Password Reset Deployment Guide

Applies To: Forefront Identity Manager 2010

Microsoft® Forefront® Identity Manager (FIM) 2010 includes a password reset and registration feature. By using this feature, users can reset their passwords from the Microsoft Windows® logon screen after they complete a registration process to verify their identities.

What This Document Covers

This document provides instructions to help you to configure the password reset and registration feature by using the FIM Portal. It also provides instructions for testing the configuration by registering for the self-service password reset service and then changing the password on a client computer.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the Windows Internet Explorer® Internet browser and the Windows logon screen.

Audience

The target audience for this document is information technology (IT) planners, consultants, and IT personnel who plan to deploy and use the self-service password reset feature included with FIM 2010.

Time Requirements

The procedures in this document require 45 to 60 minutes to complete.

Scenario Description

Fabrikam, a fictitious corporation, wants its employees to configure and use the password reset feature included with FIM 2010. The current process for resetting a password at Fabrikam requires that the information worker call the help desk to obtain assistance in resetting their password. Fabrikam wants to configure and use the self-service password reset feature included with FIM 2010. By using this tool, the information worker can change their password without calling the helpdesk for assistance.

Also, selected IT professionals within the Fabrikam organization need the ability to unlock users for password reset.

Testing Environment

To perform the procedures in this document, your testing environment must have the following characteristics:

  • A server that hosts the FIM 2010 server components. This server must actively synchronize the user resources between the FIM database and Active Directory® Domain Services (AD DS).

    Note

    For guidance for configuring synchronization with AD DS, see Common Configuration for Getting Started Guides in the FIM documentation.

  • A client computer running the Windows XP Service Pack 2 (SP2), Windows Vista® Enterprise, or Windows 7 32-Bit or 64-Bit operating system hosting the FIM Add-in and Extensions in the same domain as the FIM 2010 server components.

Before You Begin

Ensure that the following actions are taken before you begin the procedures for password reset:

  • User resources are synchronized between AD DS and the FIM 2010 database.

  • If there is a firewall between the server running FIM and the server running AD DS, the following ports must be opened in the firewall between the FIM Synchronization Server and the Active Directory domain controller:

    1. TCP/UDP 135 (RPC EPMapper)

    2. TCP/UDP 389 (LDAP, LDAP Ping)

    3. TCP 636 (LDAP over SSL)

    4. TCP 3268 (GC)

    5. TCP 3269 (GC SSL)

    6. TCP/UDP 53 (DNS)

    7. TCP/UDP 88 (Kerberos)

    8. TCP Dynamic (RPC)

    9. TCP/UDP 464 (Kerberos Change/Set Password)

    10. TCP 445 (CIFS/MICROSOFT-DS)

  • To facilitate WMI communication, you will also need to make sure the following ports are open between the server running the FIM Service and the server running the FIM Synchronization Service:

    1. TCP/UDP 135 (RPC EPMapper)

    2. TCP 135 (RPC EPMapper)

    3. TCP 5725

    4. TCP 5726

    5. TCP 5000-5001 Dynamic RPC ports (PCNS)

    6. TCP 57500-57520 Dynamic RPC ports (AD MA)
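As an added check that is not part of the Microsoft guide, the following PowerShell script probes the TCP side of the domain-controller ports in the first list above from the FIM Synchronization Server; the domain controller name is a placeholder, and the UDP side of dual-protocol ports and the dynamic RPC ranges are flagged for a separate Portqry check rather than tested.

```powershell
# Added example, not from the FIM documentation. Probes TCP reachability of the
# fixed ports listed in "Before You Begin" from this host (run it on the FIM
# Synchronization Server) to a domain controller. The UDP side of dual-protocol
# ports and the dynamic RPC ranges cannot be confirmed with a TCP connect and are
# flagged for follow-up with Portqry.
$DomainController = "dc01.fabrikam.example"   # placeholder, replace with your DC

# Fixed ports between the FIM Synchronization Server and the domain controller,
# as listed in the guide.
$ports = @(
    @{ Port = 135;  Proto = "TCP/UDP"; Service = "RPC EPMapper" },
    @{ Port = 389;  Proto = "TCP/UDP"; Service = "LDAP, LDAP Ping" },
    @{ Port = 636;  Proto = "TCP";     Service = "LDAP over SSL" },
    @{ Port = 3268; Proto = "TCP";     Service = "GC" },
    @{ Port = 3269; Proto = "TCP";     Service = "GC SSL" },
    @{ Port = 53;   Proto = "TCP/UDP"; Service = "DNS" },
    @{ Port = 88;   Proto = "TCP/UDP"; Service = "Kerberos" },
    @{ Port = 464;  Proto = "TCP/UDP"; Service = "Kerberos Change/Set Password" },
    @{ Port = 445;  Proto = "TCP";     Service = "CIFS/MICROSOFT-DS" }
)

# TCP connect with a timeout; uses System.Net.Sockets so it also works on the
# Windows Server 2008 R2 / PowerShell 2.0 hosts that FIM 2010 runs on.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # no SYN-ACK within the timeout: filtered or host down
        }
        $client.EndConnect($async)   # throws on an active refusal (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $ports) {
    $note = ""
    if ($p.Proto -like "*UDP*") { $note = "UDP side not tested; use portqry -p udp" }
    New-Object PSObject -Property @{
        Port     = $p.Port
        Protocol = $p.Proto
        Service  = $p.Service
        TcpOpen  = (Test-TcpPort -ComputerName $DomainController -Port $p.Port)
        Note     = $note
    }
}

$results | Sort-Object Port | Format-Table Port, Protocol, Service, TcpOpen, Note -AutoSize

# Summarize what still needs a firewall rule (or a Portqry UDP check).
$blocked = @($results | Where-Object { -not $_.TcpOpen })
if ($blocked.Count -gt 0) {
    Write-Warning ("TCP not reachable on $DomainController for ports: " +
                   (($blocked | ForEach-Object { $_.Port }) -join ", "))
}
"Dynamic RPC (TCP) ports are allocated at run time and are not probed here."
```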

The following references can be helpful:

  1. Active Directory and Active Directory Domain Services Port Requirements

  2. Active Directory Replication over Firewalls

  3. Network Ports Used by Key Microsoft Server Products

  4. How to Use Portqry to Troubleshoot Active Directory Connectivity Issues

  5. Management Agent Communication Ports, Rights, and Permissions

Implementing the Procedures in This Document

In this document, you configure the FIM 2010 self-service password reset feature by using the FIM Portal. You then test the self-service password reset configuration on a Windows-based client computer.

To implement the procedures in this document, you must complete the following steps in order:

  1. Step 1: Make the FIM 2010 Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups

  2. Step 2: Enable password management on the management agent for AD DS on the FIM Synchronization Server

  3. Step 3: Enable FIM 2010 service account privileges in Windows Management Instrumentation on the FIM Synchronization Server

  4. Step 4: Allow Windows Management Instrumentation traffic through the Windows Firewall on the FIM Synchronization Server

  5. Step 5: Enable DCOM for the FIM service account

  6. Step 6: Update the “Password Reset Users Set” in the FIM Portal to ensure it contains all the users you would like to participate in password reset

  7. Step 7: Update the Password reset AuthN workflow in the FIM Portal

  8. Step 8: Enable the Management Policy Rule named “Anonymous users can reset their password”

  9. Step 9: Enable the Management Policy Rule named “Password reset users can read password reset objects”

  10. Step 10: Enable the management policy rule named “Users can create registration objects for themselves”

  11. Step 11: Enable the management policy rule named “Password reset users can update the lockout attribute of themselves”

  12. Step 12: Enable the management policy rule named “User management: Users can read attributes of their own”

  13. Step 13: Enable the management policy rule named “General: Users can read non-administrative configuration resources”

Step 1: Make the FIM 2010 Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups

To make the FIM 2010 Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups

  1. On the FIM Synchronization Server, click Start, click Administrative Tools, and then click Computer Management. Expand Local Users and Groups, and then click Groups.

  2. Right-click the FIMSyncBrowse group, click Add to Group, add the FIM 2010 Service account, and then click OK.

  3. Right-click the FIMSyncPasswordSet group, click Add to Group, add the FIM 2010 Service account, and then click OK.

  4. Close Computer Management.

  5. Restart the FIM Synchronization Service.

  6. Restart the FIM Service.

Step 2: Enable password management on the management agent for AD DS on the FIM Synchronization Server

You must enable password management on the management agent for Active Directory Domain Services (AD DS). This makes it possible for AD DS to process the password reset requests that it receives.

To enable password management on the management agent for AD DS

  1. On the FIM 2010 Synchronization Server, open the Synchronization Service Manager.

  2. Click the Management Agents tab.

  3. Select the management agent for AD DS.

  4. On the Actions menu, click Properties.

  5. In the Properties window, click Configure Extensions.

  6. Select the Enable password management check box.

To assign rights in AD DS to allow the Active Directory management agent account to reset passwords and unlock accounts

  1. Open Active Directory Users and Computers.

  2. Click View, and then click Advanced Features.

  3. Right-click the organizational unit (OU) that contains the users for password reset, click Properties, and then click the Security tab.

  4. Click Add, enter the name of the Active Directory management agent account, and then click OK to return to the Security tab.

  5. With the new account highlighted in the Group or user names window, click Advanced.

  6. Select the account that you just added, and then click Edit.

  7. In Apply to, select Descendant User objects.

  8. Apply the following permissions under the Properties tab:

    • Read userAccountControl = Allow

    • Write userAccountControl=Allow

    • Read lockoutTime = Allow

    • Write lockoutTime = Allow

  9. Apply the following permissions under the Object tab:

    • Reset password = Allow

    • Change password = Allow

  10. Grant the Replicating Directory Changes permission to the Active Directory management agent service account. To do that, follow the steps in the article How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account.
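The same grants can be made from a script instead of the Active Directory Users and Computers dialogs. The following PowerShell wrapper around dsacls.exe is an added example, not part of the Microsoft guide; the account name, user OU and domain distinguished name are placeholders for your environment.

```powershell
# Added example, not from the FIM documentation. Grants the Active Directory
# management agent account the same permissions the GUI procedure above sets,
# using dsacls.exe so the change is scriptable and reviewable. Placeholders:
# $AdmaAccount, $UserOU and $DomainDN. Run as a domain administrator on a host
# that has dsacls.exe (AD DS tools / RSAT).
$AdmaAccount = "FABRIKAM\svc-fim-adma"                 # placeholder
$UserOU      = "OU=Employees,DC=fabrikam,DC=example"   # placeholder: OU from step 3
$DomainDN    = "DC=fabrikam,DC=example"                # placeholder: domain naming context

# dsacls grant syntax: account:rights;object-type-or-property;inherited-object-type
#   RPWP = Read Property + Write Property, CA = control access right.
# /I:S applies the entry to sub-objects only, and the trailing "user" scopes it
# to User objects: together this is "Apply to: Descendant User objects" (step 7).
$grants = @(
    "${AdmaAccount}:RPWP;userAccountControl;user",   # Read/Write userAccountControl (step 8)
    "${AdmaAccount}:RPWP;lockoutTime;user",          # Read/Write lockoutTime (step 8)
    "${AdmaAccount}:CA;Reset Password;user",         # Reset password (step 9)
    "${AdmaAccount}:CA;Change Password;user"         # Change password (step 9)
)

foreach ($grant in $grants) {
    & dsacls.exe $UserOU /I:S /G $grant | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$grant' on $UserOU (exit code $LASTEXITCODE)"
    }
}

# Step 10: "Replicating Directory Changes" is a control access right on the
# domain naming context, not on the user OU, so it is granted on $DomainDN.
& dsacls.exe $DomainDN /G "${AdmaAccount}:CA;Replicating Directory Changes" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "dsacls failed granting Replicating Directory Changes on $DomainDN (exit code $LASTEXITCODE)"
}

# Verify: list the resulting ACL entries for the account. Each grant above
# should appear as an entry inherited to user objects under the OU.
& dsacls.exe $UserOU   | Select-String -SimpleMatch $AdmaAccount
& dsacls.exe $DomainDN | Select-String -SimpleMatch $AdmaAccount
```

The account receives only the four user-object rights the procedure names plus the replication right, which keeps it short of full control over the OU.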

Step 3: Enable FIM 2010 service account privileges in Windows Management Instrumentation on the FIM Synchronization Server

The FIM 2010 service account must have security access to the namespace and subnamespaces on the FIM 2010 server.

To enable Windows Management Instrumentation namespace and subnamespace privileges

  1. Log on to the FIM Synchronization Server as an administrator.

  2. On the desktop, right-click Computer, and then click Manage.

  3. In Server Manager, double-click Configuration, right-click WMI Control, and then click Properties.

  4. Click the Security tab.

  5. Double-click Root, click CIMV2, and then click Security.

  6. On Security for ROOT\CIMV2, click Add.

  7. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM 2010 service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  8. Click OK.

  9. On Security for ROOT\CIMV2, ensure that Allow in the FIM 2010 service account is selected for Enable Account and Remote Enable.

  10. On Security for ROOT\CIMV2, ensure that the FIM 2010 service account is selected, and then click Advanced.

  11. On Advanced Security Settings for CIMV2, select the FIM 2010 service account, and then click Edit.

  12. On Permission Entry for CIMV2, select This namespace and subnamespaces in the Apply To box.

  13. Click OK.

  14. On Advanced Security Settings for CIMV2, click Apply, and then click OK.

  15. On Security for ROOT\CIMV2, click OK.

  16. On WMI Control Properties, click OK.

  17. Close Server Manager.

Step 4: Allow Windows Management Instrumentation traffic through the Windows Firewall on the FIM Synchronization Server

You must configure the firewall on the FIM 2010 Synchronization Server to allow Windows Management Instrumentation (WMI) traffic to pass through.

To allow WMI traffic through the Windows Firewall

  1. Log on to the FIM 2010 Server as an administrator.

  2. Click Start, and then click Control Panel.

  3. In Control Panel, double-click Windows Firewall.

  4. On Windows Firewall, select Allow a program through Windows Firewall.

  5. On Windows Firewall Settings, under To enable an exception, select its check box, scroll down, and then select the Windows Management Instrumentation (WMI) check box.

  6. Click OK.

  7. Close Windows Firewall.

  8. Close Control Panel.

Step 5: Enable DCOM for the FIM service account

WMI uses DCOM to communicate with the FIM 2010 server. For this to occur, the FIM service account requires access to DCOM on the server running the FIM Synchronization Service. The following steps assume a single-server implementation. That is, the FIM Service and the FIM Synchronization Service are running on the same server. If your environment has the FIM Service and the FIM Synchronization Service running on separate servers, ensure that the permissions for the FIM service account are set on the server that is running the FIM Synchronization Service.

To enable DCOM for the FIM service account

  1. Log on to the server that is running the FIM Synchronization Service as an administrator.

  2. Click Start, click Control Panel, click Administrative Tools, and then click Component Services.

  3. On Component Services, double-click Component Services, and then double-click Computers.

  4. Right-click My Computer, and then click Properties.

  5. On My Computer Properties, click COM Security.

  6. On COM Security, under Access Permissions, click Edit Limits.

  7. On Access Permissions, click Add.

  8. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  9. Click OK.

  10. On Access Permissions, select the FIM service account. Select the Allow check box for both Local Access and Remote Access.

  11. Click OK.

  12. On COM Security, under Access Permissions, click Edit Default.

  13. On Access Permissions, click Add.

  14. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  15. Click OK.

  16. On Access Permissions, select the FIM service account. Select the Allow check box for both Local Access and Remote Access.

  17. Click OK.

  18. On COM Security, under Launch and Activation Permissions, click Edit Limits.

  19. On Launch and Activation Permissions, click Add.

  20. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  21. Click OK.

  22. On Launch and Activation Permissions, select the FIM service account. Select the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  23. Click OK.

  24. On COM Security, under Launch and Activation Permissions, click Edit Default.

  25. On Launch and Activation Permissions, click Add.

  26. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  27. Click OK.

  28. On Launch and Activation Permissions, select the FIM service account. Select the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  29. Click OK.

  30. On My Computer Properties, click Apply, and then click OK.

  31. Close Component Services.
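Steps 3 and 5 are easy to get subtly wrong (a missing Remote Enable, or an entry scoped to the namespace only). The following PowerShell audit is an added example, not part of the Microsoft guide; it reads the ROOT\CIMV2 namespace ACL and the computer-wide DCOM descriptors on the FIM Synchronization Server and reports which dialog still needs attention. The service account name is a placeholder, and only entries that name the account directly are examined.

```powershell
# Added example, not from the FIM documentation. Audits, on the FIM
# Synchronization Server, the two things Steps 3 and 5 set by hand: the
# ROOT\CIMV2 namespace ACL for the FIM service account and the machine-wide
# DCOM limits/defaults under HKLM\SOFTWARE\Microsoft\Ole. Only entries that
# name the account directly are checked (group memberships are not expanded).
# Placeholder: $FimServiceAccount. Run in an elevated PowerShell session.
$FimServiceAccount = "FABRIKAM\svc-fimservice"   # placeholder

$sid = (New-Object System.Security.Principal.NTAccount($FimServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# ---- Step 3: WMI namespace security for ROOT\CIMV2 --------------------------
$WBEM_ENABLE        = 0x1    # "Enable Account" in the WMI Control security dialog
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"
$CONTAINER_INHERIT  = 0x2    # AceFlags bit set by "This namespace and subnamespaces"

$sd   = (Get-WmiObject -Namespace "root\cimv2" -Class __SystemSecurity).GetSecurityDescriptor().Descriptor
$aces = @($sd.DACL | Where-Object { $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $sid })  # AceType 0 = Allow
if ($aces.Count -eq 0) {
    Write-Warning "Step 3: no Allow entry for $FimServiceAccount on ROOT\CIMV2"
} else {
    $mask = 0; $flags = 0
    foreach ($a in $aces) { $mask = $mask -bor $a.AccessMask; $flags = $flags -bor $a.AceFlags }
    if (($mask -band $WBEM_ENABLE) -eq 0)        { Write-Warning "Step 3: 'Enable Account' not granted" }
    if (($mask -band $WBEM_REMOTE_ACCESS) -eq 0) { Write-Warning "Step 3: 'Remote Enable' not granted" }
    if (($flags -band $CONTAINER_INHERIT) -eq 0) { Write-Warning "Step 3: entry applies to this namespace only, not to subnamespaces" }
    "Step 3: ROOT\CIMV2 allow mask for {0} is 0x{1:X} (AceFlags 0x{2:X})" -f $FimServiceAccount, $mask, $flags
}

# ---- Step 5: DCOM computer-wide permissions ----------------------------------
# COM access/launch right bits, stored as self-relative security descriptors.
$EXECUTE_LOCAL = 0x2; $EXECUTE_REMOTE = 0x4; $ACTIVATE_LOCAL = 0x8; $ACTIVATE_REMOTE = 0x10
$accessNeeded = $EXECUTE_LOCAL -bor $EXECUTE_REMOTE                                            # Local + Remote Access
$launchNeeded = $EXECUTE_LOCAL -bor $EXECUTE_REMOTE -bor $ACTIVATE_LOCAL -bor $ACTIVATE_REMOTE  # steps 22 and 28

$checks = @(
    @{ Value = "MachineAccessRestriction"; Dialog = "Access Permissions: Edit Limits";                 Need = $accessNeeded },
    @{ Value = "DefaultAccessPermission";  Dialog = "Access Permissions: Edit Default";                Need = $accessNeeded },
    @{ Value = "MachineLaunchRestriction"; Dialog = "Launch and Activation Permissions: Edit Limits";  Need = $launchNeeded },
    @{ Value = "DefaultLaunchPermission";  Dialog = "Launch and Activation Permissions: Edit Default"; Need = $launchNeeded }
)

foreach ($c in $checks) {
    $bytes = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole" -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if (-not $bytes) {
        Write-Warning ("Step 5: {0} is not set in the registry (built-in default ACL in effect; {1} is not listed explicitly)" -f $c.Dialog, $FimServiceAccount)
        continue
    }
    $rsd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $mask = 0
    foreach ($ace in $rsd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $sid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    if (($mask -band $c.Need) -eq $c.Need) {
        "Step 5: {0} OK for {1}" -f $c.Dialog, $FimServiceAccount
    } else {
        Write-Warning ("Step 5: {0} is missing rights for {1} (have 0x{2:X}, need 0x{3:X})" -f $c.Dialog, $FimServiceAccount, $mask, $c.Need)
    }
}
```

Run it again after the FIM Service host is split onto its own server: the checks must pass on the machine running the FIM Synchronization Service, which is where the DCOM entries belong.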

Step 6: Update the “Password Reset Users Set” in the FIM Portal to ensure it contains all the users you would like to participate in password reset

FIM contains default sets for password reset. Open the Password Reset Users Set in the FIM portal to make sure it contains the users that you would like to participate in password reset.

To update the Password Reset Users Set in the FIM Portal to ensure it contains all the users you want to participate in password reset

  1. Log on to the FIM Portal as Administrator.

  2. From the FIM home page, under Administration, click Sets.

  3. On the Sets page, find the set named Password Reset Users Set by searching or paging through the list of sets.

  4. On the Criteria-based Members tab, click all resources, and then select user from the drop-down menu.

  5. Change the criteria to filter the set down to the users you would like to participate in password reset.

Step 7: Update the Password reset AuthN workflow in the FIM Portal

There is a default workflow in the FIM Portal for password reset that defines the challenges a user must pass before resetting his or her password.

Tip

An attacker might launch a denial-of-service attack on password reset by purposely failing password reset challenges for multiple users, causing many users to be locked out of password reset. To mitigate this type of attack, you should place the lockout gate after a Question and Answer gate. By configuring the activities in this way, the attacker would need to pass at least one gate before they could try to lock out other users. You could then place an additional Question and Answer gate after the lockout gate for additional security. The sequence would then be as follows:

  1. Password gate

  2. Question and Answer gate

  3. Lockout gate

  4. Question and Answer gate

To update the questions in the Question and Answer activity based on your organization’s preferences and ensure that the lockout gate settings (if applicable) match your organization’s requirements

  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Workflows.

  3. On the Workflows page, search or browse the list of workflows, and then click Password Reset AuthN Workflow.

  4. Click Activities, and then double-click QA Gate.

  5. Under QAGate, click Edit, configure the following steps in the order shown, and then click Save.

    1. Step 1 – Question Settings

      Specify the total number of questions asked and the number of questions that are displayed during password registration. Also, configure the number of questions that are required for registration, the number of questions that are randomly presented to the user, and the number of questions that the user must answer correctly.

    2. Step 2 – Enter Questions

      Specify the questions that users must answer to register for self-service password reset, for example, “What is your mother’s maiden name?”

  6. Expand Lockout Gate, click Edit, confirm that the following options match your organization’s preferences, and then click Save.

    Lockout duration after Lockout Threshold is reached (minutes) – Specify the number of minutes that users are locked out of password reset before they are allowed to attempt password reset again.

    Lockout Threshold – number of times the user can fail to complete the workflow – Specify the number of times a user can enter an incorrect answer to the challenge questions before they must wait the specified amount of time as defined in the Lockout duration after Lockout Threshold is reached (minutes) setting.

    Number of times the user can reach the Lockout Threshold before permanent lockout – Specify the number of additional attempts to answer the challenge questions—each separated by the lockout duration time—before the user is permanently locked out of the password reset feature.

  7. Click OK, and then click Submit.

Step 8: Enable the Management Policy Rule named “Anonymous users can reset their password”

So that users can register for password reset, a Management Policy Rule (MPR) must exist that gives users the permissions to read the attributes necessary to register for password reset. This MPR is created by default for FIM 2010, but it is also disabled by default.

To enable the “Anonymous users can reset their password” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Anonymous users can reset their password.

  4. Click the display name of the MPR, and on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Step 9: Enable the Management Policy Rule named “Password reset users can read password reset objects”

For users to reset their passwords, the client that requests the password reset must be able to locate and read the MPR that is associated with the user they are claiming to be.

To enable the “Password reset users can read password reset objects” MPR

  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to find Password reset users can read password reset objects.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Step 10: Enable the management policy rule named “Users can create registration objects for themselves”

For users to register for password reset, an MPR must exist that gives them the permissions to create and modify gate registration resources. A gate registration resource is the resource that stores the registration data in FIM. This MPR has been created by default for FIM 2010, but it is also disabled by default.

To enable the “Users can create registration objects for themselves” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Users can create registration objects for themselves.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click Next, and then click Submit.

Step 11: Enable the management policy rule named “Password reset users can update the lockout attribute of themselves”

When a user successfully registers or resets his or her password, the lockout count is reset. For that update to the lockout count to happen, the user must have permissions to update it. This MPR grants those permissions.

To enable the “Password Reset Users can update the lockout attribute of themselves” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Password Reset Users can update the lockout attribute of themselves.

  4. Open the MPR, and on the General Information tab, ensure that Policy is disabled is cleared.

  5. Click OK, and then click Submit.

Step 12: Enable the management policy rule named “User management: Users can read attributes of their own”

To enable the “User management: Users can read attributes of their own” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate User Management: Users can read attributes of their own.

  4. Open the MPR, and on the General Information tab, ensure that Policy is disabled is cleared.

  5. Click OK, and then click Submit.

Step 13: Enable the management policy rule named “General: Users can read non-administrative configuration resources”

To enable the “General: Users can read non-administrative configuration resources” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate General: Users can read non-administrative configuration resources.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Enabling the helpdesk to manage users

The following steps are necessary only if you plan to have a support team manage users when they are locked out of password reset. If you are not using this functionality, you can skip to testing the configuration.

Step H1: Create a set of helpdesk users who can unlock users for password resets

To create a set of helpdesk users who can unlock users for password resets

  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Sets.

  3. On the Sets page, click New.

  4. On the General page, enter the following information into the fields:

    1. Display Name: Helpdesk users set.

    2. Description: This set contains helpdesk users who support password resets.

  5. Click Next.

  6. On the Criteria-based Members tab, click all resources, and on the menu, click user. Click Add statement, click <click to select attribute>, and then click Department. Click <click to select value>, and then type support.

    Note

    You can filter this by whatever attribute allows you to identify helpdesk users who can assist end users with password reset issues.

  7. Click Finish.

  8. On the Summary tab, click Submit.

Step H2: Create a set of lockout gate registration resources

To create a set of lockout gate registration resources

  1. Log on to the FIM 2010 R2 Portal as an administrator.

  2. On the FIM 2010 R2 home page, under Administration, click Sets.

  3. On the Sets page, click New.

  4. On the General page, enter the following information into the fields listed below:

    1. Display Name - Lockout gate registration resources.

    2. Description - This set contains all lockout gate registration resources for helpdesk users to unlock a user.

  5. Click Next.

  6. On the Criteria-based Members tab, click all resources, and on the menu, click gate registration. Click Add statement, and then click <click to select attribute> and select Gate Type. Click <click to select value> and enter D1230EF0-C5FA-4473-BE2A-30918B42EA2B.

  7. Click Finish.

  8. On the Summary tab, click Submit.

Step H3: Create an MPR enabling helpdesk users to modify the attributes of lockout gate registrations

To create an MPR enabling helpdesk users to modify the attributes of lockout gate registrations in the set that was created in Step H2

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, click New.

  4. On the Create Management Policy Rule page, configure the following options:

    • Display Name – Enter a user-defined name for this MPR such as Helpdesk Users can modify Lockout Registration Resources.

    • Description – Enter user-defined text defining a description for this MPR, such as This MPR allows Helpdesk Users to unlock users for password reset.

    • In Type, ensure that Request is selected.

    • In Disabled, ensure that Policy is disabled is not selected.

  5. Click Next.

  6. On the Requestors and Operations tab, configure the following options:

    • Requestors – In Specific Set of Requestors, enter the name of the set that you created in Step H1 (Helpdesk Users Set).

    • Operation – Select Read Resource and Modify a single-valued attribute.

    • Permissions – Select Grants Permissions.

  7. Click Next.

  8. On the Target Resources tab, in Target Resource Definition Before Request, enter the name of the set from Step H2 (Lockout Gate Registration Resources). Click the validate icon.

  9. In Target Resource Definition After Request, enter the name of the set from Step H2 (Lockout Gate Registration Resources). Click the validate icon.

  10. In Resource Attributes, select All Attributes, and then click Finish.

  11. On the Summary tab, click Submit.

Step H4: Create an MPR that enables helpdesk users to modify the necessary attributes to unlock users

IT professionals who are responsible for unlocking users for password reset need permissions to modify the AuthN Workflow Registered and AuthN Workflow LockedOut attributes.

To create an MPR enabling helpdesk users responsible for unlocking users for password reset to modify attributes

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, click New.

  4. On the Create Management Policy Rule page, configure the following options:

    • Display Name – Enter a user-defined name for this MPR, such as Helpdesk Users can unlock Password Reset Users Set.

    • Description – Enter user-defined text defining a description for this MPR, such as This MPR allows Helpdesk Users to unlock users for password reset.

    • Type – Select Request.

    • Disabled – Ensure that Policy is disabled is not selected.

  5. Click Next.

  6. On the Requestors and Operations tab, configure the following options:

    • Requestors – Enter the name of the set that you created in Step H1 (Helpdesk Users Set).

    • Operation – Select Read Resource and Remove a value from a multivalued attribute.

    • Permissions – Select Grants Permissions.

  7. Click Next.

  8. On the Target Resources tab, in Target Resource Definition Before Request, enter Password Reset Users Set. Click the validate icon.

  9. In Target Resource Definition After Request, enter Password Reset Users Set. Click the validate icon.

  10. In Resource Attributes, select Select specific attributes, and then enter Lockout Gate Registration Data Ids and AuthN Workflow Locked Out. Click the validate icon, and then click Finish.

  11. On the Summary tab, click Submit.

Step H5: Create an MPR enabling helpdesk users to read password reset users

IT professionals who are responsible for unlocking users for password reset need permissions to search for password reset users.

To create an MPR enabling helpdesk users responsible for unlocking users for password reset to search for users

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, click New.

  4. On the Create Management Policy Rule page, configure the following options:

    • Display Name – Enter a user-defined name for this MPR, such as Helpdesk Users can read Password Reset Users Set.

    • Description – Enter user-defined text defining a description for this MPR, such as This MPR allows Helpdesk Users to view users for password reset.

    • Type – Select Request.

    • Disabled – Ensure that Policy is disabled is not selected.

  5. Click Next.

  6. On the Requestors and Operations tab, configure the following options:

    • Requestors – Enter the name of the set that you created in Step H1 (Helpdesk Users Set).

    • Operation – Select Read Resource.

    • Permissions – Select Grants Permissions.

  7. Click Next.

  8. On the Target Resources tab, in Target Resource Definition Before Request, enter the name of the set that identifies password reset users (Password Reset Users Set), and click the validate icon.

  9. Click Next.

  10. In Resource Attributes, select Select specific attributes, and then enter Resource Type and DisplayName. Click the validate icon, and then click Finish.

  11. On the Summary tab, click Submit.

Test the configuration

After configuring the management agent for AD DS and then defining the password reset workflow, you will test the configuration. To test the configuration, you must perform the following steps in the order shown:

  1. Register for a self-service password reset

  2. Reset the password

Register for a self-service password reset

After a user logs on to a client computer, the user must register for a self-service password reset. This enables that user to reset the password without contacting the helpdesk. There are two methods by which users can register for a self-service password reset:

  1. Registration from a client computer

  2. Registration through the Web portal

Registration from a client computer

In this procedure, you will register for a self-service password reset from a client computer.

To register for a self-service password reset

  1. Log on to a client computer with a user account that resides in the set that you created to participate in password reset.

  2. On the FIM Password Reset Registration page, click Next.

  3. Answer the questions that you specified when you created the process for a self-service password reset, click Next, and then click OK.

Registration through the Web portal

In this procedure, you will register for password reset through the Web portal. There are two methods by which to register for password reset through the Web portal. Each method will be outlined in the procedures in this section of the document.

Method 1: To register for a self-service password reset in the portal

  1. Log on to the client computer as any user.

  2. From a client computer, open Internet Explorer, and then navigate to the FIM Portal home page (https://<portal host name>/IdentityManagement).

  3. From the FIM Portal home page, click Register for Password Reset.

  4. Click Register for My Password Management.

  5. Enter the credentials of the user who is logged on, and complete the registration wizard.

Method 2: To register for a self-service password reset in the portal

  1. Log on to the client computer as a user in the password reset set.

  2. From a client computer, open Internet Explorer, and then navigate to the FIM Portal home page (https://<portal host name>/IdentityManagement). The Authentication Workflow Registration page belongs to the FIM Portal, not to the anonymous password portal.

  3. On the FIM Portal home page, in the navigation bar on the left side of the page, click Authentication Workflow Registration.

    Note

    Authentication Workflow Registration, by default, is not visible for a regular user. However, a user can go directly to the URL at https://<portal host name>/identitymanagement/aspx/authn/AuthNWFUserRegistration.aspx, to access authentication workflow registration.

  4. On the Authentication Workflow Registration page, select the check box next to the authentication workflow that you modified in Step 6 of this document, and then click Register.

  5. Follow the instructions in the registration wizard.

Reset the password

Now you can reset the user's password. After you have reset the password, the user can log on to the client computer and the AD DS domain with the new credentials. There are two ways to reset a password:

  1. Reset the password from a client computer

  2. Reset the password in the portal

Reset the password from a client computer

In this procedure, you will reset the user’s password from the logon screen on the client computer.

To reset the password at the logon screen

  1. Log off the client computer.

  2. On the Log On to Windows screen, click the Reset button.

    In the Windows Vista operating system, the Reset command link is located under the box where you enter your password.

  3. On the Authentication Gate page, type the same answers to the questions that you entered when you registered for a self-service password reset, and then click Next.

  4. On the Enter your new password here page, type your new password in the New password and Confirm new password boxes, and then click Reset.

  5. In the Windows logon screen, log on using the new password.

  6. Click Finish.

Reset the password in the portal

To reset the user’s password in the portal, you will perform two tasks:

  • Allow anonymous access to the password reset portal

  • Reset the user’s password by using the password reset portal

Allow anonymous access to the password reset portal

In this procedure, you will configure the password reset portal to allow anonymous access, so that a user who cannot log on can still reach the reset wizard. Enable anonymous access only on the FIM Password Reset Portal Web application (the /PasswordPortal site); the FIM Portal itself (/IdentityManagement) must remain an authenticated site.

To enable anonymous access to the FIM Password Reset Portal SharePoint application:

  1. Click Start, click Administrative Tools, then run the SharePoint 3.0 Central Administration application.

  2. Click Application Management.

  3. Under Application Security, click Authentication Providers.

  4. Confirm that the Web application selected on the page is the FIM Password Reset Portal, not the FIM Portal, and then, in the list of zones, click Default.

  5. Under Anonymous Access, select Enable anonymous access.

  6. Click Save.

To assign permissions on the SharePoint site

  1. Log on to the password portal (https://<portal host name>/PasswordPortal) as an administrator.

  2. On the top-right side of the portal home page, click Site Actions, and then click Site Settings.

  3. Under Users and Permissions, click Advanced Permissions.

  4. On the Permissions page, click Settings, and then select Anonymous Access.

  5. Under Anonymous users can access, select Entire Web site, and then click OK.

Reset the user’s password by using the password reset portal

In this procedure, you will reset the user’s password by using the password reset portal.

To reset the user’s password by using the password reset portal

  1. Log on to the client computer as any user.

  2. From a client computer, open Internet Explorer and navigate to the password portal home page at https://<portal host name>/PasswordPortal.

  3. On the password portal home page, type the user’s user name and domain, and then complete the password reset wizard.

Kiosk Scenario

If users who cannot log on to a computer still need to reset their password, you can set up a password reset kiosk. To do that, create a local machine account on the kiosk computer and log the computer on with that account. A user can then open the browser and navigate to the password reset portal without logging on with their own domain credentials. Because everyone at the kiosk shares that session, give the local account only the rights it needs to run the browser.

Unlock a user for the password reset process

A user may have to be unlocked for the password reset process after too many failed attempts at the authentication gate.

There are two lockout thresholds, the temporary lockout threshold and the permanent lockout threshold, as well as a lockout duration period. Temporary Lockout counts failed attempts; Permanent Lockout counts temporary lockouts. If the settings are Temporary Lockout (number of attempts) = 3, Permanent Lockout (number of attempts) = 2, and Lockout Duration (minutes) = 5, the following behavior occurs:

  • The user is allowed three attempts without any lockout duration.

  • After failing the third attempt, the user is temporarily locked out for the time that is specified in the lockout duration. In this case, the user is locked out for 5 minutes.

  • After the lockout duration elapses, the user gets three additional attempts without any lockout duration.

  • After failing the third attempt of that second round (the sixth overall attempt), the user reaches the second temporary lockout and is permanently locked out. A permanently locked-out user cannot use password reset again until an authorized IT professional unlocks the user by using the following procedure.
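The following PowerShell function is an added example, not code from the FIM 2010 guide or from the product: it models the lockout counters exactly as the text above describes them, so that an administrator can check what a given combination of settings does before changing it in the portal. The parameter names mirror the three portal settings; the function name, the counters, and the reading of Permanent Lockout as a count of temporary lockouts (which the worked numbers above imply) are this example's assumptions. The lockout duration is recorded, not waited out.

```powershell
# Added example, not code from the FIM 2010 guide: a model of the password
# reset lockout counters as the text describes them. Parameter names mirror
# the portal settings; the function name, the counters and the reading of
# "Permanent Lockout" as a count of temporary lockouts are assumptions.
function Test-ResetLockoutPolicy {
    param(
        [int]$TemporaryLockoutAttempts = 3,  # Temporary Lockout (number of attempts)
        [int]$PermanentLockoutCount    = 2,  # Permanent Lockout (number of attempts)
        [int]$LockoutDurationMinutes   = 5,  # Lockout Duration (minutes)
        [int]$FailedAttempts           = 6   # consecutive failed gate attempts to simulate
    )

    $failuresInWindow = 0    # failures since the last lockout ended
    $lockouts         = 0    # temporary lockouts incurred so far
    $log              = @()

    for ($attempt = 1; $attempt -le $FailedAttempts; $attempt++) {
        $failuresInWindow++
        if ($failuresInWindow -lt $TemporaryLockoutAttempts) {
            $left = $TemporaryLockoutAttempts - $failuresInWindow
            $log += "Attempt ${attempt}: failed, $left attempt(s) left before lockout"
            continue
        }

        # Threshold reached: record a lockout and start a new attempt window.
        $lockouts++
        $failuresInWindow = 0
        if ($lockouts -ge $PermanentLockoutCount) {
            $log += "Attempt ${attempt}: failed, permanent lockout (Unlock Users required)"
            return New-Object PSObject -Property @{ State = 'PermanentLockout'; Lockouts = $lockouts; Log = $log }
        }
        $log += "Attempt ${attempt}: failed, temporary lockout for $LockoutDurationMinutes minute(s) ($lockouts of $PermanentLockoutCount)"
    }

    # Not permanently locked: either inside a temporary lockout (the user must
    # wait out the duration) or with attempts remaining in the current window.
    $state = if ($lockouts -gt 0 -and $failuresInWindow -eq 0) { 'TemporaryLockout' } else { 'Open' }
    New-Object PSObject -Property @{ State = $state; Lockouts = $lockouts; Log = $log }
}

# Walk through the guide's scenario: 3 / 2 / 5 with six consecutive failures.
$result = Test-ResetLockoutPolicy -FailedAttempts 6
$result.Log
"Final state: $($result.State)"
```

With the guide's settings the run ends in PermanentLockout at the sixth attempt; with -FailedAttempts 3 it ends in TemporaryLockout, and with -FailedAttempts 5 it is Open again with one attempt left before the second, permanent, lockout.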

To unlock a user for the password reset process

  1. Log on to the FIM Portal as a user who is in the IT professional set that is designated to unlock users for the password reset process.

  2. On the FIM home page, under Administration, click Unlock Users.

  3. On the Unlock Users page, search for and click the display name of the user who needs to be unlocked from the password reset process.

  4. On the following page, select the password reset action and the authentication process that you created earlier. If the user is shown as locked out, click Unlock User.

  5. On the Unlock User page, click Submit.

  6. On the following page, click OK.

Require reregistration for all users if the questions in the Question and Answer gate are modified or changed

If you change the questions or otherwise modify the Question and Answer gate, click Require Re-registration on the workflow to force all users to reregister for password reset. Existing registrations hold answers to the old questions and can no longer be used to authenticate the user.

Adding an Authentication Workflow to any Create, Update, or Delete Operation

In FIM 2010, you can add an authentication workflow to any create, update, or delete operation, except for approval and deny operations (request management) and schema operations. For example, you might want to require authentication for anyone creating a group. This requires you to perform four tasks:

  1. Create the MPR, which enables users to read the attributes that they need in order to register for a password reset.

  2. Create the authentication workflow.

  3. Edit the MPR by attaching the authentication workflow to it, so that everyone who creates a group must first complete that workflow. For more information on how to edit MPRs, see Introduction to Management Policy Rules in the FIM 2010 documentation.

  4. Test the configuration. In this procedure, you will verify that users are now required to complete the authentication workflow when creating a group.

    To test the configuration

    1. Log on to the FIM Portal as a user.

    2. Under Distribution Groups, click Create a new DG, and then follow the instructions in the wizard.

    3. After you click Submit, the authentication workflow starts. You must complete the wizard before you can successfully create the group.

Configuring the FIM Portal for Password Reset only

If you are using FIM only for password resets, you can remove the other elements from the FIM home page. For information about how to update the FIM home page, see Introduction to Configuring the FIM Portal in the FIM 2010 documentation.

Using Group Policy to update how often registration is checked

By default, the FIM client checks the end user's registration status every time he or she logs on to Windows. How often the check runs is controlled by registry settings. If you are deploying password reset broadly in your organization, we recommend that you configure FIM 2010 to check periodically rather than at every logon.

There are two possible registry locations for these settings:

  1. HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions

  2. HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions

The location under Policies takes precedence. However, the second key must exist even if you put the values under Policies; it can be an empty key.

The settings are as indicated in the following table.

  Name            Type   Data description
  CacheInterval   Int    Registration status cache duration, in days
  MaxOffset       Int    Maximum random offset, in days, added to or subtracted from CacheInterval

Registry location for both values: either of the two keys listed above.

CacheInterval specifies the number of days before the FIM client checks the user's registration status again. MaxOffset adds or subtracts a random number of days, up to the value given, to CacheInterval, so that all FIM clients do not check registration status on the same day. We recommend that you create these settings under the Policies key.
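The following PowerShell function is an added example, not code from the FIM 2010 guide or from the product. It writes CacheInterval and MaxOffset under the Policies key for the current user, creates the non-policy key that the guide says must exist, and then reads the effective values back in the precedence order the guide describes. The key paths and value names are the ones listed above; the function name, the default numbers, and the use of REG_DWORD for the guide's "Int" type are this example's assumptions.

```powershell
# Added example, not code from the FIM 2010 guide: set the registration check
# interval for the current user. Key paths and value names are the guide's;
# the function name, defaults and REG_DWORD for "Int" are assumptions.
function Set-FimRegistrationCheckInterval {
    param(
        [int]$CacheIntervalDays = 30,   # CacheInterval: days between registration checks
        [int]$MaxOffsetDays     = 7     # MaxOffset: random +/- days spread around CacheInterval
    )

    $policyKey  = 'HKCU:\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions'
    $defaultKey = 'HKCU:\Software\Microsoft\Forefront Identity Manager\2010\Extensions'

    # Both keys must exist; the Policies key wins when a value is in both.
    foreach ($key in @($policyKey, $defaultKey)) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    New-ItemProperty -LiteralPath $policyKey -Name 'CacheInterval' -PropertyType DWord -Value $CacheIntervalDays -Force | Out-Null
    New-ItemProperty -LiteralPath $policyKey -Name 'MaxOffset'     -PropertyType DWord -Value $MaxOffsetDays     -Force | Out-Null

    # Read the effective values back, Policies key first, which is the
    # precedence order the guide describes.
    $effective = @{}
    foreach ($name in 'CacheInterval', 'MaxOffset') {
        foreach ($key in @($policyKey, $defaultKey)) {
            $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
            if ($item) { $effective[$name] = [int]$item.$name; break }
        }
    }

    # The next check lands somewhere in [CacheInterval - MaxOffset, CacheInterval + MaxOffset] days.
    New-Object PSObject -Property @{
        CacheInterval     = $effective['CacheInterval']
        MaxOffset         = $effective['MaxOffset']
        EarliestNextCheck = (Get-Date).AddDays($effective['CacheInterval'] - $effective['MaxOffset']).ToShortDateString()
        LatestNextCheck   = (Get-Date).AddDays($effective['CacheInterval'] + $effective['MaxOffset']).ToShortDateString()
    }
}

# Runs under the user's own profile, for example from a logon script.
Set-FimRegistrationCheckInterval -CacheIntervalDays 30 -MaxOffsetDays 7
```

Because the values live under HKCU, the script has to run in the user's context; Group Policy Preferences can deploy the same two values to the Policies key if you prefer not to use a logon script.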

Site Settings for Internet Explorer 8, 7, and 6

Add the FIM Portal site to the Internet Explorer security zone shown in the following table, based on the version of Internet Explorer that end users are running.

  Version              Site setting
  Internet Explorer 6  Intranet sites
  Internet Explorer 7  Trusted sites
  Internet Explorer 8  Intranet sites

Troubleshooting

If you have problems when you set up self-service password reset, check the following list for the cause and its resolution.

Password reset configuration

  • In the Process Designer, it is not supported to add more than one Question and Answer activity to an authentication workflow.

  • If the firewall on the FIM 2010 server is enabled, you must open a range of ports to allow remote procedure call (RPC) communication between the domain controller and the server with FIM 2010. For more information, see the Microsoft Identity Integration Server 2003 Technical Reference (https://go.microsoft.com/fwlink/?LinkId=38680).

  • If the firewall on the server running FIM 2010 is on, password reset does not work unless you manually unblock TCP ports 5725 and 5726.

  • In the Question and Answer activity settings, a question must not exceed 100 characters.

  • Changing the mapping for a password reset event from one AuthN process to a different AuthN process is not supported in FIM 2010.
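The following PowerShell function is an added example, not code from the FIM 2010 guide: it opens the two FIM Service ports named in the list above on the server's Windows Firewall and shows the resulting rule so the change can be confirmed. The rule name and the restriction to the domain profile are this example's choices.

```powershell
# Added example, not code from the FIM 2010 guide: allow inbound TCP 5725 and
# 5726 on the FIM 2010 server and show the rule. Rule name and the domain-only
# profile are this example's choices.
function Enable-FimServiceFirewallRule {
    param([string]$RuleName = 'FIM2010-Service-TCP-5725-5726')

    # Domain profile only: the ports stay closed on public and private
    # networks the server is not meant to serve. The quoted localport
    # argument keeps PowerShell from splitting "5725,5726" into two arguments.
    netsh advfirewall firewall add rule "name=$RuleName" dir=in action=allow protocol=TCP 'localport=5725,5726' profile=domain | Out-Null

    # Confirm the rule exists with the expected ports and profile.
    netsh advfirewall firewall show rule "name=$RuleName"
}

Enable-FimServiceFirewallRule
```

Run the function in an elevated PowerShell session on the FIM 2010 server; the RPC port range between the domain controller and the server is a separate matter, covered by the reference above.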

Password reset use case

  • Answers to questions must not exceed 255 characters.

Password reset client deployment

  • If a user does not register for password reset during the initial logon, he or she is prompted to register during each subsequent logon.

  • If a user wants to reregister for self-service password reset, follow the procedures in the Registration through the Web portal section of this document.

FAQ

Timeout value for Authentication Activities

By default, an AuthN activity that is not completed within 5 minutes times out.

Summary

After you complete the procedures in this document, you will have successfully deployed self-service password reset in your environment. With the successful deployment of the self-service password reset feature in FIM 2010, users in your environment will be able to reset their passwords without having to call their helpdesk.