The Alternate endpoint allows anonymous (unauthenticated) users to send Put requests to Forefront Identity Manager (FIM) to modify individual objects. It is similar to the Resource endpoint except that it allows access by anonymous users. This functionality allows the Alternate endpoint to be used to reset the password for a user that has forgotten their password.

Password Reset Scenario

In order for client web applications to perform a password reset for unauthenticated users, they need to use the Alternate endpoint. A typical use of the Alternate endpoint to provide password reset functionality is described as follows. The password reset client submits a Put request to change the ResetPassword attribute on a Person resource. A management policy rule (MPR) mapped to the ResetPassword attribute triggers a password reset authentication workflow. The user will eventually be able to reset her password if she can be authenticated based on the criteria set in that workflow (which typically involves answering a series of security questions). The initial Put request must be made anonymously since the user cannot log in without knowing his or her password.

In order to enable the password reset scenario described in this section, FIM would be configured in the following manner.

  • Each Person resource (or each Person that needs to be able to reset their own password) would need to register for password reset by providing answers to a set of security questions. This is typically done by running the Reset Password workflow (in register mode) for each user, which can be accomplished in the FIM Portal.

  • A FIM administrator must enable the MPR so that anonymous users can modify the ResetPassword attribute on Person resources (see Management Policy Example). By default, FIM does not grant rights to anonymous users. That same MPR should run the Reset Password workflow.

Comparison to the Resource endpoint

Both the Alternate endpoint and the Resource endpoint of FIM implement the WS-Transfer Extensions for Identity Management Operations specification (WS-Transfer IMO). The Alternate endpoint accepts Get, Delete, and Put requests just like the FIM Resource endpoint except as described here.

  • A client connecting to the Resource endpoint must be an authenticated Active Directory user on the network with a valid Kerberos token. The Alternate endpoint does not require network authentication; however, it requires that the client be hosted on an authenticated Active Directory computer.

  • Get and Delete requests are rejected with a WS-Addressing EndpointUnavailable fault.

  • Target objects in Put requests must be referenced using NT4 aliases (for example, “domain\user”) instead of ObjectID. Both endpoints store this text in the rm:ResourceReferenceProperty that is passed in as a SOAP header in Put requests.

Aside from these differences, the Alternate endpoint is identical to the Resource endpoint. Requests to the Alternate endpoint are governed by management policy rules (see Request Processing), as are all requests to FIM web service endpoints. The message formats, the extensions supported, and the types of objects that may be modified are identical.
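
The differences listed above can be expressed as a request check, for example in a hypothetical pre-filter or traffic audit placed in front of the Alternate endpoint. This is an added example, not Microsoft's code: the namespace and action URIs, the function names, and the sample targets are assumptions or constructed values, and the "reject" outcomes are the example's own policy rather than documented FIM faults.

```python
import re
import xml.etree.ElementTree as ET

# Assumed namespace URIs (SOAP 1.2, WS-Addressing 1.0, FIM resource management).
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "rm": "http://schemas.microsoft.com/2006/11/ResourceManagement",
}
WXF = "http://schemas.xmlsoap.org/ws/2004/09/transfer/"  # assumed WS-Transfer action prefix
NT4_ALIAS = re.compile(r"^[^\\/\s]+\\[^\\/\s]+$")  # exactly one backslash: domain\user


def check_alternate_request(envelope: str) -> str:
    """Classify a SOAP envelope against the Alternate endpoint rules listed above."""
    # "reject" results are this example's own policy, not documented FIM faults.
    if "<!DOCTYPE" in envelope:  # SOAP carries no DTD; this also blocks entity expansion
        return "reject: DTD not allowed"
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return "reject: malformed XML"
    action = root.findtext("s:Header/wsa:Action", default="", namespaces=NS).strip()
    if action in (WXF + "Get", WXF + "Delete"):
        return "fault: wsa:EndpointUnavailable"  # documented behaviour for Get and Delete
    if action != WXF + "Put":
        return "reject: unexpected action"
    target = root.findtext("s:Header/rm:ResourceReferenceProperty", default="", namespaces=NS).strip()
    if not NT4_ALIAS.match(target):
        return "reject: target is not an NT4 alias"  # e.g. an ObjectID was supplied
    return "accept"


def sample_envelope(action: str, target: str) -> str:
    """Build a constructed, header-only envelope for exercising the check."""
    return (
        f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsa="{NS["wsa"]}" xmlns:rm="{NS["rm"]}">'
        f"<s:Header><wsa:Action>{action}</wsa:Action>"
        f"<rm:ResourceReferenceProperty>{target}</rm:ResourceReferenceProperty>"
        "</s:Header><s:Body/></s:Envelope>"
    )


if __name__ == "__main__":
    # Constructed sample targets: an NT4 alias and an ObjectID-style reference.
    for act, tgt in [("Put", r"CONTOSO\jsmith"), ("Get", r"CONTOSO\jsmith"),
                     ("Put", "urn:uuid:00000000-0000-0000-0000-000000000000")]:
        print(act, tgt, "->", check_alternate_request(sample_envelope(WXF + act, tgt)))
```

A check like this only covers the transport-level differences; which attributes an anonymous Put may change is still decided by the management policy rules.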

Default Endpoint Address

The default endpoint address is http://localhost:5725/ResourceManagementService/Alternate.

Remarks

The FIM web service only accepts UTF-8 encoding of strings and SOAP messages. Other encodings will be converted to UTF-8 if possible. If an encoding cannot be converted to UTF-8 then the web service will return wxf:InvalidRepresentationFault (see WS-Transfer Extensions for Identity Management Operations specification).
