SIA 313 SelfService Password Reset for Active Directory
- Slides: 42
SIA 313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2
Mark Wahl, CISA, Principal Program Manager, Microsoft Corporation
Scenario: FIM self-service password reset
- Users can reset their own passwords
- Starts from a domain-joined PC or any browser
- Challenges the user (questions, SMS, email)
- User chooses a new password
- Reduces helpdesk costs
- Improves compliance outcomes
- Increases user productivity and satisfaction
Key Asks from TechEd 2011 for FIM SSPR
- Allow reset in more scenarios: broader browser support, mobile device support
- Meet stricter security requirements: enhanced Q&A authentication gate, SMS authentication gate, email authentication gate
- Improved end user and administrator experiences: Portal customization, programmatic registration, streamlined deployment
FIM 2010 R2 Password Reset Components, example topology (diagram)
- Internet: end user browser, mobile phone
- Intranet: IIS reverse proxy, FIM Password Reset Portal, FIM Password Registration Portal, FIM Service, FIM Sync Service, SharePoint / FIM Portal (Internet Explorer for the FIM admin), AD, other directories (optional)
- End user workstation: Windows FIM Password Reset Extensions (optional)
- External services: email provider (optional), SMS provider (optional)
Installation of FIM Password Portals (setup screens)
- Choose to install the Password Portals
- Specify whether the host is extranet accessible
- Specify the AD user account for the Portal
- After installation the Portals are visible in IIS Manager
Post installation configuration
- Configure SSL
- Ensure appropriate Kerberos configuration:
  http://setspn.blogspot.com/search/label/Kerberos
  http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx
  http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
  http://support.microsoft.com/kb/929650
- Proxy configuration (if Internet-facing)
Localization
- Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages: Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
- FIM Portal and Service: 19 languages: Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish
Parameter / Description
- -Container: the organizational unit from which users will be synchronized from Active Directory to Forefront Identity Manager 2010 R2
- -DatabaseName: the Forefront Identity Manager 2010 R2 Service database name
- -DatabaseServer: the Forefront Identity Manager 2010 R2 Service database server
- -ForefrontIdentityManagerServiceBaseAddress: the Forefront Identity Manager 2010 R2 Service base URI
- -RunInitialLoad: indicates whether the initial synchronization from Active Directory to Forefront Identity Manager 2010 R2 is run automatically
Optionally configure a workflow so that one or more gates apply only to requests from the extranet.
Gate comparison
- QA Gate: Reach: all users. Secured by: user knowledge. Considerations: usability of questions with sufficient security.
- OTP SMS Gate: Reach: users with SMS-capable mobile phones. Secured by: access to mobile phone. Considerations: requires contract & integration with an SMS service provider.
- OTP Email Gate: Reach: users with email accounts (not the same Exchange server). Secured by: access to email account. Considerations: compliance with organizational security policies.
QA Gate settings
- Number of questions: in the gate; shown to the user; required for registration; required for reset
- Allowed answers
- Text describing the allowed answers to users
User Experience / How to Achieve this Experience
- User enters mobile phone number and/or email address: configure the gate as "Read-Write" (default).
- User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience: configure the gate as "Read-Write"; set the value of users' OTPMobilePhone and/or OTPEmailAddress (e.g., via workflow, custom client).
- User sees mobile phone number and/or email address, but cannot edit it inline: configure the gate as "Read Only"; set the value of users' OTPMobilePhone and/or OTPEmailAddress (e.g., via sync).
One-Time Password Email Gate
- Whether the email address is editable by the user during registration
- Length of the one-time password
- Email template for sending the one-time password
One-Time Password SMS Gate
- Whether the mobile phone is editable by the user
- Length of the one-time password
- SMS text message that contains the security code
One-Time Password SMS Gate (diagram): Windows Server hosting the FIM Service -> FIM OTP SMS Gate -> SMS Provider DLL -> SMS Provider -> user's cellular service provider -> user's cellphone
- Choose an SMS provider and establish a service relationship
- Get documentation for the protocol/API implemented by the SMS service provider
- Write an SMS Provider that targets this protocol/API
- Compile this code into a DLL with a specific filename
- Deploy this DLL to the FIM Service host machine into a specific location
One-Time Password SMS Gate: API
  public void SendSms(string mobileNumber, string message, Guid requestId, Dictionary<string, object> deliveryAttributes)
http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx
Registration cmdlets
- Purpose: gets the template for an authentication workflow. Required parameters: AuthenticationWorkflowName
- Purpose: registers one user for one authentication workflow. Required parameters: UserName, AuthenticationWorkflowName
- Purpose: unregisters one user from one authentication workflow. Required parameters: UserName, AuthenticationWorkflowName
- Purpose: returns true if the specified user is registered for the specified workflow, otherwise returns false. Required parameters: UserName, AuthenticationWorkflowName
Scenario: migrate to FIM Password Reset without requiring registered users to re-register
- Goal: register existing users for FIM Password Reset without user interaction
- Approach: read users' password registration data from the existing solution; use this data to register users for FIM Password Reset with the Register-AuthenticationWorkflow cmdlet
Scenario: organization has an existing business process that collects all data needed for password reset
- Goal: register existing and new users for FIM Password Reset without user interaction
- Approach: new users: script to get new/updated data & invoke the Register-AuthenticationWorkflow cmdlet
Scenario: organization wants users to periodically re-register for FIM Password Reset
- Goal: cause users to be prompted for re-registration on a defined schedule
- Approach: implement a process to identify users who are targeted for re-registration; schedule a periodic run of a script to deregister the targeted users
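An added example (not from the deck or the FIM product) of the scheduled de-registration script the last scenario describes, driven by the registration cmdlets the deck lists by purpose. The cmdlet names Test-AuthenticationWorkflowRegistration and Unregister-AuthenticationWorkflow, the workflow name, and the CSV and log paths are assumptions; the parameters are the ones the deck gives.

```powershell
# Added example, not from the deck: scheduled de-registration of users targeted for
# re-registration, so they are prompted to register again the next time they use SSPR.
# Assumed cmdlet names (the deck lists only purpose and parameters), assumed to be loaded:
#   Test-AuthenticationWorkflowRegistration / Unregister-AuthenticationWorkflow
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # CSV with a UserName column (domain\user); constructed path for this example.
    [string]$TargetListPath = 'C:\FIMScripts\reregistration-targets.csv',
    # Assumed workflow name; use the one configured in your FIM Portal.
    [string]$WorkflowName = 'Password Reset AuthN Workflow',
    [string]$LogPath = 'C:\FIMScripts\reregistration.log'
)

$ErrorActionPreference = 'Stop'
$targets = Import-Csv -Path $TargetListPath
$stats = @{ Deregistered = 0; NotRegistered = 0; Failed = 0 }

foreach ($row in $targets) {
    $user = "$($row.UserName)".Trim()
    if (-not $user) { continue }
    try {
        # Nothing to remove for an unregistered user; record it so the log is complete.
        $registered = Test-AuthenticationWorkflowRegistration `
            -UserName $user -AuthenticationWorkflowName $WorkflowName
        if (-not $registered) {
            $stats.NotRegistered++
            Add-Content $LogPath "$(Get-Date -Format s) SKIP $user (not registered)"
            continue
        }
        # ShouldProcess gives the scheduled job a -WhatIf rehearsal mode.
        if ($PSCmdlet.ShouldProcess($user, "Unregister from '$WorkflowName'")) {
            Unregister-AuthenticationWorkflow `
                -UserName $user -AuthenticationWorkflowName $WorkflowName
            $stats.Deregistered++
            Add-Content $LogPath "$(Get-Date -Format s) DEREGISTERED $user"
        }
    }
    catch {
        # One failing user must not abort the whole run; count it and carry on.
        $stats.Failed++
        Add-Content $LogPath "$(Get-Date -Format s) FAILED $user $($_.Exception.Message)"
    }
}

# Summary for the job history; a nonzero exit code surfaces failures to the scheduler.
"Deregistered={0} NotRegistered={1} Failed={2}" -f $stats.Deregistered, $stats.NotRegistered, $stats.Failed
if ($stats.Failed -gt 0) { exit 1 }
```

Run it once with -WhatIf against the target list before registering it as a scheduled task, and keep the log: it is the record of who was forced to re-register and when.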
SSPR Portal Customization
The admin can define overrides to the password reset portal UI:
- Theme: font, color, layout
- Banner graphics
- User interface text
http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)
  <?xml version="1.0" encoding="utf-8"?>
  <root>
    <resheader name="resmimetype">
      <value>text/microsoft-resx</value>
    </resheader>
    <resheader name="version">
      <value>2.0</value>
    </resheader>
    <resheader name="reader">
      <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
    </resheader>
    <resheader name="writer">
      <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
    </resheader>
    <!-- Customizations begin here -->
    <data name="StringName" xml:space="preserve">
      <value>Customized String Value</value>
    </data>
  </root>
http://technet.microsoft.com/en-us/library/jj134312(v=ws.10)
Summary of Options in FIM 2010 R2
- User interface: Windows client logon; web portals (cross browser, mobile devices)
- Authentication: QA gate with a configurable number of answers allowed; challenge sent via SMS or email
- Configuration: create MPRs, Sets and workflows in the FIM Portal; configuration migration; Quickstart
- Registration: user self-registration at the Portal; programmatic registration cmdlets
- Reporting: FIM Portal for recent requests; FIM Reporting (DW) for historical changes
Takeaways: FIM self-service password reset
- Reduces helpdesk costs
- Improves compliance outcomes
- Increases user productivity and satisfaction
Learning: Connect. Share. Discuss.
- http://europe.msteched.com
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- TechNet, resources for IT professionals: http://microsoft.com/technet
- Resources for developers: http://microsoft.com/msdn
Evaluations: submit your evals online at http://europe.msteched.com/sessions