SSPR Server in DMZ need to be domain joined?

Hi

I realize the SSPR web portal does not require SharePoint and only needs IIS. Our security team does not want any self-registration pages to be hosted on a domain-joined server. We do have a reverse proxy server in front of the registration pages before users can reach them. Q - Is it a possible scenario to have the SSPR server in the DMZ, not joined to any domain?

February 21st, 2014 5:10pm

It's not the answer you want, but it's an easy answer: The SSPR server must be domain joined because both the SSPR Registration and Reset application pool identities use integrated Windows authentication to access their special privileges to the FIM Service.

This might be a good opportunity to explore the new ADFS Remote Access proxy role in Server 2012 R2.

February 24th, 2014 11:48am

Shawn,

You need to find out if your reverse proxy supports SPNEGO authentication. If it does, does it support Kerberos Constrained Delegation?

Your reverse proxy will need to be able to request S4ULogon tickets to perform Kerberos Constrained Delegation. Depending on which reverse proxy we are talking about, this might mean that the reverse proxy needs to be domain joined, at the very least.

Once you figure this out, you can then perform application hardening on the reverse proxy to alleviate your IT & Network Security concerns.

Alternatively, consider deploying Web Application Proxy (WAP), which is packaged along with the ADFS 3.0 services.

February 25th, 2014 3:35am
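The two answers above turn on one configuration detail: the SSPR application pools authenticate to the FIM Service with integrated Windows authentication, so whatever sits in front of them (the SSPR server itself or a reverse proxy doing Kerberos Constrained Delegation) has to hold a domain computer account with delegation rights. The script below is an added example, not code from the thread or from any poster, that audits such a proxy account the way a security team would before accepting it: it flags unconstrained delegation, lists the SPNs the account may delegate to, and reports whether protocol transition (the S4U capability the second answer refers to) is enabled. The computer name PROXY01 and the SPN HTTP/sspr.contoso.com are assumed placeholders; the ActiveDirectory module (RSAT) is required.

```powershell
# Added example (not from the thread). Audits how a domain-joined reverse proxy
# computer account is allowed to delegate Kerberos credentials to the SSPR/FIM
# service, and flags the settings a security team would want to avoid.
# Assumptions (hypothetical names): the proxy's computer account is PROXY01 and
# the SSPR portal is published under the SPN HTTP/sspr.contoso.com.
Import-Module ActiveDirectory

$ProxyAccount    = 'PROXY01'
$ExpectedTargets = @('HTTP/sspr.contoso.com', 'HTTP/sspr')

$acct = Get-ADComputer -Identity $ProxyAccount -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Unconstrained delegation (TrustedForDelegation) lets the proxy impersonate any
# user to any service. On a DMZ-facing host that is the setting to avoid;
# remediation is: Set-ADAccountControl -Identity $ProxyAccount -TrustedForDelegation $false
if ($acct.TrustedForDelegation) {
    Write-Warning "$ProxyAccount has UNCONSTRAINED delegation enabled; restrict it to specific SPNs."
}

# Constrained delegation targets live in msDS-AllowedToDelegateTo. To grant only
# the SSPR service, the corresponding change would be:
#   Set-ADComputer -Identity $ProxyAccount -Add @{'msDS-AllowedToDelegateTo'='HTTP/sspr.contoso.com'}
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($allowed.Count -eq 0) {
    Write-Warning "$ProxyAccount has no constrained-delegation targets; KCD to the SSPR service will fail."
}
else {
    "Constrained delegation targets for ${ProxyAccount}:"
    $allowed | ForEach-Object { "  $_" }
    # Anything beyond the SSPR SPNs widens what the proxy can reach on a user's behalf.
    $unexpected = $allowed | Where-Object { $ExpectedTargets -notcontains $_ }
    if ($unexpected) {
        Write-Warning ("Targets beyond the SSPR service: " + ($unexpected -join ', '))
    }
}

# Protocol transition (S4U2Self, TrustedToAuthForDelegation) is what lets the
# proxy obtain a service ticket for a user it authenticated by other means
# (e.g. a forms login) instead of one that arrived via SPNEGO.
if ($acct.TrustedToAuthForDelegation) {
    "Protocol transition is enabled: $ProxyAccount may request S4U2Self tickets for users it authenticates itself."
}
else {
    "Protocol transition is disabled: $ProxyAccount can only delegate Kerberos credentials it received directly."
}
```

Run it from a domain-joined admin workstation against the proxy's computer account. The outcome a security team is usually looking for is: unconstrained delegation off, the target list limited to the SSPR SPNs, and protocol transition enabled only if the proxy actually authenticates users itself rather than passing SPNEGO through.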

This topic is archived. No further replies will be accepted.
