Hiding the Display of Domain Information in the FIM 2010 Password Reset Portal
One of the features of FIM 2010 R2 is that the password reset portal is now anonymously accessible; therefore, extranet – including even internet – users can register and reset their passwords from a non-domain-joined machine. If I am not mistaken, this was one of the most requested enhancements to the product and its inclusion in R2 is huge.
On one of my current projects, we are establishing a gateway environment which will host UAG-published applications with which the general public and government employees can collaborate and exchange information. To facilitate the IdM components of this (e.g. the request for new accounts, etc.), we are leveraging FIM 2010 R2 and are publishing the Password Reset portal to the internet.
Anyway, in using the SSPR portals in this manner, there is one security-related issue to which the government understandably objects: the portal displays the domain name of the authenticated user account. For non-public-sector folks, exposing the name of the domain is a security no-no.
See below (the actual domain name has been redacted):
At first, we tried to strip the exposed domain name out of the page using the UAG AppWrapper functionality; however, for some reason that only the product team can explain, if you tamper with the displayed domain name value on that form, it breaks the ability for users to register.
Luckily, we found an acceptable workaround. You can suppress the (logged in as: DOMAIN\USER) line entirely in its CSS. Here is how you do it:
1. Open up the Registration.css style sheet located in Program Files\Microsoft Forefront Identity Manager\2010\Password Registration Portal\css
2. Scroll down to the rule: .registrationGatewayContainerDiv span div span i
3. Change its display declaration value from block to none (i.e. display:block -> display:none)
4. Save the file.
5. Open the portal and you ought to see:
That is all that is necessary. Unfortunately, this only hides the element from being rendered in the browser; the HTTP response still returns the (logged in as: DOMAIN\USER) line in its HTML, so anyone who views the page source or captures the response still sees the domain name.
At this point, though, that is all that can be done.
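To make the five steps above repeatable (and reversible) across a farm, and to document the residual exposure just described, here is an added PowerShell example. It is not part of the original post and not Microsoft's code; it assumes the default install path named in step 1, that the rule's declaration block contains "display: block" (whitespace may vary), and a placeholder portal URL for the response check.

```powershell
# Added example (not from the original post). Edits Registration.css to hide the
# "(logged in as: DOMAIN\USER)" line and checks whether the raw HTML still carries it.

# Assumption: default FIM 2010 R2 install path from step 1 of the post.
$cssPath  = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration Portal\css\Registration.css'
$selector = '.registrationGatewayContainerDiv span div span i'   # rule from step 2

function Set-RegistrationDomainLineHidden {
    param([string]$Path = $cssPath, [string]$Selector = $selector)

    # Keep a backup so the change can be reverted if registration misbehaves.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force

    $css = Get-Content -Path $Path -Raw

    # Match only this selector and its { ... } block, so no other rule is touched.
    $pattern = [regex]::Escape($Selector) + '\s*\{[^}]*\}'
    $match   = [regex]::Match($css, $pattern)
    if (-not $match.Success) { throw "Rule '$Selector' not found in $Path" }

    # Step 3: display:block -> display:none inside that block only.
    $newBlock = $match.Value -replace 'display\s*:\s*block', 'display:none'
    if ($newBlock -eq $match.Value) {
        Write-Warning "Rule already set to display:none (or no display:block to change)"
        return $false
    }

    $updated = $css.Substring(0, $match.Index) + $newBlock +
               $css.Substring($match.Index + $match.Length)
    Set-Content -Path $Path -Value $updated -Encoding UTF8    # step 4
    return $true
}

function Test-DomainLineInHtml {
    # Returns $true when the server response still contains the line; the CSS
    # change only suppresses rendering, so this is expected to stay $true.
    param([Parameter(Mandatory)][string]$Html)
    return [bool]($Html -match 'logged in as:')
}

# Usage: apply the change, then inspect the response of an authenticated page view.
# Assumption: placeholder URL and default Windows credentials for the test account.
Set-RegistrationDomainLineHidden
$resp = Invoke-WebRequest -Uri 'https://passwordregistration.example.invalid/' `
                          -UseBasicParsing -UseDefaultCredentials
if (Test-DomainLineInHtml -Html $resp.Content) {
    Write-Host 'Domain line is hidden in the browser but still present in the HTTP response.'
}
```

The edit is scoped to the one selector's declaration block rather than a file-wide search and replace, because other rules in Registration.css may legitimately use display:block. Run it once per server hosting the registration portal, and keep the .bak file until registration has been re-tested, since the post notes that tampering with this line in other ways breaks registration.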
Good luck…