Step 7: Configure Self-Service Password Reset

Configuring Password Reset consists of the following steps:

  • Add CORP\FIMService to the local FIMSyncBrowse and FIMSyncPasswordSet groups

  • Enable password management on the AD Management Agent

  • Enable CORP\FIMService privileges in WMI on FIM1

  • Allow WMI traffic through the Windows Firewall on FIM1

  • Enable DCOM for CORP\FIMService on FIM1

  • Change the default Q&A questions in the workflow

  • Enable the required MPRs

  • Install the Rich-client on CLIENT1

Add CORP\FIMService to the local FIMSyncBrowse and FIMSyncPasswordSet groups

In this step we will add the FIM Service account to the two required groups for implementing SSPR.

To add CORP\FIMService to the local FIMSyncBrowse and FIMSyncPasswordSet groups

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Computer Management. This will open the Computer Management MMC.

  3. In the Computer Management MMC, from the tree-view on the left, expand Local Users and Groups, and then select Groups.


  4. In the center pane, right-click FIMSyncBrowse and select Properties. This will bring up the FIMSyncBrowse Properties.

  5. Click Add.

  6. This will bring up the Select Users, Computers, Service Accounts, Groups dialog box.

  7. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    CORP\FIMService
    This should resolve to the FIM Service account (the name appears underlined). Click OK.

  8. Click Apply.

  9. Click OK.

  10. In the center pane, right-click FIMSyncPasswordSet and select Properties. This will bring up the FIMSyncPasswordSet Properties.

  11. Click Add.

  12. This will bring up the Select Users, Computers, Service Accounts, Groups dialog box.

  13. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    CORP\FIMService
    This should resolve to the FIM Service account (the name appears underlined). Click OK.

  14. Click Apply.

  15. Click OK.

  16. Close Computer Management.

  17. Click Start, select Administrative Tools, and then click Services.

  18. Scroll down and right-click Forefront Identity Manager Service, and then select Stop. This will stop the Forefront Identity Manager Service.

  19. Scroll down and right-click Forefront Identity Manager Synchronization Service, and then select Stop. This will stop the Forefront Identity Manager Synchronization Service.

  20. Right-click Forefront Identity Manager Service, and then select Start. This will start the Forefront Identity Manager Service.

  21. Right-click Forefront Identity Manager Synchronization Service, and then select Start. This will start the Forefront Identity Manager Synchronization Service. The restart is required because a service's group memberships are read into its token at logon, so the new memberships do not take effect until both services have been stopped and started.

  22. Close Services.
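The same group change and service recycle, scripted, as an added example that is not part of the original walkthrough. It assumes an elevated PowerShell session on FIM1 and the lab names (CORP\FIMService, FIMSyncBrowse, FIMSyncPasswordSet); it uses the WinNT ADSI provider rather than the newer local-group cmdlets so that it runs on the Windows Server 2008 R2 / PowerShell 2.0 hosts this lab targets.

```powershell
# Added example, not from the original walkthrough.
# Assumptions: elevated PowerShell on FIM1; lab account CORP\FIMService;
# local groups FIMSyncBrowse and FIMSyncPasswordSet created by FIM Sync setup.
$domain = 'CORP'
$user   = 'FIMService'
$groups = 'FIMSyncBrowse', 'FIMSyncPasswordSet'

function Get-LocalGroupMemberNames([string]$groupName) {
    # WinNT provider works on PowerShell 2.0 without Add-/Get-LocalGroupMember
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

foreach ($g in $groups) {
    if ((Get-LocalGroupMemberNames $g) -contains $user) {
        Write-Host "$domain\$user is already a member of $g"
    } else {
        $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
        $grp.psbase.Invoke('Add', "WinNT://$domain/$user,user")
        Write-Host "Added $domain\$user to $g"
    }
}

# Group membership is read into the service token at logon, so both FIM
# services must be recycled (same order as the manual steps) before the
# new memberships take effect.
$displayNames = 'Forefront Identity Manager Service',
                'Forefront Identity Manager Synchronization Service'
$svcs = $displayNames | ForEach-Object { Get-Service -DisplayName $_ -ErrorAction Stop }
$svcs | Stop-Service -Force     # -Force also stops anything that depends on them
$svcs | ForEach-Object { $_.WaitForStatus('Stopped', (New-TimeSpan -Seconds 120)) }
$svcs | Start-Service
$svcs | ForEach-Object { $_.WaitForStatus('Running', (New-TimeSpan -Seconds 120)) }

# Final check: print membership of each group and the state of each service
foreach ($g in $groups) {
    $ok = (Get-LocalGroupMemberNames $g) -contains $user
    '{0,-22} {1}' -f $g, $(if ($ok) { 'OK' } else { 'MISSING' })
}
$svcs | ForEach-Object { $_.Refresh(); '{0,-55} {1}' -f $_.DisplayName, $_.Status }
```

If a service does not reach Running within the timeout, check the Forefront Identity Manager event log before continuing; a FIM Service that fails to start after the group change usually points at a wrong account name rather than at the group membership itself.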

Enable password management on the AD Management Agent

In order for AD DS to process the password reset requests, we must enable password management on the AD management agent created in the preceding step.

To enable password management on the AD Management Agent

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, select All Programs, select Microsoft Forefront Identity Manager, and click Synchronization Service.

  3. At the top of the Synchronization Service, click Management Agents.

  4. Select the AD management agent and on the right under Actions select Properties. This will bring up the AD management agent properties.

  5. In the properties window, click Configure Extensions and place a check in Enable password management.

  6. Click OK.

Enable CORP\FIMService privileges in WMI on FIM1

The FIM Service account must be granted Enable Account and Remote Enable on the ROOT\CIMV2 namespace of the FIM 2010 R2 server, applied to that namespace and all of its subnamespaces. The Apply To setting in step 13 is easy to miss: the permission defaults to "This namespace only", which is not sufficient.

To enable CORP\FIMService privileges in WMI on FIM1

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and click Server Manager.

  3. In Server Manager, expand Configuration, right-click WMI Controls and select Properties.

  4. Click the Security tab.

  5. Expand Root, select CIMV2, and then click the Security button. This will bring up the Security for ROOT\CIMV2.

  6. On Security for ROOT\CIMV2, click Add.

  7. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  8. Click OK.

  9. On Security for ROOT\CIMV2, for CORP\FIMService ensure that Allow is selected for Enable Account.

  10. On Security for ROOT\CIMV2, for CORP\FIMService select Allow for Remote Enable.

  11. Click Advanced. This will bring up the Advanced Security Settings for CIMV2.

  12. On Advanced Security Settings for CIMV2, select FIM Service (FIMService@corp.contoso.com) and then click Edit. This will bring up Permission Entry for CIMV2.

  13. On Permission Entry for CIMV2, select This namespace and subnamespaces in the Apply To box.

  14. Click OK.

  15. On Advanced Security Settings for CIMV2, click Apply, and then click OK.

  16. On Security for ROOT\CIMV2, click OK.

  17. On WMI Control Properties, click OK.

  18. Close Server Manager.
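A script that reads the ROOT\CIMV2 DACL back and reports whether the three things the steps above set (Enable Account, Remote Enable, and inheritance to subnamespaces) are actually in place. This is an added verification example, not part of the original walkthrough; it assumes it is run elevated on FIM1 for the lab trustee CORP\FIMService, and the bit values are the WBEM namespace access rights from wbemcli.h.

```powershell
# Added verification example, not from the original walkthrough.
# Assumptions: run elevated on FIM1; trustee is the lab account CORP\FIMService.
$namespace = 'root\cimv2'
$domain    = 'CORP'
$user      = 'FIMService'

# WMI namespace rights (wbemcli.h) that the manual steps grant
$WBEM_ENABLE        = 0x01   # "Enable Account" check box
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable" check box
$CONTAINER_INHERIT  = 0x02   # AceFlags bit set by "This namespace and subnamespaces"
$ACCESS_ALLOWED     = 0      # AceType for an Allow ACE

$sec = Get-WmiObject -Namespace $namespace -Class __SystemSecurity -ErrorAction Stop
$out = $sec.GetSecurityDescriptor()
if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($out.ReturnValue)" }

# Only Allow ACEs for our trustee matter; Deny ACEs would show up as AceType 1
$aces = @($out.Descriptor.DACL | Where-Object {
    $_.AceType -eq $ACCESS_ALLOWED -and
    $_.Trustee.Domain -eq $domain -and $_.Trustee.Name -eq $user
})
if ($aces.Count -eq 0) {
    Write-Warning "No Allow ACE for $domain\$user on $namespace"
    return
}

foreach ($ace in $aces) {
    $mask = $ace.AccessMask
    New-Object PSObject -Property @{
        Namespace     = $namespace
        Trustee       = "$domain\$user"
        EnableAccount = (($mask -band $WBEM_ENABLE) -ne 0)
        RemoteEnable  = (($mask -band $WBEM_REMOTE_ACCESS) -ne 0)
        SubNamespaces = (($ace.AceFlags -band $CONTAINER_INHERIT) -ne 0)
    } | Format-List Namespace, Trustee, EnableAccount, RemoteEnable, SubNamespaces
}
```

All three properties should print True. A SubNamespaces value of False means the Apply To box in step 13 was left at "This namespace only"; an EnableAccount or RemoteEnable of False means the corresponding check box in steps 9 and 10 was not set.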

Allow WMI traffic through the Windows Firewall on FIM1

The FIM1 server needs to allow WMI traffic through the firewall so that the FIM Service can reach the Synchronization Service's WMI provider. The Allowed Programs check box enables the built-in "Windows Management Instrumentation (WMI)" rule group for inbound DCOM and WMI connections.

To allow WMI traffic through the Windows Firewall on FIM1

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, and then click Control Panel.

  3. In Control Panel, click Windows Firewall.

  4. On Windows Firewall, select Allow a program or feature through Windows Firewall.

  5. On Allowed Programs, under Allowed programs and features, scroll down, and then select the Windows Management Instrumentation (WMI) check box.

  6. Click OK.

  7. Close Windows Firewall.

  8. Close Control Panel.
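The same change from the command line, with a check that the rules are enabled, as an added example that is not part of the original walkthrough. It uses netsh advfirewall, which is what the Windows Firewall dialog drives on Windows Server 2008 R2; the optional remote-address scoping at the end is an assumption for deployments where the FIM Service runs on a different host than the Synchronization Service (in this lab both are on FIM1).

```powershell
# Added example, not from the original walkthrough.
# Assumptions: elevated PowerShell on FIM1 with Windows Firewall with
# Advanced Security (Windows Server 2008 R2). Enabling the built-in rule
# group is the same as ticking "Windows Management Instrumentation (WMI)"
# in the Allowed Programs list.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

# Verify: each inbound WMI rule is followed by its Enabled: line in the listing
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^Rule Name:\s+Windows Management Instrumentation' -Context 0, 2

# Least-privilege option (assumed for a split deployment, not used in this lab):
# restrict the inbound rules to the host that runs the FIM Service instead of
# leaving them open to any remote address. Replace the placeholder with that
# server's address before running it.
#
# netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" dir=in new remoteip=<fim-service-host-ip>
```

The listing should show the WMI-In, DCOM-In and ASync-In rules with "Enabled: Yes" for the active profile. If the server is a member of the Domain profile only, the Private and Public copies of the rules stay disabled, which is expected.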

Enable DCOM for CORP\FIMService on FIM1

WMI uses DCOM to communicate with the FIM 2010 R2 server. For this to occur, the FIM Service account requires DCOM access, launch and activation permissions on the server running the FIM Synchronization Service. The four dialogs edited below map to four machine-wide ACLs: the Edit Limits entries are the upper bound for every COM server on the machine, and the Edit Default entries are what applies to a COM server that has no ACL of its own.

To enable DCOM for CORP\FIMService on FIM1

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, click Administrative Tools, and then click Component Services.

  3. On Component Services, expand Component Services, and then expand Computers.

  4. Right-click My Computer, and then click Properties.

  5. On My Computer Properties, click COM Security.

  6. On COM Security, under Access Permissions, click Edit Limits.

  7. On Access Permissions, click Add.

  8. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  9. Click OK.

  10. On Access Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check box for both Local Access and Remote Access.

  11. Click OK.

  12. On COM Security, under Access Permissions, click Edit Default.

  13. On Access Permissions, click Add.

  14. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  15. Click OK.

  16. On Access Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check box for both Local Access and Remote Access.

  17. Click OK.

  18. On COM Security, under Launch and Activation Permissions, click Edit Limits.

  19. On Launch and Activation Permissions, click Add.

  20. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  21. Click OK.

  22. On Launch and Activation Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  23. Click OK.

  24. On COM Security, under Launch and Activation Permissions, click Edit Default.

  25. On Launch and Activation Permissions, click Add.

  26. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  27. Click OK.

  28. On Launch and Activation Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  29. Click OK.

  30. On My Computer Properties, click Apply, and then click OK.

  31. Close Component Services.

Change the default Q&A questions in the workflow

The default questions for the Q&A gate are Question 1, Question 2, and Question 3. These need to be changed to real questions. The questions used below are lab examples; answers to questions about family names or pets are often discoverable from public records or social media, so for a production deployment choose questions whose answers are not easily found or guessed, and remember that the gate is only as strong as the weakest question a user can be asked.

To change the default Q&A questions in the workflow

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  3. In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 home page.

  4. On the right, under Administration, click Workflows.

  5. Double-click Password Reset AuthN Workflow. This will bring up the Password Reset AuthNWorkflow.

  6. Click Activities.

  7. Click the down arrow next to QA Gate, this will expand the details. Click Edit.

  8. Navigate to Step 2. Remove Question 1 from the box and enter: What is your mother's middle name?

  9. Remove Question 2 from the box and enter: What is your father's middle name?

  10. Remove Question 3 from the box and enter: What was your first pet's name?

  11. Click Save. Click OK. Click Submit.

Enable the Required MPRs

By default, FIM has several Management Policy Rules disabled that need to be enabled for SSPR.

To enable the required MPRs

  1. Log on to CLIENT1.corp.contoso.com as CORP\Administrator.

  2. Open Internet Explorer and navigate to the Forefront Identity Manager 2010 R2 portal at https://fim1/identitymanagement.

  3. On the right, under Administration, click Management Policy Rules.

  4. In the list of MPRs, locate Anonymous users can reset their password and click it. This will open the Configuration page.

  5. Clear the check box next to Policy is disabled.

  6. Click OK, and then click Submit.

  7. Repeat steps 4 through 6 for each of the following MPRs:

    1. Password Reset Users can read password reset objects

    2. Password Reset Users can update the lockout attribute of themselves

    3. User management: Users can read attributes of their own

    4. General: Users can read non-administrative configuration resources

    5. Administration: Administrators can read and update Users
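The same MPR change, scripted against the FIM Service with the FIMAutomation snap-in, as an added example that is not part of the original walkthrough. It assumes it is run on FIM1 by a FIM administrator with the snap-in installed alongside the FIM Service and the default service endpoint (localhost:5725); the display names are the ones listed above, and an MPR is enabled by replacing its Disabled attribute with false, which is what clearing the Policy is disabled check box does in the portal.

```powershell
# Added example, not from the original walkthrough.
# Assumptions: run on FIM1 as a FIM administrator; FIMAutomation snap-in
# installed with the FIM Service; default endpoint http://localhost:5725.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# The MPRs the walkthrough enables, by display name
$required = @(
    'Anonymous users can reset their password',
    'Password Reset Users can read password reset objects',
    'Password Reset Users can update the lockout attribute of themselves',
    'User management: Users can read attributes of their own',
    'General: Users can read non-administrative configuration resources',
    'Administration: Administrators can read and update Users'
)

# Pull one single-valued attribute out of an Export-FIMConfig result
function Get-FimAttributeValue($exportObject, [string]$attributeName) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $attributeName }
    if ($attr) { $attr.Value } else { $null }
}

foreach ($displayName in $required) {
    # XPath filter on the FIM Service; none of these names contain a quote
    $filter = "/ManagementPolicyRule[DisplayName='$displayName']"
    $mprs = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $filter)
    if ($mprs.Count -eq 0) { Write-Warning "MPR not found: $displayName"; continue }
    $mpr = $mprs[0]

    if ([string](Get-FimAttributeValue $mpr 'Disabled') -ne 'True') {
        Write-Host "Already enabled: $displayName"
        continue
    }

    # Build a Put request that replaces Disabled with false on this one object
    $id = $mpr.ResourceManagementObject.ObjectIdentifier
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
    $change.AttributeName  = 'Disabled'
    $change.AttributeValue = 'false'
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = 'ManagementPolicyRule'
    $import.TargetObjectIdentifier = $id
    $import.SourceObjectIdentifier = $id
    $import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes                = @($change)

    $import | Import-FIMConfig
    Write-Host "Enabled: $displayName"
}

# Report: anything still disabled in the required set is a problem
$stillDisabled = @(Export-FIMConfig -OnlyBaseResources -CustomConfig "/ManagementPolicyRule[Disabled='true']" |
    ForEach-Object { Get-FimAttributeValue $_ 'DisplayName' } |
    Where-Object { $required -contains $_ })
if ($stillDisabled.Count -eq 0) { 'All required SSPR MPRs are enabled' } else { $stillDisabled }
```

Run the final report on its own after a manual change as well; it is a quick way to confirm the portal edits took effect. Note that "Anonymous users can reset their password" deliberately grants rights to unauthenticated callers, which the reset portal needs, so it should be enabled only on FIM Services that front a password reset portal.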

Install the Rich-client on CLIENT1

In this section we will install the rich-client on CLIENT1.

To install the Rich-client on CLIENT1

  1. Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  2. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 R2 and double-click FIMSplash.htm. This will bring up the Forefront Identity Manager 2010 R2 splash screen.

  3. On the splash screen, click Install Add-ins and Extensions, 64 bit. You will see a pop-up that says Do you want to run or save this file? Click Run. This will take a minute. Then you will see another pop-up asking Do you want to run this software? Click Run. This will start the Forefront Identity Manager 2010 R2 Add-ins and Extensions Setup Wizard.

  4. On the Welcome page, click Next.

  5. On the End User License Agreement page, read the License Agreement, select I accept the terms in the License Agreement, and then click Next.

  6. On the FIM Customer Experience Improvement Program page, select I don’t want to join the program at this time, and then click Next.

  7. On the Custom Setup page, click the drop-down list next to FIM Add-in for Outlook, select Entire feature will be unavailable.

  8. Click Next.

  9. On the Configure FIM Add-ins and Extensions page, in the box next to FIM Service Server address: enter FIM1 and click Next.

  10. On the Configure FIM Add-ins and Extensions page, in the box below Intranet Registration Portal URL: enter https://passwordregistration.corp.contoso.com and click Next.

  11. Click Install.

  12. Once the installation is complete, click Finish. You will be prompted to restart your system. Click Yes.