You're reading from  Microsoft Identity Manager 2016 Handbook

Product type: Book
Published in: Jul 2016
Publisher: Packt
ISBN-13: 9781785283925
Edition: 1st Edition
Authors (2):

David Steadman

David Steadman has been an IT industry influencer and dedicated husband for more than 17 years. He has held prestigious positions at some of the world's most innovative technology companies, including his service as a senior escalation engineer within the identity platform at, possibly, the most famous tech company on the planet, Microsoft. He is an entrepreneur, active learner, and a man constantly looking to develop and expand new skills in order to leverage the technology of the future. When not at his job, David enjoys family time and coaching soccer.

Jeff Ingalls

Jeff Ingalls is a husband, father, and cancer-surviving dyslexic who works out of his Ohio home office in identity and access management. Jeff has been working with Microsoft technologies for over 20 years and with the Microsoft identity software since its conception in 2003. He has provided solutions to various private and public sectors including automotive, DoD, education, health and services, small businesses, and state and local government. He enjoys learning, teaching, and learning some more. Jeff has a graduate degree in information technology and an undergraduate degree in mathematics. In his free time, he enjoys spending time with his family, cooking, and reading non-fiction. You can reach him at jeff@ingallsdesigns.com.

Chapter 9. Password Management

By now, we have a functional MIM system that is able to manage our users and groups, and to do a little self-service. It is now time to look at the MIM feature that many customers consider the biggest cost saver.

The feature is self-service password reset (SSPR). It allows users to reset their own passwords, which cuts the frustration, time, and money spent on calls to the IT help desk. We save ourselves a help desk call and get the user productive again sooner. A big win for everyone!

In this chapter, we will cover the following topics:

  • SSPR background

  • Installing SSPR

  • Enabling password management in AD

  • Allowing MIM Service to set passwords

  • Configuring MIM Service

  • The SSPR user experience

  • SSPR lockout

  • Password synchronization

  • Password Change Notification Service

SSPR background


Let's assume Amber Adams has forgotten her AD password and therefore cannot authenticate to MIM in the normal way. SSPR solves this by giving MIM another way to verify (authenticate) who the requestor is before it acts on her behalf.

Using SSPR, Amber can make an anonymous request for MIM to reset the password of the user account AAdams. In order for that to happen, we tell MIM to try to figure out who the requestor is. We add an authentication (AuthN) workflow, which gives Amber a chance to prove her identity. If the AuthN workflow proves to MIM that the requestor is indeed the user AAdams, it will allow Amber to reset her password.

Two built-in ways to allow people to verify their identity are the Question and Answer (QA) gate and the One-Time Password (OTP) gate. If you have Azure, you can configure multi-factor authentication to use MIM's new Phone gate too.

QA versus OTP

There are two different ways of doing SSPR—Question and Answer and One-Time Password. QA means that a user can reset their password by giving the...

Installing self-service password reset


SSPR has two major components: the password registration portal, where answers to questions are registered by users, and the password reset portal, where those same answers need to be supplied in order for MIM to reset the password. We will install SSPR on a new server like many medium to large organizations do, although you can install the SSPR components on the same MIM portal server that we used in the previous chapters:

  1. Run the MIM Service and portal installation, select the MIM Password Registration and the MIM Password Reset Portal components, and click on Next:

  2. The next dialog box requires an account name, password, hostname, and port for the registration portal. We will use the service account TFC\SVC-MIMSSPR, the registration host name register.thefinancialcompany.net, with the standard port 80. Click on Next:

  3. You will receive a message that the deployment is not secure in its current configuration—essentially, telling us that we should use SSL...

Enabling password management in AD


The goal of SSPR is usually to reset the password of a user's account in Active Directory, but the SSPR feature in MIM is not limited to Active Directory: it can reset passwords in other connected data sources (CDS) as well.

In order for MIM to change the password of a user in AD (or any other CDS), the account used by MIM (svc-adma in our example) needs to have the reset password permission in AD, or a similar permission in another CDS:

  1. In the Management Agent for the target CDS, in this case the AD, we need to check the Enable password management checkbox:

  2. If we then look at the settings, we can make some adjustments, as shown in the following screenshot:

    Note

    The Unlock locked accounts when resetting passwords option is not enabled by default. It is up to your security team to determine whether this setting is right for you; the authors have seen organizations with it enabled and with it disabled. Bear in mind that when it is enabled, an account that was locked out by someone else's guessing attempts is unlocked as soon as the legitimate user completes a reset, and the MA account then also needs write access to the lockoutTime attribute in addition to the Reset Password right.

The Management Agent for AD is now ready...
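As an added example (not from the book), here is a PowerShell script that grants the AD MA account exactly the AD permissions described above, scoped to one OU rather than the whole domain, and then reads the ACL back. The OU name and the presence of the ActiveDirectory module on the host are assumptions; the account name TFC\svc-adma is the chapter's.

```powershell
# Added example, not from the book: delegate to the AD MA account the AD
# permissions an SSPR reset needs, scoped to one OU, then read the ACL back.
# Assumptions: the MA runs as TFC\svc-adma (the chapter's account), the users
# live under OU=Employees,DC=thefinancialcompany,DC=net (assumed), and the
# ActiveDirectory PowerShell module is installed on this host.
Import-Module ActiveDirectory

$ou      = 'OU=Employees,DC=thefinancialcompany,DC=net'   # assumed OU
$account = New-Object System.Security.Principal.NTAccount('TFC', 'svc-adma')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
$rootDse = Get-ADRootDSE

# Resolve the GUIDs from this forest's schema and configuration partitions
# instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                      -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$DisplayName)" `
                      -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'
$lockoutTime = Get-SchemaGuid 'lockoutTime'

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$rules = @(
    # "Reset Password" control access right on every user object below the OU.
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
               -ArgumentList $sid, $ext, $allow, $resetPwd, $inherit, $userClass
    # Write lockoutTime: only required when "Unlock locked accounts when
    # resetting passwords" is ticked on the MA. Drop this rule otherwise.
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
               -ArgumentList $sid, $write, $allow, $lockoutTime, $inherit, $userClass
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Read-back: list only what svc-adma holds on this OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq 'TFC\svc-adma' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it once as an account that may modify the OU's security descriptor. Scoping the grant to the OU, and adding the lockoutTime rule only when the unlock option is on, keeps svc-adma from holding reset rights over privileged accounts that live elsewhere in the directory.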

Allowing MIM Service to set passwords


The MIM Service account will be the account that calls the MIM Synchronization service, and tells it to reset the password in AD. But in order for the MIM Service account to be able to do that, we need to assign it some permissions with the following steps:

  1. We need to add the account to a couple of groups created during installation of the MIM Synchronization service.

  2. Add the MIM Service account to the MIMSyncBrowse group, as shown in the following screenshot:

    Note

    By default, these are local groups on the MIM Synchronization server, but you may have chosen to use groups in Active Directory instead at installation time, which is the recommended choice. Membership of MIMSyncBrowse gives the MIM Service the ability to read information from the MIM Synchronization service.

  3. To be allowed to initiate a password reset, we also need to add the MIM Service account to MIMSyncPasswordSet, as shown in the following screenshot:

    The call from MIM Service to the MIM Synchronization service to do a password reset is made using...
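The following is an added example (not the book's) of the same two group changes done from a PowerShell prompt, for the default case where the groups are local to the Synchronization server. The server names MIMSYNC01 and MIMSVC01 and the MIM Service account name TFC\svc-mimservice are assumptions.

```powershell
# Added example, not from the book. Assumed names: MIMSYNC01 (Sync server),
# MIMSVC01 (MIM Service server) and TFC\svc-mimservice (MIM Service account).
# Get-/Add-LocalGroupMember ship with Windows Server 2016 and later; on 2012 R2
# use "net localgroup <group> <account> /add" in the same places.
$syncServer = 'MIMSYNC01'
$svcServer  = 'MIMSVC01'
$svcAccount = 'TFC\svc-mimservice'
$groups     = 'MIMSyncBrowse', 'MIMSyncPasswordSet'

Invoke-Command -ComputerName $syncServer -ArgumentList $svcAccount, $groups -ScriptBlock {
    param($acct, $groups)
    foreach ($g in $groups) {
        $already = Get-LocalGroupMember -Group $g | Where-Object { $_.Name -eq $acct }
        if (-not $already) { Add-LocalGroupMember -Group $g -Member $acct }
        # Read-back: who is in the group now.
        [pscustomobject]@{ Group = $g; Members = (Get-LocalGroupMember -Group $g).Name -join ', ' }
    }
}

# Group membership goes into a logon token when it is built, so restart the MIM
# Service (service name FIMService) to make it reconnect with a fresh token.
# If you chose AD groups at install time, use Add-ADGroupMember on those groups
# instead of the local-group calls above; the restart is still required.
Invoke-Command -ComputerName $svcServer -ScriptBlock { Restart-Service -Name FIMService }
```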

Configuring MIM Service


SSPR is not enabled by default in MIM Service, so we need to enable some MPRs and configure some sets and workflows. The next section will outline what is needed to get this working.

Password Reset Users Set

The default MPRs around SSPR use a predefined set called Password Reset Users Set. If you look at the criterion for that set, you will find that it applies to all users:

Allowing SSPR for all users is broader than most organizations want. In our situation, we will allow SSPR for all employees:

We have now defined users for whom we would like to use the SSPR feature.

Password Reset AuthN workflow

As we discussed earlier, we need to have at least one authentication workflow in our SSPR implementation. The default one is called Password Reset AuthN Workflow. The default activity used in this workflow to authenticate the users is the QA gate:

There are also some activities to support the SSPR feature; we will look at those now:

  • The Password Authentication Challenge...

The SSPR user experience


The best user experience is installing the MIM client add-ins and extensions. As soon as we enable the MPRs, and a user who is a member of the Password Reset Users set logs onto their computer (which also has the MIM add-ins and extensions installed), a browser window connecting to the Password Registration portal will open.

If you choose not to install the client add-ins, users can access the Password Registration portal manually. The experience is similar, but using the add-ins and extensions will probably increase the number of users actually taking time to register, as they will be automatically prompted to do so.

If we used the FQDN for the Password Registration portal URL, we should make sure that the URL is in the local intranet zone of the client so that IE can use Integrated Authentication. To get a good experience with MIM, I recommend adding *.thefinancialcompany.net to the local intranet zone. Like some of the other windows, the password registration window...
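As an added example (not from the book), this PowerShell snippet writes the per-user registry form of that zone assignment for *.thefinancialcompany.net, putting both http and https in the Local intranet zone, then reads it back. For more than a handful of machines, the Group Policy setting Site to Zone Assignment List is the right tool; this is what that policy sets underneath.

```powershell
# Added example, not from the book: map *.thefinancialcompany.net to the Local
# intranet zone (zone 1) for the current user so IE sends Integrated Windows
# Authentication to the SSPR portals. Assumes the domain name from the chapter.
# The .NET registry API is used on purpose: the wildcard lives in a subkey
# literally named "*", which PowerShell's registry provider would expand.
$domain = 'thefinancialcompany.net'
$zoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$parent  = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey("$zoneMap\$domain")
$wild    = $parent.CreateSubKey('*')          # "*" subkey = every host under the domain
foreach ($scheme in 'http', 'https') {
    # 0 = My Computer, 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
    $wild.SetValue($scheme, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
}

# Read-back.
[pscustomobject]@{
    Domain = "*.$domain"
    http   = $wild.GetValue('http')
    https  = $wild.GetValue('https')
}
$wild.Close(); $parent.Close()
```

Register https as well as http even if the portals start on port 80 (as in the installation steps above): once you move them behind SSL, the zone mapping keeps working without a second visit to every client.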

SSPR lockout


Look back at Password Reset AuthN Workflow in the Lockout Gate settings where the lockout duration, lockout threshold, and number of times until permanent lockout are set:

The settings specify that the workflow can fail three times. Whether the user answers one question or all of them incorrectly, the workflow fails once (one failure count):

In our settings, if the workflow fails three times for the same account, the user is temporarily locked out of SSPR for 15 minutes. This is a service lockout in MIM, not an Active Directory account lockout, so it does not affect the AD account itself:

After 15 minutes, the user can attempt to answer their questions again. Failing the workflow two more times would equate to the permanent lockout threshold setting of three, and the user would receive the following error when attempting again:

At this point, the only way the user would be able to use SSPR again would be to have someone unlock the SSPR account in MIM. To do this, perform the following steps:

  1. Go to the MIM portal, and click on Administration...

Password synchronization


Another optional MIM feature is password synchronization. Password synchronization allows you to synchronize passwords between connected systems that have appropriately configured Management Agents. Password synchronization does not require run profiles, because the password is intercepted at the configured source system and passed to the configured target system. There are some key takeaways you should know about password synchronization.

First, there are three types of Management Agent:

  • Those that support password synchronization by default

  • Those that need a custom DLL for password synchronization

  • Those that do not support password synchronization

Active Directory, Active Directory Lightweight Directory Services, IBM Directory Server, and Lotus Notes are some of the MAs that support password synchronization without the need to write any special code—there are a few configuration items within the MA that are needed, and you are done. The SQL Management Agent is an example...

Password Change Notification Service


If you want to use Active Directory as a password synchronization source, you will need to install the Password Change Notification Service (PCNS). PCNS is a service that you install on every domain controller in the source AD domain. It intercepts the password change as the domain controller receives it and forwards it over a Kerberos-authenticated channel to the MIM Synchronization service (which is why the Sync service account needs the SPN configured in step 3 below), where MIM works out which MAs are configured as targets and pushes the password to them.

Installing PCNS is a six-step process, which is as follows:

  1. Extending the AD schema.

  2. Installing the PCNS service.

  3. Configuring the MIM SPN.

  4. Configuring PCNS.

  5. Configuring the MAs.

  6. Enabling password synchronization.

We have already talked about the last two steps, so we will walk you through extending the AD schema, installing the service on the domain controllers, configuring the MIM SPN, and configuring PCNS. Follow these steps:

  1. To extend the AD schema, log in with an account that is a member of schema admins and...
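Here, as an added example that is not from the book, are the command-line equivalents of steps 1 to 4 from a PowerShell prompt. The MIM Synchronization service account TFC\svc-mimsync, the Sync server name mimsync.thefinancialcompany.net and the location of the PCNS installer are assumptions; the pcnscfg switch values are the ones Microsoft's documented example uses.

```powershell
# Added example, not from the book: PCNS steps 1-4 from the command line.
# Assumptions: the MIM Synchronization service runs as TFC\svc-mimsync on
# mimsync.thefinancialcompany.net (both assumed), and the PCNS MSI from the
# MIM media is in the current directory on each machine.

# Step 1 (once per forest, as a member of Schema Admins): extend the schema only.
msiexec.exe /i "Password Change Notification Service.msi" SCHEMAONLY=TRUE

# Step 2 (on every writable domain controller of the source domain): install the
# service. It registers a password filter DLL, so each DC reboots after install.
msiexec.exe /i "Password Change Notification Service.msi"

# Step 3: register the SPN that PCNS authenticates to. It must sit on the account
# the MIM Synchronization service runs as, and exist exactly once in the forest.
setspn -S PCNSCLNT/mimsync.thefinancialcompany.net TFC\svc-mimsync
setspn -Q PCNSCLNT/mimsync.thefinancialcompany.net    # confirm one, and only one, owner

# Step 4 (on each DC, elevated): point PCNS at the Sync server. /FI limits which
# users' password changes are forwarded; the remaining switch values are those
# from Microsoft's documented example.
pcnscfg.exe ADDTARGET /N:MIMSync /A:mimsync.thefinancialcompany.net `
    /S:PCNSCLNT/mimsync.thefinancialcompany.net /FI:"Domain Users" `
    /F:3 /I:600 /D:FALSE
pcnscfg.exe LIST    # prints the configured targets

# Check: PCNS writes to the Application log under source PCNSSVC. Look here first
# when a password change never reaches MIM; SPN, Kerberos and filter problems
# all surface as errors from this source.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PCNSSVC' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

The inclusion group on /FI is worth thinking about as a control, not just a filter: every account whose password PCNS forwards is an account whose password now transits to, and is handled by, the MIM Synchronization server, so keep privileged accounts out of that group.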

Summary


In this chapter, we covered two optional MIM components, SSPR and password synchronization, and showed how to enable and configure each. Before you set up SSPR, decide whether you want the same solution for both internal and external access to the feature. If you would like to separate internal and external SSPR access, you need to install a separate set of registration and reset portals, and modify the MIM Service MPRs and workflows accordingly.

In the next chapter, we will be looking at certificate management and its installation and configuration.
