Environmental Pre-requisites

Environmental Pre-requisites

The following information will guide you through the pre-requisites required to setup and configure FIM 2010 R2 Self-Service Password Reset. This section is composed of the following:

Before You Begin

Ensure that the following actions are taken before you begin the procedures for password reset:

  • User resources are synchronized between AD DS and the FIM 2010 R2 database.

  • If there is a firewall between the server running FIM and the server running AD DS, the following ports must be opened in the firewall between the FIM Synchronization Server and the Active Directory domain controller:



    1. TCP/UDP 135 (RPC EPMapper)

    2. TCP/UDP 389 (LDAP, LDAP Ping)

    3. TCP 636 (LDAP over SSL)

    4. TCP 3268 (GC)

    5. TCP 3269 (GC SSL)

    6. TCP/UDP 53 (DNS)

    7. TCP/UDP 88 (Kerberos)

    8. TCP Dynamic (RPC)

    9. TCP/UDP 464 (Kerberos Change/Set Password)

    10. TCP 445 – (CIFS/ MICROSOFT-DS)

  • To facilitate WMI communication, you will also need to make sure the following ports are open between the server running the FIM Service and the server running the FIM Synchronization Service:



    1. TCP/UDP 135 (RPC EPMapper)

    2. TCP 135 (RPC EPMapper)

    3. TCP 5725

    4. TCP 5726

    5. TCP 5000-5001 Dynamic RPC ports (PCNS)

    6. TCP 57500-57520 Dynamic RPC ports (AD MA)

The following references can be helpful:

  1. Active Directory and Active Directory Domain Services Port Requirements

  2. Active Directory Replication over Firewalls

  3. Network Ports Used by Key Microsoft Server Products

  4. How to Use Portqry to Troubleshoot Active Directory Connectivity Issues

  5. Management Agent Communication Ports, Rights, and Permissions

Pre-requisite Software

Prior to installing the Password Registration and Password Reset Portals you need to ensure that IIS, .NET 3.5, and Windows PowerShell are installed on the servers that will be hosting the portals. Use the steps below to install the required software.

Install the .NET Framework 3.5.1, IIS 7.5, and Windows PowerShell on Password Registration and Password Reset Portal Servers.

Install the .NET Framework 3.5.1, IIS 7.5, and Windows PowerShell Integrated Scripting Environment (ISE) on a server that will be hosting the Password Registration or Password Reset portal.

To install the .NET Framework 3.5.1, IIS 7.5, and the Windows PowerShell Integrated Scripting Environment (ISE)

  1. Log on to the server with appropriate credentials.

  2. In Server Manager, on the left, click Features and on the right, click Add Features. This will launch the Add Features Wizard and you will see the Select Features page.

  3. Scroll down the list of features and select .NET Framework 3.5.1. This will bring up a box that asks to install Web Server (IIS). Click Add Required Role Services. The box will disappear.

  4. Scroll down the list of features and select Windows PowerShell Integrated Scripting Environment (ISE), and then click Next. You will see the Confirm Installation Selections page.

  5. On the Web Server (IIS) page, click Next.

  6. On the Role Services page, place a check in all of the items that are listed in tables 1 and 2 below.

    noteNote
    When you select ASP.NET this will bring up a pop-up box with the title Add features required for Web Server (IIS). Click the Add Required Features button. This will automatically select ISAPI Extensions, ISAPI Filters, and .NET Extensibility. This will also add the .NET Environment to the Windows Process Activation Service.

  7. On the Confirm Installation Selections page, click Install. This will begin the installation. When this completes you will see the Installation Results page. Click Close.

    IIS Powershell

Table 1 Required IIS 7.5 Web Server Role Services

Role service Required features

Common HTTP Features

  • Static Content

  • Default Document

  • Directory Browsing

  • HTTP Errors

  • HTTP Redirection

Application Development

  • ASP .NET

  • .NET Extensibility

  • ISAPI Extensions

  • ISAPI Filters

Health and Diagnostics

  • HTTP Logging

  • Request Monitor

Security

  • Basic Authentication

  • Windows Authentication

  • Request Filtering

Performance

  • Static Content Compression

  • Dynamic Content Compression

Table 2 Required IIS 7.5 Management Tools Role Services

Role service Required features

IIS Management Console

IIS 6 Management Compatibility

  • IIS 6 Metabase Compatibility

  • IIS 6 WMI Compatibility

  • IIS 6 Scripting Tools

  • IIS 6 Management Console

Pre-requisite Tasks

The following pre-requisite tasks must be completed prior to deploying the Self-Service Password Registration and Reset portals. This section will provide you with information on how to accomplish each of these tasks. It is recommended that these tasks be completed in order prior to installing the SSPR binaries. For a complete step-by-step example of implementing these steps see Test Lab Guide: Demonstrating the FIM 2010 R2 Self-Service Password Reset with the Q/A Gate.

  1. Associate the FIM Service with the Application Pool Accounts for Self-Service Password Reset

  2. Make the FIM Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups

  3. Enable password management on the management agent for AD DS on the FIM Synchronization Server

  4. Enable FIM Service service account privileges in Windows Management Instrumentation on the FIM Synchronization Server

  5. Allow Windows Management Instrumentation traffic through the Windows Firewall on the FIM Synchronization Server

  6. Enable DCOM for the FIM service account

  7. Update the “Password Reset Users Set” in the FIM Portal to ensure it contains all the users you would like to participate in password reset

  8. Update the Password reset AuthN workflow in the FIM Portal

  9. Enable the Management Policy Rule named “Anonymous users can reset their password”

  10. Enable the Management Policy Rule named “Password reset users can read password reset objects”

  11. Enable the management policy rule named “Password reset users can update the lockout attribute of themselves”

  12. Enable the management policy rule named “User management: Users can read attributes of their own”

  13. Enable the management policy rule named “General: Users can read non-administrative configuration resources”

  14. Modify the management policy rule named “Administration: Administrators can read and update Users” to include new One Time Password attributes

Associate the FIM Service with the Application Pool Accounts for Self-Service Password Reset

One important thing that must be done in order for Self-Service Password Reset to work properly is that the FIM Service account must be aware of the application pool account or accounts that are running the Registration and Reset Portals. This is because these become well-known identities to the FIM Service. The FIM Service recognizes requests which originate from these identities and respond accordingly. If you plan to run the Registration and Reset portals on a server other than the one that is running the FIM Service, then these accounts need to be specified during the FIM Service setup. In other words, to associate the FIM Service with these accounts, you must specify these accounts at the end of installation wizard when setting up the FIM Service.

FIM Password Portal Information

WarningWarning
If you plan to run the Registration and Reset portals on the same server as the FIM Service, then these boxes can be left blank when you are installing the FIM Service. This is only if you plan to run the SSPR portals on the same server as the FIM Service.

If you are installing the registration and reset portals on the same server, you will not see the UI above.

For additional information on FIM Service communication with the Registration Portal and the Reset Portal see FIM 2010 R2 Registration Portal Communication with the FIM Service and FIM 2010 R2 Reset Portal Communication with the FIM Service later in this guide.

Also, be aware that if this account changes or you need to do a change mode install that you will need to ensure the FIM Service is associated with the app pool accounts by running a change mode install on the FIM Service server first, then on the servers that are hosting the Registration and Reset portasl. For more information on this see Change Mode Install – App Pool Account Change.

Make the FIM Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups

To make the FIM Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups

  1. On the FIM 2010 R2 Synchronization Server click Start, then click Administrative Tools, then click Computer Management. Expand Local Users and Groups and click Groups.

  2. Right click the FIMSyncBrowse group, and click Properties.

  3. Click Add.

  4. In Enter the object names to select, enter FIMService, and click Check Names.

  5. Click OK twice.

  6. Right click the FIMSyncPasswordSet group, and click Properties.

  7. Click Add.

  8. In Enter the object names to select, enter FIMService, and click Check Names.

  9. Click OK twice.

  10. Close Computer Management.

  11. Restart the FIM Synchronization Service.

  12. Restart the FIM Service.

Enable password management on the management agent for AD DS on the FIM Synchronization Server

You must enable password management on the management agent for Active Directory Domain Services (AD DS). This makes it possible for AD DS to process the password reset requests that it receives.

To enable password management on the management agent for AD DS

  1. On the server running the FIM Synchronization Service, open the Synchronization Service Manager

  2. Click the Management Agents tab.

  3. Select the management agent for AD DS.

  4. On the Actions menu, click Properties.

  5. In the Properties window, click Configure Extensions.

  6. Select the Enable password management check box.

  7. Click OK.

To assign rights in AD DS to allow the Active Directory management agent account to reset passwords and unlock accounts

  1. On the server running AD DS, open Active Directory Users and Computers.

  2. Click View, and then click Advanced Features.

  3. Right-click the organizational unit (OU) that contains the users for password reset, click Properties, and then click the Security tab.

    noteNote
    If you followed the naming in Common Configuration Guide, this will be the FIMObjects OU.

  4. Click Add, the account name that is used by the AD DS management agent, and then click OK to return to the Security tab.

  5. With the AD DS management agent account highlighted in the Group or user names window, click Advanced.

  6. Select the AD DS management agent account, and then click Edit.

  7. On the Object tab, in Apply to, select Descendant User objects and set the following permissions:

    • Reset password = Allow

    • Change password = Allow

  8. On the Properties tab, in Apply to, select Descendant User objects and set the following permissions:

    • Read userAccountControl = Allow

    • Write userAccountControl=Allow

    • Read lockoutTime = Allow

    • Write lockoutTime = Allow

  9. Click OK three times.

  10. Grant Replicating Directory Changes permissions for the Active Directory Management service account. You can do that by following the steps in the following article: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account.

Enable FIM Service service account privileges in Windows Management Instrumentation on the FIM Synchronization Server

The FIM Service service account must have security access to the namespace and subnamespaces on the FIM 2010 R2 server.

To enable Windows Management Instrumentation namespace and subnamespace privileges

  1. Log on to the server that is running the FIM Synchronization Service as an administrator.

  2. Click Start, right-click Computer, and then click Manage.

  3. In Server Manager, double-click Configuration, right-click WMI Control, and then click Properties.

  4. Click the Security tab.

  5. Double-click Root, click CIMV2, and then click Security.

  6. On Security for ROOT\CIMV2, click Add.

  7. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM Service service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  8. Click OK.

  9. On Security for ROOT\CIMV2, ensure that Allow in the FIM Service service account is selected for Enable Account and Remote Enable.

  10. On Security for ROOT\CIMV2, ensure that the FIM Service service account is selected, and then click Advanced.

  11. On Advanced Security Settings for CIMV2, select the FIM Service service account, and then click Edit.

  12. On Permission Entry for CIMV2, select This namespace and subnamespaces in the Apply To box.

  13. Click OK.

  14. On Advanced Security Settings for CIMV2, click Apply, and then click OK.

  15. On Security for ROOT\CIMV2, click OK.

  16. On WMI Control Properties, click OK.

  17. Close Server Manager.

Allow Windows Management Instrumentation traffic through the Windows Firewall on the FIM Synchronization Server

You must configure the firewall on the server running the FIM Synchronization Service to allow Windows Management Instrumentation (WMI) traffic to pass through.

To allow WMI traffic through the Windows Firewall

  1. Log on to the FIM 2010 R2 Server as an administrator.

  2. Click Start, and then click Control Panel.

  3. In Control Panel, click Windows Firewall.

  4. On Windows Firewall, select Allow a program or feature through Windows Firewall.

  5. On Allowed Programs, under Allowed programs and features, scroll down, and then select the Windows Management Instrumentation (WMI) check box.

  6. Click OK.

  7. Close Windows Firewall.

  8. Close Control Panel.

Enable DCOM for the FIM service account

WMI uses DCOM to communicate with the FIM 2010 R2 server. For this to occur, the FIM Service service account requires access to DCOM on the server running the FIM Synchronization Service. The following steps assume a single-server implementation. That is, the FIM Service and the FIM Synchronization Service are running on the same server. If your environment has the FIM Service and the FIM Synchronization Service running on separate servers, ensure that the permissions for the FIM Service service account are set on the server that is running the FIM Synchronization Service.

To enable DCOM for the FIM service account

  1. Log on to the server that is running the FIM Synchronization Service as an administrator.

  2. Click Start, click Administrative Tools, and then click Component Services.

  3. On Component Services, double-click Component Services, and then double-click Computers.

  4. Right-click My Computer, and then click Properties.

  5. On My Computer Properties, click COM Security.

  6. On COM Security, under Access Permissions, click Edit Limits.

  7. On Access Permissions, click Add.

  8. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  9. Click OK.

  10. On Access Permissions, select the FIM Service service account. Select the Allow check box for both Local Access and Remote Access.

  11. Click OK.

  12. On COM Security, under Access Permissions, click Edit Default.

  13. On Access Permissions, click Add.

  14. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  15. Click OK.

  16. On Access Permissions, select the FIM Service service account. Select the Allow check box for both Local Access and Remote Access.

  17. Click OK.

  18. On COM Security, under Launch and Activation Permissions, click Edit Limits.

  19. On Launch and Activation Permissions, click Add.

  20. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM Service service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  21. Click OK.

  22. On Launch and Activation Permissions, select the FIM Service service account. Select the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  23. Click OK.

  24. On COM Security, under Launch and Activation Permissions, click Edit Default.

  25. On Access Permissions, click Add.

  26. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears as underlined.

  27. Click OK.

  28. On Launch and Activation Permissions, select the FIM Service service account. Select the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  29. Click OK.

  30. On My Computer Properties, click Apply, and then click OK.

  31. Close Component Services.

Update the “Password Reset Users Set” in the FIM Portal to ensure it contains all the users you would like to participate in password reset

FIM 2010 R2 contains default sets for password reset. Open the Password Reset Users Set in the FIM portal to make sure it contains the users that you would like to participate in password reset.

To update the Password Reset Users Set in the FIM Portal to ensure it contains all the users you want to participate in password reset

  1. Log on to the FIM Portal as Administrator.

  2. From the FIM Portal home page, under Administration, click Sets.

  3. On the Sets page, locate the set named Password Reset Users Sets by searching or paging through the list of sets, and then click on the name.

  4. By default, all users are included in the Password Reset Users Set. Click View Members to see the users that are currently in the set.

  5. If you want to limit the set membership, change the criteria filter to limit the set to the users you would like to have to participate in password reset.

    noteNote
    Click More information on the Password Reset Users Set page for steps to modify the criteria filter.

Update the Password reset AuthN workflow in the FIM Portal

There is a default workflow in the FIM Portal for password reset that defines the challenges a user must pass before resetting his or her password. In this step, you will modify the default Question and Answer gate, and add an additional One-Time Password gate for extranet users.

TipTip
An attacker might launch a denial-of-service attack on password reset by purposely failing password reset challenges for multiple users, causing many users to be locked out of password reset. To mitigate this type of attack, you should place the lockout gate after a Question and Answer gate. By configuring the activities in this way, the attacker would need to pass at least one gate before they could try and lock out other users. You could then place an additional Question and Answer gate after the lockout gate for additional security. The sequence would then be as follows:

  1. Password gate

  2. Question and Answer gate

  3. Lockout gate

  4. Question and Answer gate

To update the questions in the Question and Answer activity based on your organization’s preferences and ensure that the lockout gate settings (if applicable) match your organization’s requirements

  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Workflows.

  3. On the Workflows page, search or browse the list of workflows, and then click Password Reset AuthN Workflow.

  4. Click Activities, and then expand QA Gate.

  5. Under QAGate, scroll down and click Edit, configure the following steps in the order shown, and then click Save.

    1. Security Context

      Ensure that All is selected. This option will display this QA gate to users accessing the password portals from the Windows logon and from the Web.

    2. Step 1 Question Settings

      Specify the total number of questions asked and the number of questions that are displayed during the password registrations. Also, configure the number of questions that are required for registration, the number of questions that are randomly presented to the user, and the number of questions that the user must answer correctly.

    3. Step 2 Enter Questions

      Specify the questions that users must answer to register for self-service password reset.



    4. Step 3 Compatibility

      Select Disallow. This requires that you have the FIM 2010 R2 Password Reset Extensions installed on the client computer, and will let you test the constraint settings.



  6. Click Save.

  7. Select Add Activity, select One-Time Password Email Gate, and click Select.

  8. Configure the following steps in the order shown, and then click Save.

    1. Security Context

      Ensure that Extranet is selected. This option will display this gate only to requests that originate from the extranet. This includes only requests from a FIM Password Reset Portal which is configured as being accessible to users on the extranet.

    2. Registration Mode

      Select Read/Write. This allows the user to enter or modify their One-Time Password Email Address during registration.

    3. Length of one-time password

      Enter a value between 6 and 12.



    4. Email Template for sending one-time password to user:

      Use the Default completed approval email template.



  9. Click Save.

  10. Expand Lockout Gate, scroll down and click Edit, confirm that the following options match your organization’s preferences, and then click Save.

    Lockout duration after Lockout Threshold is reached (minutes) – Specify the number of minutes that users are locked out of password reset before they are allowed to attempt password reset again.

    Lockout Threshold – number of times the user can fail to complete the workflow – Specify the number of times a user can enter an incorrect answer to the challenge questions before they must wait the specified amount of time as defined in the Lockout duration after Lockout Threshold is reached (minutes) setting.

    Number of times the user can reach the Lockout Threshold before permanent lockout – Specify the number of additional attempts to answer the challenge questions—each separated by the lockout duration time—before the user is permanently locked out of the password reset feature.

  11. Click OK, and then click Submit.

Enable the Management Policy Rule named “Anonymous users can reset their password”

So that users can register for password reset, a Management Policy Rule (MPR) must exist that gives users the permissions to read the attributes necessary to register for password reset. This MPR is created by default for FIM 2010 R2, but it is also disabled by default.

noteNote
Some of these MPRs may already be enabled from testing other FIM 2010 R2 scenarios.

To enable the “Anonymous users can reset their password” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Anonymous users can reset their password.

  4. Click the display name of the MPR, and on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Enable the Management Policy Rule named “Password reset users can read password reset objects”

For users to reset their passwords, the client server that requests the password reset must be able to locate and read the MPR that is associated with the user they are claiming to be.

To enable the “Password reset users set can read password reset objects” MPR

  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to find Password reset users can read password reset objects.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Enable the management policy rule named “Password reset users can update the lockout attribute of themselves”

When a user successfully registers or resets his or her password, the lockout count is reset. For that update to happen to the lockout count, the user must have permissions to update it. This MPR grants those permissions.

To enable the “Password Reset Users can update the lockout attribute of themselves” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Password Reset Users can update the lockout attribute of themselves.

  4. Open the MPR, and on the General Information tab, ensure that Policy is disabled is cleared.

  5. Click OK, and then click Submit.

Enable the management policy rule named “User management: Users can read attributes of their own”

To enable the “User management: Users can read attributes of their own” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate User Management: Users can read attributes of their own.

  4. Open the MPR, and on the General Information tab, ensure that Policy is disabled is cleared.

  5. Click OK, and then click Submit.

Enable the management policy rule named “General: Users can read non-administrative configuration resources”

To enable the “General: Users can read non-administrative configuration resources” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate General: Users can read non-administrative configuration resources.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Modify the management policy rule named “Administration: Administrators can read and update Users” to include new One Time Password attributes

To modify the “Administration: Administrators can read and update Users” MPR

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Administration: Administrators can read and update Users.

  4. Open the MPR, and on the Target Resources tab, add the following attributes to Select specific attributes:

    • One-Time Password Email Address

    • One-Time Password Mobile Phone

  5. Click OK, and then click Submit.

Show: