User-Based, Self-Service Password Change Solution Guide for MIIS 2003

Applies To: Forefront Identity Manager

The User-Based, Self-Service Password Change Solution Guide for MIIS 2003 provides instructions for planning and implementing a user-based, self-service password change solution in an enterprise environment using Microsoft® Identity Integration Server 2003 (MIIS 2003).

The user-based, self-service password change solution for MIIS 2003 uses a Web-based application and a Windows Management Instrumentation (WMI) interface for changing passwords. It allows users to change their passwords from a list of configured, connected data stores, and have those password changes pushed to those connected data sources in near real time.

Note

For specific instructions for implementing the user-based, self-service password change solution presented in this Guide, see Implementing the User-Based, Self-Service Password Change Solution – Step-by-Step (https://go.microsoft.com/fwlink/?LinkID=82657).

What This Guide Covers

This Guide gives users in an enterprise environment a Web-based application to manage their passwords. Using this application, they can synchronize their passwords across multiple connected data stores. This Guide describes how to design, implement, and configure a user-based, self-service password change solution. After you have read this Guide and implemented its solution, you will be able to deploy a user-based, self-service password change solution in your enterprise environment.

This Guide does not cover installing or configuring MIIS 2003 or using it at an operational level. It also does not cover password management in environments other than Active Directory. For general information about installation, configuration, and operation of MIIS 2003, see Microsoft Identity Integration Server 2003 Scenarios at (https://go.microsoft.com/fwlink/?LinkId=34336).

This Guide has a companion document, Implementing the User-Based, Self-Service Password Change Solution – Step-by-Step (https://go.microsoft.com/fwlink/?LinkID=82657), which provides detailed instructions for implementing this user-based, self-service password change solution.

Reader Prerequisites

This Guide assumes that you are familiar with configuring and administering an Active Directory domain controller and configuring management agents in MIIS 2003. It is intended for users with some experience configuring MIIS 2003 and assumes that you are familiar with the MIIS 2003 Technical Reference (https://go.microsoft.com/fwlink/?LinkId=38680).

The Guide is intended for IT planners, system architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan and deploy user-based, self-service password change solutions.

Business Challenges of Password Management

Businesses face many password management challenges. Implementing a password management solution is necessary in many corporate environments because users have to authenticate to the network in a secure manner.

Passwords are the most common authentication technique. From a deployment perspective, passwords are also the simplest and cheapest authentication technique.

With this in mind, a poor password management policy in an enterprise environment can compromise enterprise security and leave the enterprise vulnerable to outside attack. In organizations with poor password management practices, one or more of the following issues is typically present:

  • Weak and easily breakable passwords.

  • Passwords that users are not required to change frequently enough, which means that attackers can compromise the passwords through brute-force and cryptographic attacks.

  • Passwords recorded on paper, which can be easily compromised.

  • Repeated passwords that are not synchronized, which can result in confusion and lost productivity.

  • Numerous calls to the Help desk for password reset, which can result in increased operational costs.

  • Too many passwords, which can result in password overload. With so many passwords to remember, users have difficulty managing passwords securely.

To meet these challenges, businesses must find an appropriate solution to address password management requirements.

Business Solutions for Password Management

Businesses can adopt various solutions to solve password management challenges. For example, businesses can require users to change their passwords by logging on to each connected data source and changing passwords individually. Although this is a typical solution, users can easily become confused and frustrated if they cannot remember which password they used for any of the connected data sources.

Alternatively, businesses can ask users to call the Help desk when they need to reset a password on a connected data source. This solution is costly, however, because users must call each time they change a password. Also, this solution puts a heavy burden on the Help desk personnel who must answer each call.

Finally, businesses can provide users with a Web-based application, such as the one in MIIS 2003, which allows users to log on to a Web-based application and then change their passwords themselves. The application pushes the new passwords to all the connected data sources in real time. This solution is an event-driven process that makes it possible for the user to remember a single password for use on multiple connected data sources.

The User-Based, Self-Service Password Change Solution for MIIS 2003

The user-based, self-service password change solution for MIIS 2003 uses a Web-based application and a WMI interface for changing passwords.

Note

MIIS 2003 provides another Web-based application, Help Desk Password Reset, which is not discussed in this Solution Guide.

The Web-based application allows users to change their passwords from their desks or from a centralized location established for password management operations.

The following illustration shows the process for implementing user-based, self-service password change. A description of the process follows the illustration.

User-Based, Self-Service Password Management

  1. The user logs on to a computer running a Microsoft Windows® operating system.

  2. The user navigates to the intranet Web site that is used for user-based, self-service password change.

  3. The Web site sends the user's logon credentials to MIIS 2003. MIIS 2003 validates the user’s credentials against the user's credentials in Active Directory.

  4. MIIS 2003 locates the connector space object for the user's Active Directory account and the linked metaverse object representing that user.

  5. The WMI interface in MIIS 2003 returns a list of accounts to the password change Web site. The list of accounts contains the names of connectors in connector spaces that you have configured for password management.

    You can use the configuration file, PasswordWebAppOptions.xml, to customize the list of connected data sources and accounts that MIIS 2003 returns to the Web-based application. PasswordWebAppOptions.xml, which is installed with the Web-based application, is located in C:\Windows\system32\inetserv\Microsoft Identity Integration Server. Configuring this file is optional and is not required to implement this user-based, self-service password change solution.

  6. From the intranet Web site, the user selects the accounts on which to change passwords. The Active Directory account is unavailable because it is the special connector account. The special connector account defines the password policy for all password change requests. For further validation, the intranet Web site prompts the user for the old Active Directory password, and then prompts the user for a new password for each of the selected accounts. The Web-based application makes a WMI call to MIIS 2003 requesting that passwords be changed for each account the user selected from the returned list of accounts.

  7. MIIS 2003 validates the new password against the password policy requirements for the Active Directory domain.

  8. If the password meets the password policy requirements, MIIS 2003 processes the password change request for Active Directory and all the selected connected data stores.

Before You Implement the Solution

To successfully implement a user-based, self-service password change solution in your enterprise environment, follow these guidelines:

  • Identify the user account that represents the authoritative data source, referred to as the special connector account.

  • Control user access to password information by using the two security groups MIIS 2003 creates for password management.

  • Follow security best practices, which can enhance the security of your enterprise environment. For more information, see Security Considerations for Automated Password Synchronization later in this document.

Special Connector Account

A special connector account is the account that corresponds to the supplied Active Directory credentials. MIIS 2003 always attempts a password change operation on the special connector first. Because the Active Directory account is the special connector account, the user-based, self-service password change solution requires you to have Active Directory in your environment. Active Directory is the authoritative source for all password change operation in this solution.

You must configure Active Directory or the Windows NT directory to have the strictest password policy of all the systems included in the password management operations. By default, if the password change operation fails for the special connector, the Web-based application does not attempt to change the passwords for the accounts in the other connected data sources.

Security Groups for User-Based, Self-Service Password Change

During installation, MIIS 2003 creates two security groups that support user-based, self-service password change operations:

  • MIISBrowse – Members of this group have permission to gather information about user accounts when doing search operations with WMI queries. You can include others who are not administrators in this group if they do search operations with WMI queries.

  • MIISPasswordSet – Members of this group have permission to perform account search and password change operations using the password management interfaces with WMI.

Implementing the User-Based, Self-Service Password Change Solution

The user-based, self-service password change solution allows users to select the connected data sources on which they want their passwords changed from a Web-based page on an intranet.

Important

This Guide presents a password change solution, not a password set or reset solution. To change passwords, users have to know their previous passwords, but they do not have to know their previous passwords to set or reset passwords. A set or reset password operation requires a higher level of permission than a password change operation does. This is typically why users must call the Help desk to set or reset their passwords.

The process for implementing this user-based, self-service password change solution is as follows:

  1. Install Internet Information Services (IIS) and ASP.NET.

  2. Allow ASP.NET in the IIS environment.

  3. Install the MIIS 2003 password management file, MIIS2003PasswordManagement.msi.

  4. Configure the management agents.

The following topics provide an overview of the user-based, self-service password change process. For step-by-step instructions for implementing this solution, see Implementing the User-Based, Self-Service Password Change Solution – Step-by-Step (https://go.microsoft.com/fwlink/?LinkID=82657).

Installing IIS and ASP.NET

On the server running MIIS 2003, install IIS and ASP.NET. You install IIS on the server running MIIS 2003 because the WMI call is made to the local computer.

When you install IIS, you must select the Internet Service Manager, Active Server Pages, and World Wide Web Service options on the Details page of the IIS installation wizard.

Allowing ASP.NET in the IIS Environment

Because the user-based, self-service password change solution is built on ASP.NET, you must allow ASP.NET in the IIS environment for the intranet Web site to operate correctly. To allow ASP.NET in the IIS environment, you configure it in IIS Manager.

Installing the MIIS 2003 Password Management File

To use the Web-based application, you must install the MIIS 2003 password management file, MIIS2003PasswordManagement.msi, on the server running MIIS 2003. MIIS2003PasswordManagement.msi is located on the MIIS 2003 installation CD.

When installed, MIIS2003PasswordManagement.msi copies all the necessary files, including the source for the self-service password change project, to the IIS configuration folder. Copying these files creates the user-based, self-service password change intranet Web site. Because MIIS2003PasswordManagement.msi copies the source for the self-service password change project to the configuration folder, you can use Visual Studio 2003 to customize the intranet Web application. Doing so is optional.

In addition, MIIS2003PasswordManagement.msi installs the binary files into a virtual directory in the default Web site configuration in IIS Manager for the server running MIIS 2003. It then configures the Application Pool with a security account context, which must be in the MIISBrowse and MIISPasswordSet groups, and secures the intranet Web site.

The default URL for the intranet Web site is https://localhost/miis/pc/default.aspx. Users in your environment can manage their password change requests from this Web site.

Configuring the Management Agents

To configure the Management Agent for Active Directory and the target management agents, you must know which management agents support user-based, self-service password change by default and which ones require a password extension to support user-based, self-service password change. A password extension is a custom DLL or class library that you create using the Microsoft .NET Framework.

This user-based, self-service password change solution does not require that you use password extensions. If you would like to customize your password management environment or use a management agent that does not support password change operations by default, see Microsoft Identity Integration Server 2003 Developer Reference (https://go.microsoft.com/fwlink/?LinkId=77629).

Default Support for User-Based, Self-Service Password Management

Management agents in MIIS 2003 provide a range of password management functionality. Management agents for call-based directory services, for example, support password change and set operations by default.

The following management agents for directory services support both password set and password change operations:

  • Management Agent for Active Directory

  • Management Agent for Active Directory Application Mode (ADAM)

  • Management Agent for Windows NT 4.0

The following management agents for directory services support only password set operations:

  • Management Agent for Lotus Notes

  • Management Agent for Sun and Netscape Directory Servers

Password Extension Support for User-Based, Self-Service Password Management

You can create password extensions for file-based, database, and extensible connectivity management agents, which do not support password change and set operations by default. You implement password extensions as a Microsoft .NET Framework class library or as a dynamic-link library (DLL). The DLL or class library is called whenever MIIS 2003 invokes a password change or set call for any of these management agents. You configure password extensions for these management agents in Identity Manager, which is an administrative interface for MIIS 2003.

Note

This user-based, self-service password change solution does not require you to use password extensions. The following information is provided for those who implement a user-based, self-service password change solution for management agents that do not support password change operations by default.

The following management agents use a password extension to support password management:

  • Management Agent for Attribute-Value Pair Text file

  • Management Agent for Delimited Text File

  • Management Agent for Directory Service Markup Language (DSML)

  • Management Agent for Extensible Connectivity

  • Management Agent for Fixed-Width Text file

  • Management Agent for IBM DB2

  • Management Agent for LDAP Data Interchange Format (LDIF)

  • Management Agent for SQL Server

  • Management Agent for Oracle Database

Configuring the Management Agent for Active Directory

You configure the Management Agent for Active Directory in Identity Manager. You enable password management in the Management Agent for Active Directory.

You must enable password management on the Management Agent for Active Directory because MIIS 2003 always attempts the password change operation on the Active Directory account first. By attempting to make the password change there first, MIIS 2003 verifies that the password meets the minimum requirements of your domain's password policy and that the user supplied the correct old password. If the old password is not correct, MIIS 2003 does not attempt the password change operation on the remaining accounts.

Configuring the Target Management Agents

You configure the target management agents for user-based, self-service password management in the same manner as you configured the Management Agent for Active Directory.

When you have configured the target management agents to enable password management, they can receive password changes if the new password requested by the user meets the requirements of your domain's password policy.

Configuring PasswordWebAppOptions.xml (Optional)

After you install MIIS2003PasswordManagement.msi and configure the management agents, you can configure PasswordWebAppOptions.xml. Doing so is optional. The file is located in C:\Windows\system32\inetserv\Microsoft Identity Integration Server.

You can use PasswordWebAppOptions.xml to configure the account list that the WMI interface returns to the Web-based application. You can also use it to show connections where the server has shut down and to set other parameters that modify the behavior of the Web-based application.

PasswordWebAppOptions.xml has three sections of code: <admin-app>, <user-app>, and <object-types>. The first section, <admin-app>, contains the Help desk application configuration options. You can ignore this section because the Help desk application, Help Desk Password Reset, is not addressed in this Guide.

The second section of code, <user-app>, contains the user-based, self-service password management application configuration options:

  <user-app>
    <allow-non-secure>0</allow-non-secure>
    <show-non-secure>0</show-non-secure>
    <show-server-down>0</show-server-down>
    <show-connectors>0</show-connectors>
    <allow-if-partial>0</allow-if-partial>
    <allow-set-if-change-fails>0</allow-set-if-change-fails>
  </user-app>

The following table shows the options in the <user-app> code that define the behavior of the Web-based application.

Option Description

allow-non-secure

Allows the application to attempt setting passwords through a connection that is not secure. If this option is false, and any connections that are not secure are shown, their check boxes are unavailable. If this option is true, and the option to show connections that are not secure is false, this option has no effect.

show-non-secure

Determines whether to show connections that are not secure in the list of accounts.

show-server-down

Determines whether to show connections where the server has shut down in the list of accounts.

show-connectors

Determines whether to show accounts in addition to the one that was found by the initial search. If this option is false, only the special connector that was found is shown and no others. This option overrides the show-non-secure and show-server-down options.

allow-if-partial

Continues updating passwords even if the password change operation fails on the special connector.

allow-set-if-change-fails

For Active Directory and Microsoft Windows NT 4.0, MIIS 2003 attempts a password change operation by default. This requires the correct old password. If the user has multiple Active Directory or Windows NT 4.0 accounts with different passwords, the change operation fails. If the change operation fails with this option enabled, MIIS 2003 attempts to set the password.

Note

The change operation must still succeed for the special connector in order for the password change request to be processed.

The third section of code, <object-types>, defines which management agents support password management and which object types contain user accounts.

Note

We recommend that you do not remove or change any of the default settings in the <object-types> section of code because they contain information about which management agents MIIS 2003 supports. Modifying this section can have unwanted results when you implement your user-based, self-service password management solution. The configuration options table later in this topic explains the configurable behaviors for each configuration option in PasswordWebAppOptions.xml.

  <object-types>
    <object-type>
      <ma-type>Active Directory</ma-type>
      <object>user</object>
    </object-type>
    <object-type>
      <ma-type>Active Directory Application Mode (ADAM)</ma-type>
      <object>iNetOrgPerson</object>
    </object-type>
    <object-type>
      <ma-type>Active Directory Application Mode (ADAM)</ma-type>
      <object>user</object>
    </object-type>
    <object-type>
      <ma-type>Windows NT 4.0</ma-type>
      <object>user</object>
    </object-type>
    <object-type>
      <ma-type>Sun and Netscape directory servers</ma-type>
      <object>iNetOrgPerson</object>
    </object-type>
    <object-type>
      <ma-type>Lotus Notes</ma-type>
      <object>Person</object>
    </object-type>
    <object-type>
      <ma-type>Novell eDirectory</ma-type>
      <object>person</object>
    </object-type>
    <object-type>
      <ma-type>Novell eDirectory</ma-type>
      <object>organizationalPerson</object>
    </object-type>
    <object-type>
      <ma-type>Novell eDirectory</ma-type>
      <object>inetOrgPerson</object>
    </object-type>
  </object-types>

The <object-types> section contains a list of the objects that are valid password objects in MIIS 2003. For example, because Active Directory contact objects are not listed, MIIS 2003 attempts no password operation on contact objects that hold contact information for a user, even when they are found as connector objects for that user. The order of this list determines the order in which MIIS 2003 updates the passwords and the order in which they appear in the Web-based application.

The following table shows the options in the <object-types> section of code that define the supported management agent and object types. It is recommended that you use the default settings for this section of the PasswordWebAppOptions.xml file.

Option Description

object-types

Starts the section where object types are listed.

object-type

Starts the section where the information for one object type is listed.

object

Names the object type for which password operations are provided, for example, user.

ma-type

Names the specific management agent, for example, the Management Agent for Active Directory.
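The <user-app> rules from the options table, the special-connector-first processing described in steps 6 to 8 of the password change process, and the <object-types> ordering can be exercised together with the following Python model. It is an added example written for this topic, not code from the Guide or from the shipped Web application; the Connector record, the account names, the simulated operation outcomes and the two XML fragments are constructed assumptions that reuse only the element names the Guide documents.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed <user-app> section; element names are the ones the Guide documents.
USER_APP_XML = """<user-app>
  <allow-non-secure>0</allow-non-secure>
  <show-non-secure>1</show-non-secure>
  <show-server-down>0</show-server-down>
  <show-connectors>1</show-connectors>
  <allow-if-partial>0</allow-if-partial>
  <allow-set-if-change-fails>1</allow-set-if-change-fails>
</user-app>"""

# Constructed subset of the default <object-types> list; its order is the display order.
OBJECT_TYPES_XML = """<object-types>
  <object-type><ma-type>Active Directory</ma-type><object>user</object></object-type>
  <object-type><ma-type>Windows NT 4.0</ma-type><object>user</object></object-type>
  <object-type><ma-type>Lotus Notes</ma-type><object>Person</object></object-type>
</object-types>"""

OPTIONS = ("allow-non-secure", "show-non-secure", "show-server-down",
           "show-connectors", "allow-if-partial", "allow-set-if-change-fails")
CHANGE_FIRST_MA = {"Active Directory", "Windows NT 4.0"}  # change attempted first, set may follow


def parse_user_app(xml_text):
    """Return the <user-app> flags as booleans: '1' is true, anything else is false."""
    root = ET.fromstring(xml_text)
    return {name: (root.findtext(name) or "").strip() == "1" for name in OPTIONS}


def parse_object_types(xml_text):
    """Return the ordered (ma-type, object) pairs that are valid password objects."""
    root = ET.fromstring(xml_text)
    return [(ot.findtext("ma-type").strip(), ot.findtext("object").strip())
            for ot in root.findall("object-type")]


@dataclass
class Connector:
    """One account returned by the WMI account search (constructed record, not the real API)."""
    name: str
    ma_type: str
    object_type: str
    special: bool          # the Active Directory special connector
    secure: bool           # the connection to the data source is secure
    server_down: bool      # the data source is unreachable
    change_ok: bool        # simulated result of a change operation
    set_ok: bool = True    # simulated result of a fallback set operation


def account_list(connectors, flags, order):
    """Apply the show-*/allow-* rules; return [(connector, shown, enabled)] in object-types order."""
    rank = {pair: i for i, pair in enumerate(order)}
    # Objects missing from <object-types> (for example AD contacts) are never password objects.
    valid = [c for c in connectors if (c.ma_type, c.object_type) in rank]
    rows = []
    for c in sorted(valid, key=lambda c: rank[(c.ma_type, c.object_type)]):
        shown = c.special or (
            flags["show-connectors"]                     # false: the special connector only
            and (c.secure or flags["show-non-secure"])
            and (not c.server_down or flags["show-server-down"]))
        # The special connector is listed but unavailable; a non-secure connection is
        # greyed out unless allow-non-secure is set.
        enabled = shown and not c.special and (c.secure or flags["allow-non-secure"])
        rows.append((c, shown, enabled))
    return rows


def process_request(special, selected, flags):
    """Simulate one request: the special connector is changed first, then the selected accounts."""
    results = {special.name: "changed" if special.change_ok else "failed"}
    if not special.change_ok and not flags["allow-if-partial"]:
        return results     # default: a failed change on the authoritative account stops the request
    for c in selected:
        if c.change_ok:
            results[c.name] = "changed"
        elif flags["allow-set-if-change-fails"] and c.ma_type in CHANGE_FIRST_MA and c.set_ok:
            results[c.name] = "set"    # fallback only for the non-special AD / NT 4.0 accounts
        else:
            results[c.name] = "failed"
    return results


# Constructed accounts: Notes over a non-secure connection, the AD special connector,
# two NT 4.0 accounts (one with a different old password, one unreachable), an AD contact.
SAMPLE_CONNECTORS = [
    Connector("notes01", "Lotus Notes", "Person", False, False, False, True),
    Connector("ad01", "Active Directory", "user", True, True, False, True),
    Connector("nt01", "Windows NT 4.0", "user", False, True, False, False, True),
    Connector("nt02", "Windows NT 4.0", "user", False, True, True, True),
    Connector("contact01", "Active Directory", "contact", False, True, False, True),
]


def demo():
    """Build the account list, select every enabled account and run the request."""
    flags = parse_user_app(USER_APP_XML)
    rows = account_list(SAMPLE_CONNECTORS, flags, parse_object_types(OBJECT_TYPES_XML))
    special = next(c for c, _, _ in rows if c.special)
    selected = [c for c, _, enabled in rows if enabled]
    return process_request(special, selected, flags)   # {'ad01': 'changed', 'nt01': 'set'}
```

With these constructed values the Notes account is listed but greyed out (show-non-secure on, allow-non-secure off), the unreachable NT 4.0 account is hidden, the contact object is never offered, and the stale NT 4.0 password is set only because the special connector change succeeded first.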

Customizing the Web-based Application (Optional)

The user-based, self-service Web-based application has three primary code modules that you can use to extend the functionality of the user-based, self-service password change solution: a common module, a Help desk module, and a password set module. All of these modules are .NET assemblies with source code located in C:\Inetpub\wwwroot\miis. For example, by modifying the source code you can determine what action to take or what message to display when a search fails.

The following table shows the Web-based application functions that have code that you can modify or extend by writing additional code.

Function Description

ConnectorCompleted

Called after a password set or change operation for each connector on which an operation was attempted. Allows additional processing after the connector is processed.

GetAccountDisplayString

Called for each connector found. Returns the string that is displayed for account name.

GetConnectionDisplayString

Called for each connector found. Returns the string that is displayed in the ConnectionStatus column for each account.

GetOverallStatusString

Determines the overall status string that is shown.

GetStatusDisplayString

Called for each connector found. Returns the string that is displayed in the Status column for each account.

RequestCompleted

Called after all the connectors for which password management operations were performed have been processed. Allows additional processing after the entire request is complete.

ShouldAccountBeChecked

Called for each connector found. Determines whether the connector status box is checked.

ShouldAccountBeDisabled

Called for each connector found. Determines whether the connector status box is disabled.

ShouldShowOnTable

Called for each connector found. Determines whether the connector is visible on the Select Accounts page of the intranet Web site.

Security Considerations for User-Based, Self-Service Password Change

MIIS 2003 has features that address security issues that can occur when you implement a user-based, self-service password change solution. Below are best practices for security in MIIS 2003 that can enhance the security of your corporate environment. For more information about securing your MIIS 2003 environment, see MIIS Best Practices for Security in MIIS 2003 Help.

Ensure Secure Communication Between the Management Agents and the Connected Data Sources

The security that is used to pass password changes from MIIS 2003 to the connected data sources is specific to each management agent. For example, communication between Active Directory and MIIS 2003 uses Kerberos encryption to set the password in Active Directory; other management agents use sign and seal or Secure Sockets Layer (SSL) to encrypt traffic between MIIS 2003 and the target connected data sources. Security options for management agents can be configured when configuring the management agent properties in MIIS 2003.

Use HTTPS to Deploy the Web-Based Application

You should deploy the Web-based application for user-based, self-service password change from an intranet site that uses the secure protocol HTTPS rather than HTTP. Using HTTPS ensures that communication between client workstations and the Web server is secure.

Secure the Web Server

Use standard security measures to secure the server running IIS. For user-based, self-service password change, you should install only the recommended IIS Web service components on the server running IIS in your environment. Enable only those Web service extensions that the Web sites and applications running on that server require. This approach reduces the attack surface of the server running IIS. For more information about securing Web-based servers, see chapter 9 of the Windows Server 2003 Security Guide, "The Web Server Role" (https://go.microsoft.com/fwlink/?LinkId=77660).

Assign Permissions to Groups Rather Than to Users

Secure systems assign permissions to groups rather than to users. Because it is inefficient to maintain permissions for user accounts directly, assigning permissions on a user basis should be the exception. Use Deny permissions for special cases. For example, use Deny permissions to exclude a subset of a group that has Allow permissions, or to exclude one user or group with special permission when you have already granted full permission to a user or group.

Lock Down the MIIS 2003 Service Account

MIIS 2003 runs in the security context of a specific account. Because the account has access to all MIIS 2003 resources, you should lock down this account with the following restrictions:

  • Deny the account the right to log on as a batch job.

  • Deny the account the right to log on locally.

  • Deny the account the right to log on through Terminal Services.

  • Deny the account the right to access this computer from the network.

Note

For more information about setting restrictions on accounts in Windows Server 2003, Enterprise Edition, see Windows Server 2003, Enterprise Edition Help.

Place the Server Running MIIS 2003 Behind a Firewall

Ensure that the network context for the server running MIIS 2003 is behind a firewall. To do this, use a tunnel from the server running MIIS 2003 to connect to resources such as domain controllers, if they are not on the same side of the firewall. For more information about security and Windows Server 2003, Enterprise Edition, see Windows Server 2003, Enterprise Edition Help.

Resource Requirements

It is recommended that you implement the procedures in this user-based, self-service password change solution in a test environment prior to deploying them in your production environment. To perform the procedures in this Guide, your test environment should have the following characteristics:

  • At least one Active Directory domain controller running Microsoft Windows Server 2003 or Windows 2000 Server.

  • A member server running Windows Server 2003, Enterprise Edition and MIIS 2003 with Service Pack 1 (SP1).

    MIIS 2003 should have at least one Management Agent for Active Directory and another management agent that is configured and successfully synchronizing objects. The MIIS 2003 service account must be a domain account.

  • A client workstation with rights to log on to the connected data sources to verify user-based, self-service password management.

  • No firewall between the servers.

    If a firewall is enabled, you must open a range of ports to allow Remote Procedure Call (RPC) communication between the domain controller and the server with MIIS 2003. For more information, see MIIS 2003 Technical Reference (https://go.microsoft.com/fwlink/?LinkId=38680).

  • MIIS 2003 installation media that contains the password management files for the user-based, self-service password change solution.

Summary

This Guide describes a user-based, self-service password change solution based on MIIS 2003. It provides an overview of how user-based, self-service password change works, its fundamental components, and the processes necessary to implement the solution in your enterprise environment.

It is important that you implement this solution in a test environment before you deploy it into your production environment.

For specific instructions for implementing the user-based, self-service password change solution presented in this Guide, see Implementing the User-Based, Self-Service Password Change Solution – Step-by-Step (https://go.microsoft.com/fwlink/?LinkID=82657).

See Also

Other Resources

Implementing the User-Based, Self-Service Password Change Solution – Step-by-Step