ADLDS Password Proxy and FIM 2010

I would like to set up AD LDS as a proxy that passes every request for a bind through to the actual AD server. I know you can use proxy objects but in my case I would need to make over 10,000 proxy objects and counting. According to these two links it's possible by using FIM. However there are no steps and I am new to this. Does anyone have any ideas or steps that I can use to accomplish this? My goal is to have the application use ADLDS for authentication then proxy the password to the AD environment.


Adam BrownSr Solutions ArchitectCommented:
FIM is a phenomenally complex piece of software and it isn't very well documented. I'd recommend digging through the Technet articles and how-tos on it, but be aware that there are several errors in them that make the scenarios difficult to properly complete. FIM would essentially act as a synchronization system between the ADLDS and AD servers, creating any objects that exist on one server with another server. It is probably also overkill for your purpose and it's very likely to be too expensive (Server license is about 18,000 dollars).

What you may want to look into is creating the proxy objects with Powershell rather than using FIM. That way you can script the creation of all the objects you need as well as a scripted pull from your AD infrastructure into a CSV file to use with the object creation script. Probably a lot easier and definitely cheaper.
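As an added illustration of the scripted approach suggested above (this is not code from any participant in the thread): a PowerShell script that pulls enabled AD users into a CSV and then creates one AD LDS userProxy object per user, which is the object type AD LDS uses to redirect a simple bind to AD. The host name ldshost:389, the partition DC=app,DC=local and the OU=Users container are placeholders, and the script assumes the MS-UserProxy.ldf schema has been imported into a domain-joined AD LDS instance.

```powershell
# Added example, not from the page: bulk-create AD LDS userProxy objects.
# Placeholders: AD LDS instance ldshost:389, partition DC=app,DC=local,
# container OU=Users. Requires MS-UserProxy.ldf imported into the instance
# and the AD LDS host joined to the source AD domain.
Import-Module ActiveDirectory

$ldsPath = 'LDAP://ldshost:389/OU=Users,DC=app,DC=local'   # placeholder
$csvPath = "$env:TEMP\ad-users.csv"

# Step 1: scripted pull from AD. A proxy object only needs the account name
# and the SID; UPN and mail are carried along so applications can search on them.
Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Select-Object SamAccountName, @{n='Sid'; e={ $_.SID.Value }}, UserPrincipalName, mail |
    Export-Csv -Path $csvPath -NoTypeInformation

# Step 2: create one userProxy per CSV row. objectSid must be supplied at
# creation time (AD LDS will not let it be changed later), so the script
# skips objects that already exist and is safe to re-run as AD grows.
$container = [ADSI]$ldsPath
$existing  = @{}
foreach ($child in $container.Children) {
    $existing[[string]$child.Properties['cn'].Value] = $true
}

foreach ($row in Import-Csv -Path $csvPath) {
    if ($existing.ContainsKey($row.SamAccountName)) { continue }

    # Convert the textual SID (S-1-5-21-...) to the binary form objectSid expects.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($row.Sid)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)

    $proxy = $container.Create('userProxy', "CN=$($row.SamAccountName)")
    $proxy.Put('objectSid', $bytes)
    if ($row.UserPrincipalName) { $proxy.Put('userPrincipalName', $row.UserPrincipalName) }
    if ($row.mail)              { $proxy.Put('mail', $row.mail) }
    $proxy.SetInfo()
    Write-Verbose "Created userProxy for $($row.SamAccountName)"
}
```

Bind redirection forwards the client's cleartext password to a domain controller, so AD LDS by default refuses proxy binds over a non-TLS connection (the RequireSecureProxyBind setting); leave that default in place and have the application bind over LDAPS.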
litogAuthor Commented:
Thanks, but initially I see us using this for the proxy with more identity management later down the road. HR, User provisioning, etc...

As you mentioned, documentation is not very clear in some areas, and since I have seen it mentioned that it's possible, I was looking for a link with a step by step process. I have gone through the technet articles and can only find "Password Synchronization" and not "Password Proxy", which I assume are two different things.

Adam BrownSr Solutions ArchitectCommented:
Yes, the password sync refers to the PCNS (Password Change Notification Service) in FIM. The service is meant to capture the password before it's encrypted at the DC (it goes on all DCs) and syncs it to FIM, from where the password may be synced to other associated systems via management agents / connector space.
And I fully agree that FIM is too complex for your current use case.
litogAuthor Commented:

If scripting is the best way to handle that many objects, do you have an example script to use for ADLDS and AD to proxy the passwords back to AD?

litogAuthor Commented:
I am now just trying to use AD LDS only with Proxy Authentication, but it doesn't seem to work. I have tried to use LDP to see if my authentication is proxied but it says "The logon attempt failed". If it is proxied, do I use the source domain name as part of the authentication or do I use the AD LDS domain name as part of the authentication?

AD LDS = ldsdomain\user1

Source AD domain = addomain\user1

litogAuthor Commented:
Never did get an answer that resolved this so am closing this ticket.

litogAuthor Commented:
Never did find a solution.