You're reading from  Microsoft Forefront Identity Manager 2010 R2 Handbook

Product type: Book
Published in: Aug 2012
Publisher: Packt
ISBN-13: 9781849685368
Edition: 1st Edition
Author: Kent Nordstrom

Kent Nordström wrote his first lines of code in the late 70s so he's been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system he started a close relationship with them that has continued since. For many years Kent has been working part time as a sub-contractor to Microsoft Consulting Services and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge around Forefront TMG, Forefront UAG and PKI. Find out more by visiting his blog on http://konab.com.

Chapter 7. Self-service Password Reset

By now, we have a functional FIM 2010 R2 able to manage our users and groups, and maybe also some self-service. It is now time to look at one of the features of FIM that many customers believe is the most cost-saving one.

The feature is Self-service Password Reset (SSPR), which allows users to reset their own passwords if they have forgotten them, so they will not have to contact a help desk. That way, we not only save ourselves a help desk call, but also get the user productive again more quickly. This saves money!

In this chapter we will cover:

  • Enabling password management in AD

  • Allowing FIM Service to set passwords

  • Configuring FIM Service

  • The user experience

Anonymous request


What we need to keep in mind when looking at this feature is that the user, having forgotten his password, is unable to authenticate to FIM in the normal way. So, the key problem with SSPR is how to authenticate the user.

Let's take an example.

Kent, our contractor, has forgotten his password. He then makes a request anonymously to FIM to reset the password of the user account Kent. Well, FIM won't just do that! So, we tell FIM to try to figure out who the requestor is. We add an Authentication (AuthN) workflow, which gives Kent a chance to prove his identity. If the AuthN workflow proves to FIM that the requestor is indeed the user Kent, it will allow Kent to reset his password.

In FIM 2010 R2, there are two built-in ways for FIM to find out who the user is—we can use either a Question and Answer (QA) gate or a One Time Password (OTP) gate.

QA versus OTP

There are two different ways of doing SSPR in the R2 release—QA (Question and Answer) and OTP (One Time Password).

QA basically...

Enabling password management in AD


The goal of SSPR is usually to reset the password of users' accounts in Active Directory, but the SSPR feature in FIM is not limited to that. It can be used to reset passwords in other CDSs as well.

In order for FIM to change the password of a user in AD (or any other CDS), the account used by FIM needs to have the Reset password permission in AD, or a similar permission in another CDS:

In Management Agents for the target CDS, in this case the AD, we need to check the Enable password management checkbox:

If we then look at the settings, we can make some adjustments, as shown in the following screenshot:

Note

The Unlock locked accounts when resetting passwords option is not enabled by default, but I would think that most implementations of SSPR will use that setting. It might be that the user actually locked his own account before realizing he forgot his password.

The Management Agent for AD is now ready for SSPR.
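The Reset password permission mentioned above has to be delegated to the account the AD Management Agent runs as. The following PowerShell is an added example and not from the book; the account name, the OU and the use of dsacls are assumptions, and the write permission on lockoutTime is what the Unlock locked accounts option needs (also an assumption, not stated in the book).

```powershell
# Added example (not from the book): delegate the AD rights the FIM AD MA
# account needs for SSPR. Account and OU names are assumptions for "The Company".
$maAccount = 'THECOMPANY\svcFIMADMA'              # account configured on the AD MA
$targetOu  = 'OU=Employees,DC=thecompany,DC=com'  # scope of the managed users

# dsacls ACE strings: CA = control access right, WP = write property.
# /I:S applies the ACE to child objects of class "user" only, not to the OU itself.
$aces = @(
    "${maAccount}:CA;Reset Password;user",  # required for any password reset
    "${maAccount}:WP;lockoutTime;user"      # needed for "Unlock locked accounts" (assumption)
)

foreach ($ace in $aces) {
    & dsacls.exe $targetOu /I:S /G $ace | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed to grant '$ace' on $targetOu"
    }
}

# Verify: dsacls with no switches prints the DACL; show the entries for our account.
(& dsacls.exe $targetOu) | Select-String -SimpleMatch $maAccount
```

Run it as a user with permission to modify the DACL of the OU; the final line should list one Allow entry per ACE granted.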

Allowing FIM Service to set passwords


The FIM Service account will be the account that calls FIM Synchronization Service, and tells it to reset the password in AD. But in order for the FIM Service account to be able to do that, we need to assign it some permissions with the following steps:

  1. We need to add the account to a couple of groups created during installation (see Chapter 3, Installation) of FIM Synchronization Service.

  2. Add the FIM Service account to the FIMSyncBrowse group:

    By default, this is a local group on the FIM Synchronization server, but you might have chosen to use groups in Active Directory instead. This will give FIM Service the ability to read information in FIM Synchronization Service.

  3. To actually be allowed to initiate a password reset, we also need to add the FIM Service account to FIMSyncPasswordSet:

The call from FIM Service to FIM Synchronization Service to do a password reset is made using Windows Management Instrumentation (WMI). This in turn means we need to give...
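The two group memberships from steps 2 and 3 can be granted and verified from the FIM Synchronization server with PowerShell. This is an added example, not from the book; it assumes the local-group installation choice, a FIM Service account named svcFIMService and the Windows service name FIMService.

```powershell
# Added example (not from the book): give the FIM Service account the
# FIM Synchronization Service group memberships SSPR needs, then verify them.
# Account name and the use of local groups (not AD groups) are assumptions.
$fimServiceAccount = 'THECOMPANY\svcFIMService'
$requiredGroups = @(
    'FIMSyncBrowse',      # lets FIM Service read from FIM Synchronization Service
    'FIMSyncPasswordSet'  # lets FIM Service initiate a password reset
)

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # "net localgroup <group>" prints the members one per line below a dashed line
    $lines = & net.exe localgroup $Group 2>$null
    if ($LASTEXITCODE -ne 0) { throw "Local group '$Group' not found on this server" }
    return [bool]($lines | Where-Object { $_.Trim() -ieq $Member })
}

foreach ($group in $requiredGroups) {
    if (Test-LocalGroupMember -Group $group -Member $fimServiceAccount) {
        Write-Host "$fimServiceAccount is already a member of $group"
        continue
    }
    & net.exe localgroup $group $fimServiceAccount /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to add $fimServiceAccount to $group" }
    Write-Host "Added $fimServiceAccount to $group"
}

# Group SIDs are only put into the token at logon, so restart FIM Service
# for the new memberships to take effect (service name is an assumption).
Restart-Service -Name FIMService
```

If you chose Active Directory groups during installation, replace the net.exe calls with Add-ADGroupMember against those groups instead.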

Configuring FIM Service


SSPR is not enabled by default in FIM Service, so we need to enable some MPRs and configure some sets and workflows.

Security context

I am not sure if you remember the steps when we installed the FIM password registration and reset portals back in Chapter 3. But let me remind you of one critical part in that setup:

During the setup, we decided that the portal should be used for Intranet users. While configuring SSPR, we can configure some settings to only apply to Extranet users. At The Company, we only have one set of password registration and reset portals. But the idea is that you might also want to have a special set for Extranet users. Later, we will refer to this as security context. Security context can either be All or Extranet, where All means it applies to both Intranet and Extranet users.

Password Reset Users Set

The default MPRs around SSPR use a predefined set called Password Reset Users Set. If you look at the criterion for that set, you will find it...

The user experience


So what does this look like for the user? In my little example, the employees are the ones that will be using the SSPR to begin with.

In order to get the best user experience, requirement number one is that the client computer has the FIM client add-ins and extensions installed, as we talked about in Chapter 6, Group Management.

As soon as we enable the MPRs and John (a member of the Password Reset Users Set) logs on to his computer, which has the FIM add-ins and extensions installed, a browser window will open connecting to the Password Registration portal, which we defined during the installation of the add-ins in Chapter 6.

He could also access the Password Registration portal manually; the experience is similar, but using the add-ins and extensions will likely increase the number of users actually taking time to register, as they will be automatically prompted to do so.

If we used FQDN for the Password Registration portal URL, we should make sure that the URL...

Summary


The SSPR feature is a very nice one, which can save companies that are using passwords a lot of money. In this chapter, we have seen how easy it is to enable and configure the Self-Service Password Reset feature. If you look at http://aka.ms/FIMR2QuickStart, you will see that there is a QuickStart tool to get started with SSPR even quicker.

We need to decide early on whether we want the same solution for both internal and external access to the SSPR feature. If we would like to separate them, we need to install a separate set of SSPR registration and reset portals and modify the FIM Service MPRs and workflows, accordingly.

Talking about external, what if the identities we manage are in the cloud? The next chapter will discuss how FIM can be used when managing cloud identities.
