Understanding Password Reset

Applies To: Forefront Identity Manager 2010

Microsoft Forefront™ Identity Manager 2010 (FIM 2010) includes a password reset and registration feature. By using this feature, users can reset their passwords from the Microsoft Windows® logon screen after they complete an authentication process to verify their identities.

Getting Support

If you have questions regarding the content of this document or if you have general feedback that you want to discuss, post a message to the Microsoft Forefront Identity Manager Discussion Forum (https://go.microsoft.com/fwlink/?LinkId=163230).

The following video about FIM Password Reset is also available on TechNet https://technet.microsoft.com/en-us/edge/using-the-password-reset-deployment-feature-in-forefront-identity-manager-fim-2010.aspx.

Introduction to Password Management in FIM 2010

As users become increasingly more mobile, the need to control password management inside a corporate network environment without incurring increasing help desk costs is important. FIM provides an easily accessible web portal that lets users register themselves, and authenticate and reset their passwords from:

• Domain-joined computers on an intranet

• A domain-joined kiosk computer on an intranet

This document discusses how the password management process works, and the requirements involved.

How Password Management Works

Password management in FIM 2010 consists of two components:

• The FIM Password Reset Portal

• The FIM Password Reset client, which is installed as part of the FIM Add-ins and Extensions.

To use password management, users must first register, which involves creating answers to a series of security questions. To reset their password, users will then be presented with these questions and they must provide the correct answers.

Password Registration

The password registration process involves these steps:

• The user selects Register for password reset in the FIM Portal, which starts the password reset client.

• The client displays a set of authentication challenge questions to the end user and gathers the end user response data, and then submits the response data to the FIM server.

• The client returns a success or failure confirmation message to the user.

Initiating the request

When the user requests to register for password reset, the password reset client starts. The user enters their credentials, and the request is sent to the FIM server, which verifies that the user is authorized to participate in password registration and, if successful, returns the Question and Answer activity (also known as a gate) that the client displays to the end user.

Gathering the end user responses

The number and wording of the questions in the Question and Answer gate is configured in the workflow activity by the administrator, who can specify the following:

• How many questions are created

• How many questions are displayed during registration

• How many questions are required to be answered for registration

• How many questions are presented during the reset process

• How many questions must be answered correctly during the reset process

When the user has answered and submitted the questions, the registration data will be verified for completeness and validity, and if successful, written to the FIM Service database. In the case of multiple Question and Answer gates, if the first gate is validated successfully, then the subsequent gates will be presented and processed as above.

If at any point, incomplete or invalid responses are entered, an appropriate error message will be returned to the user.

Confirming the request

When all the gates have been successfully completed and verified, a confirmation is displayed to the client.

Password Reset

When a user has registered successfully, he or she can then use the Password Reset Portal to reset a forgotten password. The password reset process involves the following steps:

• The user selects Reset in the Password Reset Portal or on the Windows logon screen, and the client initiates the request to reset the password.

• The client displays the authentication challenge questions that the user configured during registration, and then it submits the user's response data to the FIM Server.

• If a Lockout Gate activity has been configured by the administrator, a specified number of incorrect attempts may prevent the user from attempting the password reset for a specified period of time or necessitate calling the help desk.

• Upon successful verification, the application displays the client user interface to create a new password and submits the user's response.

• The application returns a success or failure confirmation to the user.

Initiating the request

When the user requests to reset their password, the Password Reset Portal page is displayed to the user, displaying the challenge questions previously configured in the Question and Answer gate, which the Password Reset Registration Web Application displays to the end user.

Verifying the challenge responses

The challenge questions to which the user supplied answers during registration are displayed to the user. The number of questions displayed and the number of correct answers required depend on how the administrator configured the Question and Answer gate.

When the user has answered and submitted the questions, the response data will be validated. In the case of multiple Question and Answer gates, if the first gate is validated successfully, the subsequent gates will be presented and processed as above.

Lockout Gates

A Lockout Gate is an activity that can be attached to an Authorization Workflow. It is used to determine how many failed password reset attempts can be made before the user is locked out temporarily or permanently. Within a Lockout Gate activity, the administrator can modify:

• The Lockout Threshold, which is the number of times that a user can fail to answer the minimum number of answers correctly.

• How long the user is locked out after each Lockout Threshold is reached.

• The number of Lockout Thresholds that can occur before the user is permanently locked out.

Resetting the password

When all the Question and Answer gates have been successfully completed and verified, the password reset page is displayed to the user, and the new password entered by the user is submitted.

Confirming the request

When the new password has been verified, a confirmation is displayed to the user.

Requirements for Password Reset Management in FIM 2010

Required Ports

If there is a firewall between the server running FIM and the server running Active Directory Domain Services (AD DS), the following ports must be opened in the firewall between the FIM Synchronization Server and the AD DS domain controller:

• TCP/UDP 135 (RPC EPMapper)

• TCP/UDP 389 (LDAP, LDAP Ping)

• TCP 636 (LDAP over SSL)

• TCP 3268 (GC)

• TCP 3269 (GC SSL)

• TCP/UDP 53 (DNS)

• TCP/UDP 88 (Kerberos)

• TCP Dynamic (RPC)

• TCP/UDP 464 (Kerberos Change/Set Password)

• TCP 445 – (CIFS/ MICROSOFT-DS)

To facilitate Windows Management Instrumentation (WMI) communication, you will also need to make sure the following ports are open between the server running the FIM Service and the server running the FIM Synchronization Service:

• TCP/UDP 135 (RPC EPMapper)

• TCP 135 (RPC EPMapper)

• TCP 5725

• TCP 5726

• TCP 5000-5001 Dynamic RPC ports (PCNS)

• TCP 57500-57520 Dynamic RPC ports (AD MA)

Required Management Policy Rules

There are seven Management Policy Rules (MPRs) that are necessary for deploying the Password Reset feature in FIM. These MPRs are installed by default, but they will have to be enabled to deploy Password Reset.

General MPRs

Two of the required MPRs are non-password-specific, as described in the following table.

Password MPRs