Sunday 25 January 2015

FIM 2010: SSPR with one-way trust


This article describes and documents an SSPR setup between two AD forests that are connected by a one-way trust. FIM is deployed in the internal domain. Users from the domain are imported and managed by FIM. There is a one-way incoming trust on the domain. All prerequisites from the password reset deployment guide are already satisfied.

DMZ connector configuration

SSPR requires that the DMZ connector (management agent) service account has the "Allow log on locally" right on the FIM synchronization server. If the service account comes from the DMZ domain, a two-way trust would be required for that assignment. Since a two-way trust is not an option in this scenario, a service account from the IS4U domain is used instead and is delegated the required rights in the DMZ domain. At a minimum this includes the following:
  1. Replicating directory access
  2. Reset password
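The delegation above, scripted with dsacls so it is repeatable and reviewable. This is an added example, not the author's script; the DMZ domain DN (`DC=dmz,DC=local`), the OU holding the managed users and the IS4U service account name (`IS4U\svc-fim-dmzma`) are placeholders and must be replaced with the real values. The "Replicating Directory Changes" right is granted on the domain naming context (it cannot be scoped lower), while "Reset Password" is granted only on the OU that contains the users FIM manages, inherited to user objects, rather than on the domain root.

```powershell
# Added example (not from the original post). All names below are placeholders.
$DmzDomainDN   = "DC=dmz,DC=local"                 # naming context of the DMZ domain
$ManagedUsersOU = "OU=Users,DC=dmz,DC=local"       # OU that holds the users FIM manages
$ServiceAccount = "IS4U\svc-fim-dmzma"             # service account from the trusting (IS4U) forest

# 1. Replicating Directory Changes: needed by the FIM AD management agent for
#    directory synchronisation. It is a control-access right (CA) on the naming context.
dsacls $DmzDomainDN /G "$($ServiceAccount):CA;Replicating Directory Changes"

# 2. Reset Password: needed for SSPR. Scope it to the managed-users OU only and let it
#    inherit to user objects (/I:S = sub-objects of the given class) instead of granting
#    it on the whole domain.
dsacls $ManagedUsersOU /I:S /G "$($ServiceAccount):CA;Reset Password;user"

# Verification: list the ACEs that now mention the service account. Anything beyond the
# two rights above on these objects should be questioned.
Write-Host "--- ACEs for $ServiceAccount on $DmzDomainDN ---"
dsacls $DmzDomainDN | Select-String -SimpleMatch $ServiceAccount
Write-Host "--- ACEs for $ServiceAccount on $ManagedUsersOU ---"
dsacls $ManagedUsersOU | Select-String -SimpleMatch $ServiceAccount
```

Run this from a DMZ domain controller (or a host with RSAT) as an account that may modify the DMZ directory ACLs. Because the trust is one-way, the DMZ domain must be able to resolve the IS4U account; if dsacls reports that the trustee cannot be found, the trust direction is the first thing to check, not the command.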