FIM 2010 R2 Password Reset Portal
FIM 2010 R2 Password Reset Portal
The FIM 2010 R2 Password Reset Portal page is the starting point for users to begin resetting their password. It consists of three logical pages which are specific to the reset experience:
Choose New Password Page
Additionally, depending on the Authentication Workflow and type of Authentication Gates that are specified in that workflow, you may see pages for any of the following:
One-Time Password Email Gate
One-Time Password SMS Gate
By default, the Password Reset AuthN Workflow has a Password Gate and a QA Gate. It also has a Lockout Gate but this gate does not have a user interface that is part of the reset experience. For additional information on Gates see the SSPR Authentication Gates section of this document.
The Password Reset home page provides a user interface for an end user to initiate the password reset process via a web browser.
The text box takes input that specifies the user’s username and shows it unmasked. It supports pasting from the clipboard. Valid username formats are:
Username (Provided DefaultDomainName has been specified in the web.config file)
When the user clicks the next button, the Portal verifies the user name is present and in a valid format, and then initiates a request to the FIM Service to reset the password for the user. In a default configuration of FIM, such a request would trigger the MPR which enables anonymous users to reset their password. This is the “Anonymous users can reset their password” MPR. This MPR has references to the authentication workflow Password Reset AuthN Workflow. As mentioned above this workflow has a default Password Gate, Lockout Gate, and a QA Gate. The Portal will then interact with the first interactive authentication gate and render the user experience specified for that gate. By default, this will be the Password Gate.
If the user name is in an invalid format, the portal displays the following error message:
Invalid format. Enter your user name in a valid format.
Validation is performed on the Reset Portal based on Active Directory naming standards. The format of the username is configurable by a regex in the web.config file. Using ValidResetUsernameRegex in the web.config file you can specifiy the format that the password reset portal will accept.
Choose New Password Page
The New Password page provides a user interface for an end user to choose a new Active Directory password.
There are three primary elements of user interaction on the New Password page: two text boxes for the user to enter the new password, and a Next button.
The text boxes take user input, including input pasted from the clipboard. It renders the user input as masked characters.
When the user clicks the Next button, the Portal verifies that both the new password and the re-entered password match one another. If they don’t match, including if one or the other fields is blank, the Portal displays an inline error.
Ensure both passwords match.
If both passwords match, then the Portal submits the user’s requested password to the Change Password activity which is running in an action workflow. If the request succeeds, then the user will be redirected to the Success page. If the request fails, then the portal will display an error message and allow the user to request some other password. The error message is contextual, for example “Requested password doesn’t comply with the password policy of your organization.”
The Success page provides a user interface that informs the user that they’ve successfully changed their password.
There is one primary element of user interaction on the Success page a Finish button. Clicking the Finish button will re-direct the user to a Session Ended page. By default this button is not visible and will only appear if there is a value configured for FinishUrl in the registration/reset portal web.config file. If there is a value, a user will be re-directed to the custom page specified.
FIM 2010 R2 Reset Portal Communication with the FIM Service
The Reset Portal communicates with the FIM Service using the FIM Service’s normal web services endpoint, via the WS-T protocol which is recognized by the FIM Service. The Reset Portal takes advantage of certain facilities which were added to the FIM Service to enable password registration from an internet user with a browser.
The Reset Portal makes requests to the FIM Service using the AD identity which was specified during the setup process for the reset portal. This identity is well-known to the FIM Service. The FIM Service recognizes requests which originate from this identity and changes the requestor to be “Anonymous User”. This is the identity that the FIM Service uses for a user who has not authenticated to Windows and is making a request to the FIM Service. This behavior enables the FIM Reset Portal to communicate with the FIM Service, even though the end user doesn’t have a Kerberos token.
When the FIM Reset Portal is configured during Setup as being on a host which is accessible to extranet users, it includes an additional message header when it submits requests to the FIM Service. This property is stamped on requests and enables password reset to evaluate whether they should execute a particular gate for a particular request. If the SecurityContextAssertionProperty is marked with Extranet then, those gates that have been configured for only extranet requests will be run. This allows for additional Authentication gates to be added to extranet requests, while keeping requests from the intranet simpler. Also, it enables auditors to determine requests that came in from an extranet-facing portal.
<SecurityContextAssertionProperty xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement"> Extranet </SecurityContextAssertionProperty>
FIM 2010 R2 SSPR Reset Portal Flow
The following flow chart shows the reset process.