FIM 2010 R2 Rich Client
Forefront Identity Manager 2010 R2 includes a rich client that can be used for password registration, password reset and the FIM Add-in for Outlook.
One thing that is new for FIM 2010 R2 is that the rich client no longer allows interactive registration. Rather, it uses the default web browser and redirects the user to the Password Registration Portal.
When the FIM client determines that the user is to be prompted for password registration, the client:
- Opens the user’s default browser, which may or may not be Internet Explorer, in its default size and position.
- Passes a URL to the browser based upon a key in the client’s registry: RegistrationPortalURL.
  - If a value is present for RegistrationPortalURL in the policy node (HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\RegistrationPortal), then this takes highest precedence.
  - If no value is present in the policy node, then the value is read from the registry location which is written at setup time: HKLM\Software\Microsoft\Forefront Identity Manager\2010\Extensions\RegistrationPortal.
The FIM 2010 R2 client is not required to participate in Self-Service Password Reset. With FIM 2010 R2 SSPR everything can be done from a browser. However, the client does offer one benefit over the browser in that it allows users to reset their password from a domain-joined machine from the logon screen. So for example, if a user goes on vacation and then returns to work but cannot remember their password, they can still reset it from their workstation or laptop.
Several settings for the rich client can be configured via Group Policy. The following sections include information on Registry settings that pertain to self-service password reset that can be configured via Group Policy.
How often registration is checked
By default, the FIM client checks the end user’s registration status every time he or she logs on to Windows. The frequency setting for how often registration is checked is located in the registry. If you are deploying password reset broadly in your organization, we recommend that you configure FIM 2010 to check periodically, not every time that the user logs on to Windows.
There are two potential locations for the registry key:
- HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions
- HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions
The location under Policies takes precedence. However, the second key in the list above must be created. It can be an empty key.
The settings are as indicated in the following table.
Name | Type | Data description | Registry location |
---|---|---|---|
CacheInterval | Int | Registration status cache duration in days | HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions, HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions |
MaxOffset | Int | Maximum random offset in days to be added or subtracted to cache interval | HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions, HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions |
CacheInterval specifies the amount of time in days before the FIM client checks the user’s registration status again. MaxOffset adds or subtracts a random number of days to CacheInterval. The offset exists so that all FIM clients are not checking registration status on the same day. We recommend that you create these settings in the Policies folder.
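The lookup order described above for RegistrationPortalURL and for CacheInterval/MaxOffset can be checked on a client with a short script. This is an added example, not part of the original page or of the FIM product; the helper name Get-FirstRegistryValue, the expected host name and the HTTPS requirement on the portal URL are assumptions for illustration.

```powershell
# Added example: resolve effective FIM client settings in the lookup order the page describes.
$policyExt = 'Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions'
$clientExt = 'Software\Microsoft\Forefront Identity Manager\2010\Extensions'
$expectedHost = 'passwordregistration.corp.example'   # assumption: your portal's host name

function Get-FirstRegistryValue {
    # Hypothetical helper: returns the first non-empty value found, searching keys in order.
    param(
        [Parameter(Mandatory)][string[]]$KeyPath,   # highest precedence first
        [Parameter(Mandatory)][string]$Name
    )
    foreach ($path in $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and "$($item.$Name)" -ne '') {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $path }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = '(not set)' }
}

# RegistrationPortalURL: HKCU policy node first, then the HKLM value written at setup time.
$url = Get-FirstRegistryValue -Name 'RegistrationPortalURL' -KeyPath @(
    "HKCU:\$policyExt\RegistrationPortal",
    "HKLM:\$clientExt\RegistrationPortal")

# Assumed check: the effective URL must be absolute, HTTPS, and point at the expected host.
$parsed = $null
$urlOk = [Uri]::TryCreate([string]$url.Value, [UriKind]::Absolute, [ref]$parsed) -and
         $parsed.Scheme -eq 'https' -and $parsed.Host -eq $expectedHost

# CacheInterval / MaxOffset: Policies key first, then the non-policy HKCU key.
$cacheKeys = @("HKCU:\$policyExt", "HKCU:\$clientExt")
$interval  = Get-FirstRegistryValue -Name 'CacheInterval' -KeyPath $cacheKeys
$offset    = Get-FirstRegistryValue -Name 'MaxOffset'     -KeyPath $cacheKeys

[pscustomobject]@{
    RegistrationPortalURL = $url.Value
    UrlSource             = $url.Source
    UrlPassesCheck        = $urlOk
    CacheIntervalDays     = $interval.Value
    CacheIntervalSource   = $interval.Source
    MaxOffsetDays         = $offset.Value
    # The page states the non-policy Extensions key must exist, even if empty.
    NonPolicyKeyExists    = Test-Path -LiteralPath "HKCU:\$clientExt"
} | Format-List
```

Run it in the affected user's session, because the HKCU paths are per user; the Source fields show which registry location supplied each effective value.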
The Registration Portal URL
To specify the URL for the Password Registration Portal, you can set the following registry key on the clients:
- HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\RegistrationPortal
The settings are as indicated in the following table.
Name | Type | Data description | Registry location |
---|---|---|---|
RegistrationPortalURL | REG_SZ | URL of the password registration portal | HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\RegistrationPortal |
RegistrationPortalURL - With this policy setting, you can configure the registration portal URL which the default browser will navigate to during password reset registration. If you do not configure this policy setting, the registration portal URL specified during setup will be used. This is located at HKLM\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\RegistrationPortal.
The FIM Service Address
To specify the URL of the FIM Service used by password reset, you can set the following registry key on the clients:
- HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet
The settings are as indicated in the following table.
Name | Type | Data description | Registry location |
---|---|---|---|
Address | REG_SZ | URL of the FIM Service used by password reset. | HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet |
Address - With this policy setting, you can specify the address to the FIM Service used by password reset. The format is: https://serveraddress:5725. If you do not configure this policy setting, the address specified during setup will be used. This is located at HKLM\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet.