Is it possible to use the FIM Portal with no AD available
We are looking into using FIM and the portal as a solution for user provisioning and management, but there are a couple of questions that I have not been able to find answers to that someone may already know. Is it possible to use the FIM portal for user management in an environment with no Active Directory system? The only user stores would be custom SQL Server based user stores. Given the above, would the FIM solution be able to support different password complexity rules per user based on a group or role they are in? Thank you for your time.
April 18th, 2012 2:14pm

I think you will need some form of AD for the users who are managing other users to access the portal and log in.

1. If the users being managed don't need to log in to the portal, then it's possible they could be managed via the portal and have the sync flow the attribute values to SQL.

2. I'm assuming FIM is being used to generate the password in this case and that the password is stored in SQL? If so, it's possible to do a synchronization rule to generate a password that meets the complexity requirements you need. You'd then just apply that sync rule to the set of users that you want to have that password complexity. Alternatively, you could use a custom workflow when a user is created or moved to the group to generate the password.

Not sure if I am understanding your requirement correctly?

Thanks, Sami
April 18th, 2012 2:30pm

To add further to Sami's comments: you would obviously need the people who are configuring the FIM system in the portal to have AD accounts, although you don't need to sync them in. You can use the PowerShell script in the TechNet FIM scriptbox to manually copy the user's objectSID onto an account with the correct AD info that you manually enter. That way you don't need to create an AD Management Agent.

The users being managed don't have to ever be exported (or imported) from AD, which also means those users can't log into the FIM portal, since there has to be an AD account to log in.

The user's password can be generated with different rules based on set membership or some user attribute. It might involve some custom activity work, but it's not very difficult. If you're talking about managing the actual AD *policy*, that's something different; AD manages that part.

Hope this helps..

Frank C. Drewes III - Senior Consultant: Oxford Computer Group
April 18th, 2012 3:14pm
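Sami's and Frank's replies above both describe generating passwords under different complexity rules depending on which FIM set (role) a user belongs to. The following is an added example, not code from this thread or from FIM itself, showing the policy-selection and generation logic in Python: the set names, the policy values and the "strictest policy wins" rule for users in several sets are assumptions for illustration, and in FIM this logic would sit in a synchronization rule or a custom workflow activity.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Complexity rules applied to generated passwords for one FIM set (role)."""
    name: str
    min_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = False


# Constructed sample policies keyed by set name; names and values are assumptions.
POLICIES = {
    "Standard Users": PasswordPolicy("Standard Users", min_length=12),
    "Privileged Users": PasswordPolicy("Privileged Users", min_length=20, require_symbol=True),
}
DEFAULT_POLICY = POLICIES["Standard Users"]


def policy_for(set_memberships):
    """Select the policy for a user from the sets they belong to.

    A user may be in several sets; assumed rule: the policy with the greatest
    minimum length wins, so privileged membership never weakens the requirement.
    Users in no known set fall back to the default policy.
    """
    candidates = [POLICIES[s] for s in set_memberships if s in POLICIES]
    if not candidates:
        return DEFAULT_POLICY
    return max(candidates, key=lambda p: p.min_length)


def complies(password, policy):
    """Return True when the password satisfies every rule in the policy."""
    symbols = set(string.punctuation)
    checks = [len(password) >= policy.min_length]
    if policy.require_upper:
        checks.append(any(c.isupper() for c in password))
    if policy.require_lower:
        checks.append(any(c.islower() for c in password))
    if policy.require_digit:
        checks.append(any(c.isdigit() for c in password))
    if policy.require_symbol:
        checks.append(any(c in symbols for c in password))
    return all(checks)


def generate_password(policy, attempts=1000):
    """Generate a password under the policy using the OS CSPRNG (secrets).

    Characters are drawn uniformly from the alphabet the policy allows and the
    candidate is rejected until it meets every rule. Rejection sampling yields a
    uniform distribution over all compliant strings, unlike schemes that pick one
    character per class first and then fill the rest.
    """
    alphabet = string.ascii_letters + string.digits
    if policy.require_symbol:
        alphabet += string.punctuation
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.min_length))
        if complies(candidate, policy):
            return candidate
    raise RuntimeError(f"could not satisfy policy {policy.name!r} in {attempts} attempts")


def provision_password(user, set_memberships):
    """Entry point mirroring a per-set sync rule: pick the policy, generate, verify."""
    policy = policy_for(set_memberships)
    password = generate_password(policy)
    if not complies(password, policy):  # defensive re-check before handing it on
        raise RuntimeError("generated password failed its own policy")
    return {"user": user, "policy": policy.name, "password": password}


if __name__ == "__main__":
    # Constructed sample users and memberships.
    for user, sets in [("alice", ["Standard Users"]),
                       ("bob", ["Standard Users", "Privileged Users"]),
                       ("carol", [])]:
        result = provision_password(user, sets)
        print(result["user"], result["policy"], len(result["password"]))
```

The policy table is the only piece that changes per deployment; the strictest-wins selection is what keeps a user who is added to a privileged set from silently retaining a weaker rule, which is the failure mode to watch for when policies are keyed on set membership.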

The FIM Portal REQUIRES AD! No AD => no FIM Portal.

Reason: The FIM Portal leverages AD authentication and the user objects in the FIM portal require an objectSid, sAMAccountName and domain name. FIM does not store passwords for users, AD does. Because FIM does not store passwords, it also does not need to manage those passwords and therefore no password policies exist in FIM. AD is the authentication provider and is therefore the one with the password policies.

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
Jorge's Quest For Knowledge
BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/
RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/

"QuestionGuy789" wrote in message news:1d764e11-4ead-474f-900a-a4bbc1a48272@communitybridge.codeplex.com...
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
April 19th, 2012 2:20am

Depending on the requirements, if you do NOT wish to extend the AD schema, there might be an easier way to go: ADLDS, formerly known as ADAM: http://technet.microsoft.com/en-us/library/cc754361(v=ws.10).aspx

ADLDS has some distinct advantages:
- It does support LDAP
- Lightweight AD, offering interesting features on the level of manageability
- It's free (to download, or part of Windows 2008 as a server role)
- Easy to install
- Easy to integrate with FIM
- Schema can be extended far more easily
- You can run multiple ADLDS instances on one server
- ...

Yes, it's another LDAP store, but it might deliver far better economics than customizing the 3rd party applications to communicate with FIM directly. http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/0053aa0f-ce65-43fd-91e9-9e5b80dc0da9
April 24th, 2012 4:33am
