Implementing the User-Based, Self-Service Password Change Solution - Step-by-Step

Applies To: Forefront Identity Manager

This document provides step-by-step instructions for implementing the user-based, self-service password change solution that is described in User-Based, Self-Service Password Change Solution Guide for MIIS 2003 (https://go.microsoft.com/fwlink/?LinkId=82656). You will follow these steps to implement the solution:

  • Step 1: Install Internet Information Services (IIS) and ASP.NET

  • Step 2: Allow ASP.NET in the IIS Environment

  • Step 3: Install the MIIS 2003 Password Management Application

  • Step 4: Configure the Management Agents

  • Step 5: Verify the Solution

Step 1: Install Internet Information Services (IIS) and ASP.NET

In this step, you install Internet Information Services (IIS) and ASP.NET on the computer running MIIS 2003 Service Pack 1 (SP1).

To install IIS and ASP.NET

  1. On the computer running MIIS 2003, in Control Panel, click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Click Application Server, and then click Details.

  4. Select the ASP.NET and Internet Information Services (IIS) check boxes.

  5. In the Application Server dialog box, click Internet Information Services (IIS), and then click Details.

  6. Select Internet Information Services Manager and World Wide Web Service.

  7. If you plan to use Microsoft® Visual Studio® .NET on this computer to debug your code, select FrontPage 2002 Server Extensions.

  8. In the Internet Information Services (IIS) dialog box, click World Wide Web Service, and then click Details.

  9. In the World Wide Web Service list, ensure that the Active Server Pages and World Wide Web Service check boxes are selected.

  10. Click OK, and then click Next to install the services.

To verify that IIS is configured to start automatically

  1. On the computer running MIIS 2003, click Start, click Administrative Tools, and then click Services.

  2. Right-click World Wide Web Publishing Service, and then click Properties.

  3. In the World Wide Web Publishing Service Properties dialog box, ensure that Startup type is set to Automatic.

Step 2: Allow ASP.NET in the IIS Environment

For the user-based, self-service password change application (the Web-based application) to work correctly, you must allow ASP.NET in the Internet Information Services (IIS) environment.

To allow ASP.NET in the IIS environment

  1. On the computer running MIIS 2003, click Start, click Run, type inetmgr, and then click OK.

  2. In IIS Manager, in the console tree, click your computer's name to expand the tree.

  3. Click the Web Service Extensions folder.

  4. In the Web Service Extensions list, right-click ASP.NET v1.1.4322, and then click Allow.

    If ASP.NET v1.1.4322 is not present, you must reinstall IIS.

To verify that ASP.NET is allowed in the IIS environment

  1. On the computer running MIIS 2003, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In IIS Manager, right-click the Web Sites folder, and then click Properties.

  3. In the Properties dialog box, click the Home Directory tab.

  4. Click Configuration, and then click the Mappings tab.

  5. In the Application Extensions box, verify that the .asmx, .aspx, and .asax extensions are installed and that each of them references the aspnet_isapi.dll of .NET Framework v1.1.4322.

If the Web Service Extensions folder in IIS Manager does not include ASP.NET v1.1.4322, you must enable it manually from a command-line prompt.

To enable ASP.NET manually

  1. On the computer running MIIS 2003, click Start, click Run, and then type cmd.

  2. Type CD %WINDIR%\Microsoft.NET\Framework\v1.1.4322, and then press ENTER.

  3. Run the aspnet_regiis.exe -i -enable command, which registers ASP.NET v1.1.4322 with IIS and sets it to Allowed in Web Service Extensions.

Step 3: Install the MIIS 2003 Password Management Application

The Web-based application, MIIS2003PasswordManagement.msi, must be installed for the user-based, self-service password change solution to work correctly. The file for the Web-based application is on the product installation CD for MIIS 2003 Service Pack 1 (SP1). Alternatively, you can get the file from your source for MIIS 2003.

To install the Web-based application

  1. On the installation CD for MIIS 2003, in the Password Management folder, double-click MIIS2003PasswordManagement.msi.

  2. In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.

  3. On the Customer Information and Setup Type pages, accept the default settings.

  4. On the Application Pool Identity page, enter the information for the account in the MIISPasswordSet security group that manages MIIS 2003 password set operations.

  5. Verify that everyone who must use the Web-based application is a member of the MIISPasswordSet security group.

    MIISPasswordSet was created when you installed MIIS 2003. Only members of that security group can run the Web-based application.

  6. Click Next, and then click Install on the page that opens.

To verify that the files for the Web-based application installed successfully

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In IIS Manager, click the Web Sites folder, and then click the Default Web Site icon.

  3. Verify that miis is listed under Default Web Site.
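The verification checks in Steps 1 through 3 (service startup type, ASP.NET extension status, script mappings, the miis virtual directory, and the MIISPasswordSet group) can be run from one script rather than by clicking through IIS Manager. The following PowerShell script is an added example, not part of this document or of the MIIS 2003 product; it assumes that it runs as an administrator on the MIIS 2003 server, that IIS 6 exposes its metabase through the IIS://localhost ADSI provider, and that Default Web Site has site ID 1.

```powershell
# Added example: checks the post-conditions of Steps 1-3 (not Microsoft's own code).
# Assumptions: IIS 6 ADSI metabase provider, Default Web Site = site ID 1, run as admin.
$fxDll  = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll'
$issues = @()

# Step 1: World Wide Web Publishing Service (W3SVC) must start automatically and be running.
$svc = Get-WmiObject Win32_Service -Filter "Name='W3SVC'"
if (-not $svc)                     { $issues += 'W3SVC is not installed (IIS missing)' }
elseif ($svc.StartMode -ne 'Auto') { $issues += "W3SVC startup type is $($svc.StartMode), not Automatic" }
elseif ($svc.State -ne 'Running')  { $issues += 'W3SVC is not running' }

# Step 2: ASP.NET v1.1.4322 must be Allowed in Web Service Extensions. Each entry of
# WebSvcExtRestrictionList reads "status,path,deletable,group,description"; status 1 = Allowed.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
$ext = @($w3svc.WebSvcExtRestrictionList) | Where-Object { $_ -like "*$fxDll*" }
if (-not $ext)               { $issues += 'ASP.NET v1.1.4322 not registered; run aspnet_regiis.exe -i -enable' }
elseif ($ext -notlike '1,*') { $issues += 'ASP.NET v1.1.4322 is Prohibited, not Allowed' }

# Step 2: .aspx/.asmx/.asax must map to the v1.1.4322 aspnet_isapi.dll.
# Each ScriptMaps entry reads "extension,path,flags,verbs".
$root = [ADSI]'IIS://localhost/W3SVC/1/Root'
$maps = @($root.ScriptMaps)
foreach ($e in '.aspx', '.asmx', '.asax') {
    $m = $maps | Where-Object { $_ -like "$e,*" }
    if (-not $m)                    { $issues += "No script mapping for $e" }
    elseif ($m -notlike "*$fxDll*") { $issues += "$e maps to $(($m -split ',')[1]), not v1.1.4322" }
}

# Step 3: the miis virtual directory must exist under Default Web Site.
if (-not ($root.Children | Where-Object { $_.Name -eq 'miis' })) {
    $issues += 'Virtual directory miis not found under Default Web Site'
}

# Step 3: MIISPasswordSet (created by MIIS 2003 Setup) must exist; list its members for review,
# since only members of this local group can run the Web-based application.
$out = net localgroup MIISPasswordSet 2>&1
if ($LASTEXITCODE -ne 0) { $issues += 'Local group MIISPasswordSet not found' }
else {
    Write-Host 'MIISPasswordSet members:'
    $out | Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
}

if ($issues.Count -eq 0) { Write-Host 'All Step 1-3 checks passed' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```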

Step 4: Configure the Management Agents

In this step, you configure the Management Agent for Active Directory and the target management agents for user-based, self-service password change.

To configure the Management Agent for Active Directory for password management

  1. Open MIIS 2003, and then open Identity Manager.

  2. In Identity Manager, click Properties for the Management Agent for Active Directory.

  3. In the Configure Extension dialog box, select Enable password management to enable password synchronization and the Windows Management Instrumentation (WMI) interface for the management agent.

To configure target management agents for password management

  1. In Identity Manager, click Properties for the target management agent.

  2. In Configure Extension, select Enable password management to enable password synchronization and the WMI interface for the management agent.

Step 5: Verify the Solution

To further verify the solution, run the following tests. These tests verify that a password change initiated by a user is propagated to selected target connected data sources that are configured for user-based, self-service password change.

Verify Successful Logon Before Password Change

The following procedures verify that users can successfully log on to two servers with their existing passwords.

To verify successful logon to the source Active Directory domain

  1. From a client computer, log on to the source Active Directory domain with an existing password.

  2. Verify that logon completes successfully.

To verify successful logon to the target connected data source

  1. From a client computer, log on to the target connected data source with an existing password.

  2. Verify that logon completes successfully.

Verify the Configuration of the Web-Based Application

The following procedure verifies that all connected data sources that are configured for password management are in the list of accounts.

To verify that all connected data sources are in the list of accounts

  1. From a client computer, start the Web-based application by typing the following URL in your Internet browser: https://localhost/miis/pc/default.aspx.

  2. Verify that all configured connected data sources are in the list of accounts on the output screen.

Verify Successful Password Change

The following procedure verifies that the user can use the Web-based application to change passwords in connected data sources.

To verify successful password change in the Web-based application

  1. On the intranet Web site configured for the Web-based application, type the user's old password.

  2. Type the user's new password, and then type it again for confirmation.

  3. Select all connected data sources that require password change.

  4. In the Connection dialog box, verify that the Status column displays Success for all connected data sources, including the special connector.

If the password does not meet the domain policy requirements for Active Directory, the password change fails until the user chooses a password that meets the requirements of the domain policy.

To verify whether the new password meets domain policy requirements

  • In the Web-based application, click History, and then read the message in the Status column.

    If the new password meets the domain password policy requirements, the message in the Status column states Success. If the new password violates the domain password policy requirements, the message in the Status column states new-password-violate policy.

Verify Successful Logon After Password Change

The following procedures verify that users can successfully log on to the Active Directory domain and that all of the connected data sources that you configured for user-based, self-service password change can use the new password.

To verify successful logon to the source Active Directory domain

  1. From the client computer, log off the source Active Directory domain.

  2. Use the new password to log on to the source Active Directory domain again.

  3. Verify that logon completes successfully.

To verify successful logon to the target connected data source

  1. From the client computer, log off the target connected data source.

  2. Use the new password to log on to the target connected data source again.

  3. Verify that logon completes successfully.

Troubleshoot the Solution

The following troubleshooting tips can help you solve problems you might encounter when you implement the user-based, self-service password change solution.

Problem Locating the Web Page for Password Change

If you cannot locate the Web page for password change in the Web-based application, ensure that IIS is running and that you have allowed ASP.NET in your IIS environment. If IIS is not running, the browser cannot open the password change page of the Web-based application.

Problem Changing a Password

If MIIS 2003 did not send passwords to the connected data sources, ensure that the connected data sources are configured for password management. Also, ensure that MIIS 2003 has imported the user accounts through the Management Agent for Active Directory and the target management agents and has joined them to one another in the metaverse.

Note

For more information about joining user accounts in the metaverse, see the MIIS 2003 Technical Reference (https://go.microsoft.com/fwlink/?LinkID=38680).

Because Active Directory is the special connector, user-based, self-service password change fails if the data source does not have a connector to Active Directory.

If the attempt to change the password on Active Directory or Windows NT Directory fails, MIIS 2003 does not process other password change requests.

See Also

Other Resources

User-Based, Self-Service Password Change Solution Guide for MIIS 2003