Double-prompting of username/password when using password registration portal in FIM 2010 R2 RC
The password registration portal works wonderfully BTW! The only problem I have is when going to the password registration portal, I get prompted to enter my username and password. When I enter my credentials, it takes me to the page to click "Next", then it takes me to the page where it asks me to enter my password. I don't get the first credentials prompt when I'm locally logged into the FIM server, only when remotely connecting to the password registration page.
February 16th, 2012 1:09pm
I haven't tried out R2 or the SSPR feature in RTM, but based on your description it seems like an IIS server authentication problem. Is the hostname or FQDN that you are putting into the address bar to get there in the Local Intranet zone of IE on your client machines? If so, also check the security settings for that zone and verify in the User Authentication section the option "Automatic logon only in Intranet zone" is selected. I would not expect automatic authentication to work with browsers other than IE. Chris
February 16th, 2012 2:56pm
We added the URL of the FIM R2 Password Registration portal to the Local Intranet zone and that removed the extra prompt for us. John Johnson
February 18th, 2012 5:31pm
Thanks John. You are right that the prompt does not come up when the site is set to the local intranet zone. Unfortunately, the people who are going to use this software will be students that will use any type of browser and non-domain machines, basically external customers.
February 24th, 2012 4:29pm
That is less of a problem than you might think. That setting in IE is only for how to deal with the site from a "canned" security point of view. In other words... if every externally connected machine that wants to use the portal has your site registered as a "local intranet zone" machine, it just changes the security framework within IE so it will work with authentication correctly. The fact that they are coming in from outside the domain is inconsequential.
February 24th, 2012 5:01pm
How can we configure this without having every person who plans on using our system add our system name to their Local Intranet zone? We have 4000 students and there is no way we can tell everyone how to do that. Isn't there a way we can change the Windows auth to Basic and use HTTPS or something? I notice that the password reset page comes up fine with anonymous enabled. Joe M
May 1st, 2012 3:35pm
The password reset page must come up with anonymous enabled because in the context of a password reset the user cannot authenticate himself or herself with username and password. The Local Intranet zone fix applies if they are already logged in with those credentials to the workstation. So ideally you "own" those machines and can configure Internet Explorer via group policy or some other automated desktop management tool. I haven't had hands-on experience with that in a few years. I know the group policy settings that originally targeted IE6 stopped working with later versions, but I would hope updated group policy template versions have the necessary settings. If you were to change the IIS authentication method to Basic, they would ALWAYS be prompted to enter their credentials at the step where Windows-integrated authentication would do it for you with the Local Intranet zone setting. It would not eliminate the second prompt to confirm the password in-page. I do not know if it is possible to configure FIM's SSPR not to prompt the user to confirm the password before continuing on to set up their registration, but it would probably not be recommended in the context where integrated authentication is possible. The reason would be that a user that left a workstation logged in and unattended could have their security questions set up on their behalf and their password subsequently changed (reset) without their knowledge and without the evil-doer knowing their password. In the context of changing passwords, the current password must always be provided as part of the process, and this works the same way because the consequence is the same. Chris
May 1st, 2012 4:04pm
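Chris's point above is that the zone assignment only removes the prompt on workstations you manage, where it can be pushed out rather than clicked through in Internet Options. As an added example that is not part of this thread, the script below writes the same assignment the "Sites" dialog and the "Site to Zone Assignment List" policy write, and pins the zone's logon setting to the value Chris asks to verify. The hostname sspr.example.org and the registry paths for IE's zone map are assumptions; the value names (scheme under ZoneMap\Domains, URL under ZoneMapKey, 1A00 for the logon setting) are the documented IE registry layout.

```powershell
# Added example, not from the thread. Puts the SSPR portal host in IE's Local Intranet zone (zone 1)
# so Windows-integrated authentication sends the logged-on user's credentials without the extra
# DOMAIN\user prompt. Only a host you own, reached over HTTPS, belongs in this zone: any host in
# zone 1 receives the user's Windows credentials automatically, so a look-alike name would too.

$dnsSuffix = 'example.org'   # placeholder: DNS suffix of the portal host
$hostLabel = 'sspr'          # placeholder: hostname label of the portal (sspr.example.org)

# 1) Per-user assignment: what Internet Options > Security > Local intranet > Sites writes.
#    Value name = URL scheme, data = zone number (1 = Local intranet). Only HTTPS is listed,
#    so an http:// copy of the name does not inherit the trust.
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$dnsSuffix\$hostLabel"
New-Item -Path $zoneMap -Force | Out-Null
New-ItemProperty -Path $zoneMap -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# 2) Centrally managed equivalent: the "Site to Zone Assignment List" group policy
#    (Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel >
#    Security Page) writes here. While that policy applies, users cannot add sites of their own,
#    which is what you want on managed desktops.
$policyMap = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
New-Item -Path $policyMap -Force | Out-Null
New-ItemProperty -Path $policyMap -Name "https://$hostLabel.$dnsSuffix" -PropertyType String -Value '1' -Force | Out-Null

# 3) Zone 1's "User Authentication > Logon" setting is registry value 1A00:
#    0x00000 = Automatic logon with current user name and password
#    0x10000 = Prompt for user name and password
#    0x20000 = Automatic logon only in Intranet zone   (IE default for zone 1, the option Chris names)
#    0x30000 = Anonymous logon
$zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
Set-ItemProperty -Path $zone1 -Name '1A00' -Value 0x20000 -Type DWord

# 4) Read back what was written so the change can be checked on a test workstation.
Get-ItemProperty -Path $zoneMap   | Select-Object https
Get-ItemProperty -Path $policyMap | Select-Object "https://$hostLabel.$dnsSuffix"
Get-ItemProperty -Path $zone1     | Select-Object 1A00
```

Step 2 is the one to deploy: it needs no per-user action and, as the thread notes, only works for machines under your control. The per-user write in step 1 is there to show what the dialog does and for testing on a single machine. None of this helps a browser on a non-domain machine, which is the rest of the thread.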
You can simply remove the Password Gate in the authentication workflow; then you will only see the IE prompt. Before you do so, please read my blog and understand why it was introduced: http://blogs.technet.com/b/aho/archive/2009/10/04/forefront-identity-manager-credential-management-part-2.aspx
May 2nd, 2012 1:24am
Thanks for the reply. It is the IE prompt that I want to remove. I am ok with the Password Gate and actually kind of like it. We have many students that never visit campus (online) and they do not know what our domain name is. We try to put help pages out there but they never read them and then end up calling, so SSPR does not reduce any calls. If we can't remove the IE prompt because they will not enter domain name\username, do you know of a way to hard code or default the domain name? I know we have done this with other applications (TMG 2010) but I can't seem to find anything on our FIM server. Under the password reset IIS site, Windows Authentication is the only one enabled and there is no way to set a default domain like with Basic. Thanks, Joe. Joe M
May 2nd, 2012 10:40am
Chris, thanks for the response. On our domain, we do add this site to the Local Intranet zone and we have no issue. It is just for the people whose computers we don't have control over. It just seems redundant because they get the IE prompt asking for domain name\username and password (this is the one we want to do away with) and then it takes them to the registration page where they click Next and have to enter their username and then their password. So you can see where frustrations are going to occur when students, who do not know our domain name because they never visit a domain-joined computer or read our help pages, are going to just keep entering their username and never get to the registration page. We have TMG 2010 and a SharePoint portal. I am not sure if I can link it through either of those that already authenticate the student (neither of these prompts for or requires a domain name) and then have them register. Any thoughts anyone? Thanks. Joe M
May 2nd, 2012 10:45am
When we deployed our third-party SSPR product, I was asked to set the IIS authentication to Basic and protect it with SSL for the very problem that you describe... the students don't know to put DOMAIN\ in front of the username. There is no way to specify a default domain for integrated Windows authentication that falls back to the NTLM prompt when the browser doesn't pass the credential automatically. I did it just for the public-facing web servers at first, but then was asked to change it for the internal web server as well to provide a "consistent experience", since some students were trying to set up their security questions in another user's context. Thankfully the new version has the ability to do everything in-page with an anonymous context connecting to IIS and we don't have to provide dire warnings about closing the browser after finishing when working from a kiosk machine. I've played a bit with UAG 2010, which rests on top of TMG, and the in-page authentication it does doesn't require one to enter the domain. I don't know that you could accomplish the same thing with just TMG, and UAG might be more than you want to spend just for this, but it could be worth trying to link them from an already-authenticated SharePoint page to your SSPR site (which is just another SharePoint site at its core). Chris
May 2nd, 2012 12:11pm
What I ended up doing was disabling Windows Authentication and enabling Basic. Then I set up HTTPS instead of HTTP (so I feel a little better about it) and that is all working. Then on my TMG server, I just modified the portal page with links out to the password reset registration and the password reset. My only question now is, after someone resets their password or goes through the registration, after the very last step I would like it to redirect back to my TMG portal page. I am guessing I can do that in my Gate but not sure how at the moment. I guess worst case scenario is that I have my links open up in new windows so that the portal page is still up. Just thought it would be cleaner by redirecting them back when all done. Joe M
May 2nd, 2012 4:36pm
I have seen someone setting up TMG in front of the SSPR portals. IIRC, the user would only see TMG's form-based authentication and will see no IE dialog (because TMG should do the magic). You can set where the users will be redirected after clicking the FINISH or CANCEL button. Look at web.config:

    <customizationSettings>
      <add key="PrivacyPolicyLink" value="http://go.microsoft.com/fwlink/?LinkId=233314"/>
      <add key="HomepageLink" value=""/>
      <add key="CancelUrl" value="" />
      <add key="FinishUrl" value="" />
      <add key="PasswordResetLink" value="" />
      <add key="DisplayUsernameInUPNFormat" value="false" />
      <add key="ValidResetUsernameRegex" value="^[^@\\]+((@|\\)[^@\\]+)?$" />
      <add key="DefaultDomainName" value="" />
    </customizationSettings>

Re: students not knowing their domain, have you considered adding the student's email as their UPN? Most apps handle UPN as username quite well.
May 3rd, 2012 3:25am
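Two earlier posts describe configuration that is easy to get half right: Joe's switch from Windows Authentication to Basic over HTTPS on the registration site, and the web.config customizationSettings keys (FinishUrl, CancelUrl, DefaultDomainName) shown just above. As an added example that is not part of this thread or of the FIM product, the script below does both in one pass, forcing SSL on the site before Basic is enabled and filling the web.config keys in place. The IIS site name, web.config path, domain and landing URL are placeholders; the meaning of the DefaultDomainName key (that it supplies the domain for the in-page username) is an assumption from its name, not something the thread confirms.

```powershell
# Added example, not from the thread. Requires the IIS WebAdministration module (IIS 7+ on the FIM
# server). Applies to the password REGISTRATION site only: the reset site runs anonymous, as
# explained earlier in the thread, and must stay that way.
Import-Module WebAdministration

$site        = 'FIM Password Registration Site'               # placeholder: IIS site name as shown in IIS Manager
$webConfig   = 'C:\inetpub\FIMPasswordRegistration\web.config'  # placeholder: the site's web.config path
$logonDomain = 'CAMPUS'                                         # placeholder: NetBIOS domain students log on to
$landingUrl  = 'https://portal.example.org/'                    # placeholder: TMG portal page to return to

# Basic authentication sends the password (base64-encoded, not encrypted) with every request, so
# require SSL on the site FIRST. Writing with -Location into applicationHost.config works even though
# the authentication sections are locked at server level by default.
Set-WebConfigurationProperty -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl' -PSPath 'IIS:\' -Location $site

# Windows-integrated auth is what produces the DOMAIN\user prompt for browsers that cannot pass the
# logged-on credentials (non-domain machines, non-IE browsers). Turn it off, then enable Basic.
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled' -Value $false -PSPath 'IIS:\' -Location $site
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name 'enabled' -Value $true -PSPath 'IIS:\' -Location $site

# Basic (unlike Windows auth) lets IIS supply a default logon domain, so a student who types only
# "username" is authenticated as CAMPUS\username.
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name 'defaultLogonDomain' -Value $logonDomain -PSPath 'IIS:\' -Location $site

# Fill the customizationSettings keys from the thread's web.config excerpt in place. Each key is
# expected to exist already; a missing key stops the script rather than silently skipping it.
[xml]$cfg = Get-Content -Path $webConfig
$settings = @{
    FinishUrl         = $landingUrl   # where FINISH sends the user
    CancelUrl         = $landingUrl   # where CANCEL sends the user
    DefaultDomainName = $logonDomain  # assumed: domain used for the in-page username
}
foreach ($entry in $settings.GetEnumerator()) {
    $node = $cfg.SelectSingleNode("//customizationSettings/add[@key='$($entry.Key)']")
    if ($null -eq $node) { throw "Key '$($entry.Key)' not found under <customizationSettings> in $webConfig" }
    $node.SetAttribute('value', $entry.Value)
}
$cfg.Save($webConfig)

# Read back the effective authentication state so the result can be checked before go-live:
# expected is anonymous=false, basic=true, windows=false on this site, and sslFlags containing Ssl.
Get-WebConfigurationProperty -Filter 'system.webServer/security/authentication/*' `
    -Name 'enabled' -PSPath 'IIS:\' -Location $site
Get-WebConfigurationProperty -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -PSPath 'IIS:\' -Location $site
```

The order matters: SSL is enforced before Basic is enabled, so there is no window in which a plain-HTTP request could carry a password. The remaining exposure Chris describes still applies to Basic: the browser keeps replaying the credential for the rest of its session, so a shared or kiosk machine is only safe once the browser is closed, which is why the in-page password gate is worth keeping even after the IIS prompt is gone.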
I will test a little with the web.config file. Thanks. As for the UPN, our domain is bc3.edu and all staff and faculty and students have a firstname.lastname@example.org. Faculty and staff also have an email address of that. Our students' email is hosted at Microsoft and is in the format of my.bc3.edu, which is not our internal domain. I guess I can try to set up an alternative UPN internally and see if a user can log in to Windows with that. I will let you know how it goes. Joe M
May 3rd, 2012 9:59am