMAutomation
# Get the questions defined on the workflow (the Name of each Data item is the question text)
(Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName 'Password Reset AuthN Workflow').GateRegistrationTemplates.Data.Name
# Clone the template so the answers can be filled in
$AuthNWFTemplate = (Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName 'Password Reset AuthN Workflow').Clone()
# Answers, in the same order as the questions listed above. These are secrets: in practice
# read them from Fabrikam's Q/A service rather than leaving them as literals in a script.
# Employee Number?
$AuthNWFTemplate.GateRegistrationTemplates[0].Data[0].Value = "1234567"
# Badge Serial Number?
$AuthNWFTemplate.GateRegistrationTemplates[0].Data[1].Value = "z1z1z1z1"
# Favorite Sport?
$AuthNWFTemplate.GateRegistrationTemplates[0].Data[2].Value = "Soccer"
# Register the authentication workflow on behalf of the user, then confirm the registration
Register-AuthenticationWorkflow -UserName fabrikam\jeff -AuthenticationWorkflowRegistrationTemplate $AuthNWFTemplate
Confirm-AuthenticationWorkflowRegistration -UserName fabrikam\jeff -AuthenticationWorkflowName $AuthNWFTemplate.DisplayName
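As an added example that is not part of the original post, the same registration done for a batch of pre-registered Fabrikam users. It matches answers to the gate questions by question name instead of by array position, so a question that is added to or reordered in the workflow is reported rather than silently given the wrong answer, and it checks that each account has already been projected into the FIM Service before attempting the registration. The second user (fabrikam\anna), the sample answers, and the assumption that the inbound attribute flow populates AccountName and Domain on the Person object are illustrative assumptions, not something the original post states.

```powershell
# Added example, not from the original post: register the Password Reset AuthN Workflow
# on behalf of a batch of Fabrikam users, matching answers to gate questions by name.
# Run on a server hosting the FIM Service, as the account the MPR above allows to
# create Gate Registrations.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$workflowName = 'Password Reset AuthN Workflow'

# Constructed sample input (assumption for illustration). In production, pull this from
# the service Fabrikam uses to house the Q/A data; do not leave answers in scripts,
# transcripts or PowerShell history files.
$registrations = @(
    @{ UserName = 'fabrikam\jeff'; Answers = @{
            'Employee Number?'     = '1234567'
            'Badge Serial Number?' = 'z1z1z1z1'
            'Favorite Sport?'      = 'Soccer' } },
    @{ UserName = 'fabrikam\anna'; Answers = @{
            'Employee Number?'     = '7654321'
            'Badge Serial Number?' = 'q9q9q9q9'
            'Favorite Sport?'      = 'Tennis' } }
)

foreach ($reg in $registrations) {
    $domain, $account = $reg.UserName -split '\\', 2

    # The user must already be in the FIM Service (projected by the Fabrikam MA and
    # exported by the FIM MA). Assumes the inbound flow populated AccountName and Domain.
    $filter = "/Person[AccountName='$account' and Domain='$domain']"
    $person = Export-FIMConfig -OnlyBaseResources -CustomConfig $filter
    if (-not $person) {
        Write-Warning "$($reg.UserName): not found in the FIM Service, skipping"
        continue
    }

    # Fetch a fresh template per user so one user's answers can never bleed into the next.
    $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName $workflowName
    $missing = @()
    foreach ($item in $template.GateRegistrationTemplates[0].Data) {
        # $item.Name is the question text, $item.Value the answer to store
        if ($reg.Answers.ContainsKey($item.Name)) {
            $item.Value = $reg.Answers[$item.Name]
        } else {
            $missing += $item.Name
        }
    }

    # Fail closed: a question in the workflow with no supplied answer would otherwise
    # produce a registration the user can never satisfy at reset time.
    if ($missing.Count -gt 0) {
        $list = $missing -join ', '
        Write-Warning "$($reg.UserName): no answer supplied for $list, skipping"
        continue
    }

    Register-AuthenticationWorkflow -UserName $reg.UserName -AuthenticationWorkflowRegistrationTemplate $template
    Confirm-AuthenticationWorkflowRegistration -UserName $reg.UserName -AuthenticationWorkflowName $template.DisplayName
    Write-Host "Registered $($reg.UserName) for '$workflowName'"
}
```

Run it under the account named in the MPR's Requestors set; any other account will have its Create request on the Gate Registration denied by the FIM Service, which is the expected least-privilege outcome.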
Lastly, because Contoso has MFA enabled for SSPR, we need to update the phone number: open Jeff's user object in the MIM Portal and set 'Phone Gate Phone Number' under Advanced View.
Now for the true test: have Jeff go to the MIM SSPR Reset Portal (https://passwordreset.contoso.com/default.aspx) and reset his password.
Out-of-scope items: the MIM SSPR Windows client from the untrusted domain, and the Password Registration Portal.
References:
- Programmatic User Registration: https://technet.microsoft.com/en-us/library/jj134294(v=ws.10).aspx
- FIM 2010 Self Service Password Reset now supports enforcement of all domain password policies: https://support.microsoft.com/en-us/help/2443871/fim-2010-self-service-password-reset-now-supports-enforcement-of-all-d
- Introduction to Management Policy Rules: https://technet.microsoft.com/en-us/library/ee534905(v=ws.10).aspx
- Password Reset Deployment Guide: https://technet.microsoft.com/en-us/library/ee534892(v=ws.10).aspx