I am currently looking at the FIM 2010 product and have some questions on the product. There was a statement made that the FIM portal access requires an Active Directory account to access the self service features of FIM. In the scenario I am working in only 10% of the users have an Active Directory account and the other 90% of users have an AD LDS LDAP account that they use with simple LDAP bind authentication to access various LDAP based applications. These 90% of users do not have AD accounts (licensing cost contraint for AD integrated products). I was seeing if there was a way to support Forms based authentication in FIM 2010 against AD LDS LDAP services for portal access. I was also interested in how this would effect the abilit to use the PCNS and GINA based SSPR feature for users to reset their password when they don't have an AD account and some other users do have one. It seems that the current design would result in a chasing loop where the PCNS would trigger the change in AD LDS via the sync, but that would only work if the AD user changed their PW in AD. If they change it in AD LDS and the Sync pushes to AD, it would bounce back and fourth between the domain and LDAP with the design of the PCNS services. Any help is appreciated on this.

AFAIK, accessing the Portal and using the Self-Service Password Reset both require AD accounts. We did spend a lot of time trying to come up with alternatives but we couldn't see how. Accessing the Portal requires having a SID from AD in your user resource.David Lundell www.ilmBestPractices.com

You are using integrated authentication is IIS to resolve your AD account and get the AD Account SID. I don't think there is a supported option for what you are trying to do other than to make AD accounts and change their object type in ADLDS to UserProxy.Eric