Step 6: Perform SSPR Prerequisite Tasks

There are several prerequisite tasks that must be accomplished in our test lab prior to setting up and configuring Password Reset. These steps are listed below.

Important

You can use the QuickStart tool provided with FIM 2010 R2 to accomplish several of these steps automatically. Just be aware that these are prerequisites to using SSPR. That is, you must have AD users synchronized to the portal, and the user must be mailbox-enabled to use the OTP Email gates. For additional information on the QuickStart tool, see Using the QuickStart Tool.

  • Install Windows 7 Professional x64 on CLIENT2

  • Create Active Directory Organizational Unit

  • Create the FIM 2010 R2 Management Agent

  • Create the run profiles for the FIM management agent

  • Create the AD Management Agent

  • Create the Run Profiles for the AD MA

  • Enable Synchronization Rule Provisioning

  • Configure Object Deletion Rule

  • Set Up the Active Directory Synchronization Rule in the FIM Portal

  • Set Up the AD User Provisioning Workflow

  • Set Up the AD User Provisioning MPR

  • Create a user in the FIM portal

  • Run the management agents

  • Enable the new user account in Active Directory

  • Mailbox-Enable the CORP\jsmith Account

  • Log on to CLIENT1 and set up Outlook

Install Windows 7 Professional x64 on CLIENT2

Install the Windows 7 Professional operating system on CLIENT2. CLIENT2 will be used as our non-domain-joined client to show how you can reset your password from an extranet.

To install Windows 7 Professional x64 on CLIENT2

  1. Start the installation of Windows 7 Professional x64.

  2. Follow the instructions to complete the installation, specifying CLIENT2 as the PC name and a strong password for the local Administrator account.

  3. Once the installation completes, log on using the local Administrator account.

  4. Connect CLIENT2 to a network that has Internet access and run Windows Update to install the latest updates for Windows 7 Professional.

  5. Once the updates are complete, restart CLIENT2 and log on as the local Administrator.

Create Active Directory Organizational Unit

In this step you will be creating an organizational unit within Active Directory. This OU will be used to contain all of our users that will participate in password reset.

To create Active Directory organizational units

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.

  4. In the Name text box, type the following text, and then click OK:
    PasswordResetUsers

  5. Close Active Directory Users and Computers.

Create the FIM 2010 R2 Management Agent

Now it is time to create the FIM 2010 R2 management agent.

To create the FIM 2010 R2 Management Agent

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, select All Programs, select Microsoft Forefront Identity Manager, and click Synchronization Service.

  3. At the top of the Synchronization Service, click Management Agents.

  4. On the right, click Create. This will begin the Create Management Agent wizard.

  5. Under Management Agent for, use the drop-down list and select FIM Service Management Agent.

  6. In the text box under Name, type the following text, and then click Next:
    FIM

  7. On the Connect to Database page, in the Server text box, enter APP1.

  8. In the text box next to Database, type FIMService.

  9. In the text box next to FIM Service base address, enter https://FIM1:5725.

  10. From the drop-down list next to Authentication mode, select Windows integrated authentication.

  11. In the text box next to User name, type FIMMA.

  12. In the Password text box, enter Pass1word$.

  13. In the Domain text box, type the following text, and then click Next:
    CORP

  14. On the Select Object Types page, place a check in the box next to Person, and then click Next.

  15. On the Select Attributes page, check the box at the top next to Show All, verify that all of the attributes are selected, and then click Next.

  16. On the Configure Connector Filter page, click Next.

  17. On the Configure Object Type Mappings page, click Person, and then click Add Mapping. This will bring up a mapping window.

  18. On the mapping window, make sure person is selected for Metaverse object type and then click OK. This will close the mapping window. Click Next.

  19. On the Configure Attribute Flow page, from the drop-down list under Data source object type, select Person.

  20. From the drop-down list under Metaverse object type list, select person.

  21. For Mapping Type, select Direct.

  22. From the list below Data source attribute, select AccountName.

  23. From the list below Metaverse attribute, select accountName.

  24. For Flow Direction, select Import. Ensure that Allow Nulls is not selected. Click New.

  25. Repeat the above steps for each of the attribute entries in the following table.

    Important

    Be sure to change the Flow Direction where applicable. Also be sure to add the check to Allow Nulls where the column entry is marked Yes.

    Data source attribute   Flow direction   Metaverse attribute   Allow nulls
    AccountName             Import           accountName
    Department              Import           department            Yes
    DisplayName             Import           displayName
    EmployeeID              Import           employeeID
    FirstName               Import           firstName
    LastName                Import           lastName
    ObjectSid               Export           objectSID

  26. Once all the attribute flows have been added, click Next.

  27. On the Configure Deprovisioning page click Next.

  28. On the Configure Extensions page, click Finish.

Create the run profiles for the FIM management agent

Now that the FIM management agent has been created, you will need to create run profiles for the management agent.

To create the run profiles for the FIM management agent

  1. In the Synchronization Service, on the right, under the Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.

  2. Click New Profile. This will begin the Configure Run Profile wizard.

  3. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Full Import

  4. On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.

  5. On the Management Agent Configuration page, click Finish.

  6. Click New Profile. This will begin the Configure Run Profile wizard.

  7. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Delta Import

  8. On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.

  9. On the Management Agent Configuration page, click Finish.

  10. Click New Profile. This will begin the Configure Run Profile wizard.

  11. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Export

  12. On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.

  13. On the Management Agent Configuration page, click Finish.

  14. Click New Profile.

  15. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Full Synchronization

  16. On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.

  17. On the Management Agent Configuration page, click Finish.

  18. Click New Profile.

  19. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Delta Synchronization

  20. On the Configure Step page, from the drop-down list under Type, select Delta Synchronization, and then click Next.

  21. On the Management Agent Configuration page, click Finish.

  22. On the Configure Run Profiles for FIM screen click Apply and click OK.

Create the AD Management Agent

Now we will create the Active Directory management agent in the synchronization service.

To create the AD management agent

  1. In the Synchronization Service, click the Management Agents button at the top.

  2. In the Management Agents view, on the right, under Actions, click Create. This will bring up the Create Management Agent dialog box.

  3. On the Create Management Agent screen, under Management Agent for, select Active Directory Domain Services. Under Name enter AD and then click Next.

    (Screenshot: Create AD MA)

  4. On the Connect to Active Directory Forest screen, enter corp.contoso.com for Forest name. Enter Administrator for the User name. Enter Pass1word$ for the Password. Enter CORP for the Domain. Click Next.

    (Screenshot: Connect to AD Forest)

  5. On the Configure Directory Partitions screen, under Select directory partitions, put a check in DC=corp,DC=contoso,DC=com. Under Select containers for this partition, click the Containers button. This will bring up the Select Containers dialog box.

  6. On the Select Containers screen, clear the check in the root DC=corp,DC=contoso,DC=com box. This will remove the check marks in all of the boxes. Now place a check in the PasswordResetUsers box. Click OK. This will close the Select Containers dialog box.

  7. On the Configure Directory Partitions screen, click Next.

  8. On the Configure Provisioning Hierarchy screen click Next.

  9. On the Select Object Types screen, check user and then click Next.

  10. On the Select Attributes screen, place a check in the Show All box in the upper-right.

  11. On the Select Attributes screen, place a check in the box for each attribute in the following list. When finished click Next.

    • cn

    • displayName

    • employeeID

    • samAccountName

    • objectSid

    • givenName

    • sn

    • department

    • unicodePWD

  12. On the Configure Connector Filter dialog box, click Next.

  13. On the Configure Join and Projection Rules dialog box, select user and then click New Join Rule. This will bring up the Join Rule for user dialog box.

  14. Under Data source attribute select employeeID.

  15. From the drop-down list under Metaverse object type list, select person.

  16. For Mapping Type, select Direct.

  17. From the list below Metaverse attribute, select employeeID.

  18. Click Add Condition. This will bring up a box that states you are attempting a join mapping with a non-indexed metaverse attribute. Click OK. Click OK again.

  19. On the Configure Join and Projection Rules dialog box, click Next.

  20. On the Configure Attribute Flow dialog box, click Next.

  21. On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.

  22. On the Configure Extensions page, click Finish.

Create the run profiles for the AD management agent

Now that the AD management agent has been created, you will need to create run profiles for the management agent.

To create the run profiles for the AD management agent

  1. In the Synchronization Service, on the right of the page, under the Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.

  2. Click New Profile. This will begin the Configure Run Profile wizard.

  3. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Full Import

  4. On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.

  5. On the Management Agent Configuration page, click Finish.

  6. Click New Profile. This will begin the Configure Run Profile wizard.

  7. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Delta Import

  8. On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.

  9. On the Management Agent Configuration page, click Finish.

  10. Click New Profile. This will begin the Configure Run Profile wizard.

  11. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Export

  12. On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.

  13. On the Management Agent Configuration page, click Finish.

  14. Click New Profile.

  15. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Full Synchronization

  16. On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.

  17. On the Management Agent Configuration page, click Finish.

  18. Click New Profile.

  19. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Delta Synchronization

  20. On the Configure Step page, from the drop-down list under Type, select Delta Synchronization, and then click Next.

  21. On the Management Agent Configuration page, click Finish.

  22. On the Configure Run Profiles for AD screen click Apply and click OK.

Enable Synchronization Rule Provisioning

Next you will enable Synchronization Rule Provisioning. This will enable the configured synchronization rules during a synchronization run.

To enable Synchronization Rule Provisioning

  1. In the Synchronization Service Manager, at the top of the portal page, click Tools, and then select Options.

  2. Select Enable Synchronization Rule Provisioning.

  3. Click OK.

    (Screenshot: Enable synch rule prov)

Configure Object Deletion Rule

Now we will configure the object deletion rule to delete the object from the metaverse once the HR connector is disconnected.

To configure the Object Deletion Rule

  1. At the top, click Metaverse Designer.

  2. Under Object Types select Person.

  3. On the right, click Configure Object Deletion Rule. This will bring up the Configure Object Deletion Rule screen.

  4. Select Delete metaverse object when connector from any of the following management agents is disconnected. Place a check in the box next to FIM.

  5. Click OK.

Set Up the Active Directory Synchronization Rule in the FIM Portal

Now you will create the codeless synchronization rule. This rule will provision users from the FIM portal into Active Directory and will then allow the objectSid from AD DS to flow into the FIM Portal.

To set up the AD Provisioning Synchronization Rule for the AD MA in the FIM Portal

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.

  3. In the Internet Explorer address bar, enter https://fim1/identitymanagement, and then press Enter. This will bring up the Forefront Identity Manager 2010 home page.

  4. On the right, under Administration, click Synchronization Rules.

  5. At the top, click New.

  6. On the General tab, in the text box next to Display Name, enter AD Provisioning Synch Rule.

  7. Under Data Flow Direction, select Inbound and Outbound, and then click Next.

  8. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: AD

    • External System Resource Type: user

  9. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): employeeID

      • ConnectedSystemObject:person(Attribute): employeeID

    2. Create Resource in External System: select the check box

  10. On the Workflow Parameters screen, click Next.

  11. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  12. On the Source tab, from the drop-down list select department, and then click OK.

  13. On the Destination tab, from the drop-down list select department, and then click OK.

  14. Repeat the above steps for each of the entries in the following table.

    Source        Destination
    department    department
    displayName   displayName
    employeeID    employeeID
    firstName     givenName
    lastName      sn

  15. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  16. On the Source tab, from the drop-down list select String. In the text box that appears, enter the following text, and then click OK:
    Pass@word1

  17. On the Destination tab, from the drop-down list select unicodePwd, and then click OK.

  18. Check the Initial Flow Only box next to "Pass@word1" -> unicodePwd.

  19. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  20. On the Source tab, from the drop-down list select string.

  21. In the text box that appears, enter cn=. At the top, click Concatenate Value and select displayName from the drop down. At the top, click Concatenate Value and select String from the drop-down list. In the text box that appears enter ,OU=PasswordResetUsers,DC=corp,DC=contoso,DC=com and then click OK.

  22. On the Destination tab, from the drop-down list select dn, and then click OK.

  23. Check the Initial Flow Only box next to "cn=" + displayName + ",OU=PasswordResetUsers,DC=corp,DC=contoso,DC=com" -> dn.

  24. On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  25. On the Source tab, from the drop-down list select accountName, and then click OK.

  26. On the Destination tab, from the drop-down list select sAMAccountName, and then click OK.

  27. Check the Initial Flow Only and Use as Existence Test boxes next to accountName -> sAMAccountName.

  28. On the Outbound Attribute Flow tab, click Next.

  29. On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.

  30. On the Source tab, from the drop-down list select objectSid, and then click OK.

  31. On the Destination tab, from the drop-down list select objectSid, and then click OK.

  32. On the Inbound Attribute Flow tab, click Finish.

  33. On the Summary tab, click Submit.

Set Up the AD User Provisioning Workflow

Now you will create the AD User provisioning workflow.

To set up the AD User Provisioning Workflow

  1. On the left of the page, in the FIM portal, under Management Policy Rules, click Workflows.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Workflow Name: _ AD User Provision Workflow

    • Workflow Type: Action

  4. Click Next.

  5. On the Activities tab, perform the following steps:

    1. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    2. In the Synchronization Rules list, from the drop-down list select AD Provisioning Synch Rule.

    3. In the Action Selection options, select Add.

    4. Click Save.

  6. Click Finish, and then click Submit.

Set Up the AD User Provisioning MPR

Now you will create the AD User Provisioning MPR.

To set up the AD User Provisioning MPR

  1. On the left side of the page, in the FIM portal, click Management Policy Rules.

  2. At the top of the page, click New.

  3. On the General tab, provide the following information:

    • Display Name: _ AD User Provisioning MPR

    • Type: Request

  4. Click Next.

  5. On the Requesters and Operations tab, perform the following steps:

    1. Select Specific Set of Requesters. In the text box below Requester is defined as the following user set, type All People, and then click the green check mark.

    2. Under Operation, select Create resource and Modify a single-valued attribute.

  6. Click Next.

    (Screenshot: Create AD MPR 1)

  7. On the Target Resources tab, perform the following steps:

    1. In the text box next to Target Resource Definition Before Request, type the following text, and then click the green check mark:
      All Full Time Employees

    2. In the text box next to Target Resource Definition After Request, type the following text, and then click the green check mark:
      All Full Time Employees

    3. Under Resource Attributes, select Select specific attributes, and in the text box type EmployeeID. Click the green check mark.

  8. Click Next.

  9. On the Policy Workflows tab, perform the following step:

    • Under Action Workflows, select AD User Provisioning Workflow.

  10. Click Finish, and then click Submit.

Create a user in the FIM portal

In this section we will create our user that will be used to demonstrate password reset. This user will be created in the FIM portal and then provisioned into Active Directory.

To create a user in the FIM portal

  1. On the left side of the page, in the FIM portal, click Users.

  2. At the top, click New. This will bring up the Create User dialog.

  3. On the General tab, provide the following information and then click Next:

    • First Name: John

    • Last Name: Smith

    • Display Name: John Smith

    • Account Name: jsmith

    • E-mail Alias: jsmith

    • Department: IT

  4. On the Work Info tab, provide the following information and then click Finish:

    • Employee Type: Full Time Employee

    • Employee ID: 12345

    • Display Name: John Smith

    • Account Name: jsmith

    • E-mail Alias: jsmith

    • Department: IT

  5. Click Submit.

Run the management agents

Now we will run our management agents and provision our new user into Active Directory and bring the objectSid back into the FIM portal.

To run the management agents

  1. On FIM1, in the Synchronization Service Manager, at the top, under Management Agents, click FIM.

  2. On the right, under Actions menu, click Run. This opens the Run Management Agent window.

  3. From the list, select Full Import and then click OK. This will take a moment. It should finish with Import Statistics in the lower-left window, showing no errors and two imports.

  4. At the top, under Management Agents, click AD.

  5. On the right, under Actions menu, click Run.

  6. From the list, select Full Import and then click OK.

  7. At the top, under Management Agents, click FIM.

  8. On the right, under Actions menu, click Run.

  9. From the list, select Full Synchronization and then click OK.

  10. At the top, under Management Agents, click AD.

  11. On the right, under Actions menu, click Run.

  12. From the list, select Full Synchronization and then click OK.

  13. At the top, under Management Agents, click AD.

  14. On the right, under Actions menu, click Run.

  15. From the list, select Export and then click OK.

  16. At the top, under Management Agents, click AD.

  17. On the right, under Actions menu, click Run.

  18. From the list, select Delta Import and then click OK.

  19. At the top, under Management Agents, click AD.

  20. On the right, under Actions menu, click Run.

  21. From the list, select Delta Synchronization and then click OK.

  22. At the top, under Management Agents, click FIM.

  23. On the right, under Actions menu, click Run.

  24. From the list, select Export and then click OK.

  25. At the top, under Management Agents, click FIM.

  26. On the right, under Actions menu, click Run.

  27. From the list, select Delta Import and then click OK.

  28. At the top, under Management Agents, click FIM.

  29. On the right, under Actions menu, click Run.

  30. From the list, select Delta Synchronization and then click OK.
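The same run-profile sequence as steps 1 through 30 above, driven from the Synchronization Service WMI provider instead of the console. This is an added example, not part of the guide or of FIM itself; it assumes the management agents are named FIM and AD and the run profiles carry the names created earlier, and it must run elevated on FIM1 as a member of the FIMSyncAdmins group.

```powershell
# Added example (not from the guide): run the FIM/AD run profiles in the same order
# as the manual steps, and stop at the first profile that does not report success.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)
    # MIIS_ManagementAgent exposes the MAs shown under "Management Agents".
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    # Execute() blocks until the run finishes and returns the run status string,
    # e.g. 'success' or 'completed-export-errors'.
    $status = $ma.Execute($ProfileName).ReturnValue
    '{0,-4} {1,-22} {2}' -f $MaName, $ProfileName, $status
    if ($status -ne 'success') { throw "$MaName / $ProfileName ended with '$status'" }
}

# Same order as steps 1-30 in "Run the management agents".
$sequence = @(
    @('FIM', 'Full Import'),
    @('AD',  'Full Import'),
    @('FIM', 'Full Synchronization'),
    @('AD',  'Full Synchronization'),
    @('AD',  'Export'),
    @('AD',  'Delta Import'),
    @('AD',  'Delta Synchronization'),
    @('FIM', 'Export'),
    @('FIM', 'Delta Import'),
    @('FIM', 'Delta Synchronization')
)
foreach ($step in $sequence) { Invoke-RunProfile -MaName $step[0] -ProfileName $step[1] }
```

Check the run history in the Synchronization Service Manager afterwards; a status other than success (for example an export error on the AD MA) usually means the sync rule or the OU permissions above were not set up as described.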

Enable the new user account in Active Directory

In this section we will now enable the account we just provisioned.

To enable the new user account in Active Directory

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. Expand corp.contoso.com and select the PasswordResetUsers OU.

  4. In the center pane, right-click on John Smith and select Enable Account. This will bring up a dialog box that says the Object John Smith has been enabled. Click OK.

  5. Close Active Directory Users and Computers.

Mailbox-Enable the CORP\jsmith Account

Now, create a mailbox for the CORP\jsmith account.

To mailbox-enable the CORP\jsmith account

  1. Log on to the EX1.corp.contoso.com server as Administrator.

  2. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

  3. In the Exchange Management Console, click Microsoft Exchange On-Premises. This will start an Initialization.

    Warning

    This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days you will need to enter a product key. For now, just hit OK.

  4. In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), expand Recipient Configuration, and then click Mailbox.

  5. On the right, in the Actions pane, click New Mailbox to start the New Mailbox Wizard.

  6. On the Introduction page, select User Mailbox, and then click Next.

  7. On the User Type page, select Existing users, and then click Add. This will bring up the Select User – Entire Forest page.

  8. From the list, select John Smith, click OK, and then click Next.

  9. On the Mailbox Settings page, click Next.

  10. On the New Mailbox page, click New.

  11. On the Completion page, verify that it was successful, and then click Finish.

  12. Close the Exchange Management Console.

  13. Log off EX1.corp.contoso.com.
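Before moving on to the SSPR configuration, it is worth confirming that the account really meets the prerequisites called out in the Important note at the top of this step: provisioned into the PasswordResetUsers OU, enabled, carrying the expected employeeID, and mailbox-enabled. The following is an added check, not part of the guide; it assumes the ActiveDirectory PowerShell module (RSAT) on DC1 and that Exchange has populated the mail attribute for the new mailbox.

```powershell
# Added check (not from the guide): verify CORP\jsmith against the SSPR prerequisites
# set up in this step. Run on DC1 as CORP\Administrator.
Import-Module ActiveDirectory

$expectedOu = 'OU=PasswordResetUsers,DC=corp,DC=contoso,DC=com'
$u = Get-ADUser -Identity 'jsmith' -Properties employeeID, mail, Enabled, DistinguishedName, displayName

# Each entry maps a human-readable requirement to the condition that proves it.
$checks = [ordered]@{
    'Provisioned into PasswordResetUsers OU' = $u.DistinguishedName -like "*,$expectedOu"
    'Account is enabled'                     = $u.Enabled
    'employeeID matches portal value 12345'  = $u.employeeID -eq '12345'
    'Mailbox-enabled (mail attribute set)'   = -not [string]::IsNullOrEmpty($u.mail)
    'DN built from displayName by sync rule' = $u.DistinguishedName -eq "CN=$($u.displayName),$expectedOu"
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    '{0} {1}' -f $(if ($ok) { '[ OK ]' } else { '[FAIL]' }), $name
    if (-not $ok) { $failed += $name }
}
if ($failed) { Write-Warning "SSPR prerequisites not met: $($failed -join ', ')" }
```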

Log on to CLIENT1 and set up Outlook

Now, log on to CLIENT1 with John Smith and open Outlook 2010.

To log on to CLIENT1 and set up Outlook

  1. Log on to CLIENT1.corp.contoso.com as John Smith.

  2. Click Start, select All Programs, click Microsoft Office, and then select Microsoft Office Outlook 2010. This will launch the Microsoft Outlook 2010 Startup Wizard. Click Next.

  3. On E-mail Accounts, ensure Yes is selected and click Next.

  4. On Auto Account Setup, wait for the information to populate automatically. It should show JohnSmith@corp.contoso.com as the e-mail address. Click Next.

  5. On Configuring, wait until you receive three green checks, and then click Finish.

    Warning

    If this step errors with the message: The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action, ensure that the Microsoft Exchange Address Book service is running on EX1. This service is set to automatic but may not be running.

  6. Outlook will now start up. On the User Name box, click OK.

  7. This will bring up the Activation Wizard. Click Cancel.

    Warning

    If you are planning on using this lab for more than 30 days you will have to activate Outlook either via the Internet or by telephone.

  8. This will bring up the Welcome to Microsoft Office 2010 screen. Select Use Recommended Settings and click OK. This will bring up a UAC window. Enter the Administrator username and password. Click Yes.

  9. Close Outlook and log off CLIENT1.corp.contoso.com.