Password Registration and Reset Portal Deployment

This section includes information on installing the FIM 2010 R2 Password Registration and Reset Portals. This section is composed of the following:

  • Installing the Password Registration and Reset Portal

  • Post Installation Tasks

  • Kiosk Scenario

  • Change Mode Install – App Pool Account Change

The following section includes information on installing the FIM 2010 R2 Rich Client. This section does not discuss unattended installation of the Add-ins and Extensions. For information on this see Unattended installation of FIM 2010 R2 Self-Service Password Reset later in this document.

Installing the Password Registration and Reset Portal

The screenshots below assume that the password registration and password reset portals will be deployed on a server other than the one that is running the FIM Service and Synchronization Service. The reason is that the password registration and reset portals are often extranet facing, which allows users to reset their passwords from non-domain-joined machines. From a security standpoint, however, it is not recommended to expose the FIM Service and the FIM Synchronization Service to the internet.

If you are not going to have the password registration and password reset portals extranet facing and wish to install everything on one server, this is supported, but there are some things that need to be considered. The first is that SharePoint for the FIM Portal will be using port 80 on IIS, so additional ports will be required for the password registration and password reset portals. Also, if you are installing everything on one machine and are using Kerberos, then useAppPoolCredentials=true will be set because SharePoint runs as a “farm”. If this is true, then the Application Pool account that runs the FIM Password Registration Site and the FIM Password Reset Site will need to have the appropriate SPNs and delegation configured.
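As an added example (not part of the original documentation or the FIM product), the following PowerShell applies the settings this paragraph describes for a single-server deployment: it checks whether either password site is still bound to port 80, sets useAppPoolCredentials on both sites, registers the HTTP SPN on the application pool account, and grants that account constrained delegation to the FIM Service SPN only. The site names are the ones the text gives; the account name, portal host name and FIM Service SPN are placeholders to replace for your environment.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on the server that hosts the password portals.
# Placeholders (assumed values, replace for your environment):
$RegSite    = 'FIM Password Registration Site'            # IIS site created by FIM setup
$ResetSite  = 'FIM Password Reset Site'                   # IIS site created by FIM setup
$PoolAcct   = 'CORP\svc-fimpwportal'                      # app pool account (assumed)
$PortalHost = 'passwordreset.corp.contoso.com'            # host name users browse to (assumed)
$FimSvcSpn  = 'FIMService/fimservice.corp.contoso.com'    # FIM Service SPN (assumed)

Import-Module WebAdministration

# 1. Port 80 belongs to the SharePoint site that hosts the FIM Portal, so
#    warn if either password site is still bound to it.
foreach ($site in $RegSite, $ResetSite) {
    $bindings = Get-WebBinding -Name $site
    if ($bindings.bindingInformation -match ':80:') {
        Write-Warning "$site is bound to port 80, which conflicts with SharePoint on this host"
    }
}

# 2. With SharePoint on the same box, Kerberos tickets for the password sites
#    must be decrypted with the app pool account's key, not the machine
#    account's, so set useAppPoolCredentials explicitly on both sites.
foreach ($site in $RegSite, $ResetSite) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'useAppPoolCredentials' -Value $true
}

# 3. Register the HTTP SPN for the portal host name on the app pool account.
#    setspn -S checks for duplicates first and refuses to create one.
setspn -S "HTTP/$PortalHost" $PoolAcct

# 4. Let the app pool account delegate only to the FIM Service (constrained
#    delegation via msDS-AllowedToDelegateTo), rather than to any service.
Import-Module ActiveDirectory
$sam = $PoolAcct.Split('\')[1]
Set-ADUser -Identity $sam -Add @{ 'msDS-AllowedToDelegateTo' = $FimSvcSpn }

# Show the resulting SPNs and delegation targets for review.
setspn -L $PoolAcct
Get-ADUser -Identity $sam -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object -ExpandProperty 'msDS-AllowedToDelegateTo'
```

After a change to the application pool identity or SPNs, recycle the two application pools so that the new settings take effect; a duplicate SPN on another account is the most common reason Kerberos silently falls back to NTLM and the delegation to the FIM Service then fails.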

To install the Password Registration and Reset Portals, do the following:

To install Password Registration and Password Reset Portal

  1. Log on to the server that will host the portals as CORP\Administrator.

  2. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 R2 and double-click FIMSplash.htm. This will bring up the Forefront Identity Manager 2010 R2 splash screen.

  3. On the splash screen, click Install Service and Portal. You will see a pop-up that says Do you want to run or save this file? Click Run. This will take a minute. Then you will see another pop-up asking Do you want to run this software? Click Run. This will start the Forefront Identity Manager 2010 Service and Portal Setup Wizard.

  4. On the Welcome page, click Next.

  5. On the End User License Agreement page, read the License Agreement, select I accept the terms in the License Agreement, and then click Next.

  6. On the FIM Customer Experience Improvement Program page, select I don’t want to join the program at this time, and then click Next.

  7. On the Custom Setup page, click the drop-down list next to FIM Service, select Entire feature will be unavailable.

  8. On the Custom Setup page, click the drop-down list next to FIM Portal, select Entire feature will be unavailable.

  9. Click Next.

    [Screenshot: Custom Setup]

  10. On the Configure FIM Password Registration Portal page, next to Account Name, enter your service account.

  11. On the Configure FIM Password Registration Portal page, next to Password, enter your service account password.

  12. On the Configure FIM Password Registration Portal page, next to Host Name, enter the appropriate host name.

  13. On the Configure FIM Password Registration Portal page, next to Port, type 80. Place a check in the box next to Open port in firewall.

    [Screenshot: Configure FIM Password Registration Portal]

  14. Click Next.

    Important

    This will bring up a box that says Your deployment is not secure in its current configuration. This is because we have not set up SSL yet. Click Next.

  15. On the Configure FIM Password Registration Portal page, next to FIM Server Service Address, enter the FIM Server Service Address.

    [Screenshot: Configure FIM Password Registration Portal, FIM Server Service Address]

  16. Click Next.

  17. On the Configure FIM Password Reset Portal page, next to Account Name, enter your service account.

  18. On the Configure FIM Password Reset Portal page, next to Password, enter your service account password.

  19. On the Configure FIM Password Reset Portal page, next to Host Name, enter the appropriate host name.

  20. On the Configure FIM Password Reset Portal page, next to Port, type 80. Place a check in the box next to Open port in firewall.

    [Screenshot: Configure FIM Password Reset Portal]

  21. Click Next.

    Important

    This will bring up a box that says Your deployment is not secure in its current configuration. This is because we have not set up SSL yet. This will be done in the steps that follow. Click Next.

  22. On the Configure FIM Password Reset Portal page, next to FIM Server Service Address, enter the FIM Server Service Address.

    [Screenshot: Configure FIM Password Reset Portal, FIM Server Service Address]

  23. Click Next.

  24. Click Install. This will begin the installation.

  25. Once the installation completes, click Finish.

  26. Close the Splash screen.

Post Installation Tasks

The following are a couple of post-installation tasks that should be verified prior to using SSPR.

Installing the Exchange 2007 and Exchange 2010 Web Service (EWS) Certificate

Note

This is an optional task that is used to ensure the FIM Service can use Exchange with the SSPR OTP Email gate.

If your server running Exchange is using a certificate that is untrusted by the FIM Service, the certificate used by the Exchange server must be added to the local certificate store.

You can verify whether you have an untrusted certificate by opening Internet Explorer and navigating to https://mailserver/ews/exchange.asmx. If you receive a certificate error, you must complete all the steps in this section. Mailserver is the server running Exchange that you specified when you installed the FIM 2010 R2 component.

If you have several FIM Service servers, this task must be completed on every server.

Note

You must run the installation of the Exchange certificate with elevated rights. If User Account Control (UAC) is turned on, installing the Exchange certificate without elevated rights causes the installation to fail.

To install the Exchange certificate on the FIM Service server

  1. Open Internet Explorer.

  2. In the address bar, type https://mailserver/EWS/exchange.asmx.

    Mailserver is the server running Exchange that you specified when you installed the FIM 2010 R2 component.

    Select Continue to this Web site.

  3. In the Security Alert dialog box (where it reads Certificate Error), click View Certificate.

  4. In the Certificate dialog box, click Install Certificate.

  5. On the Welcome to the Certificate Import Wizard page, click Next.

  6. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

  7. Select the Show physical stores check box, navigate to Trusted People\Local Computer, and select this store. Click OK.

  8. Click Next.

  9. Click Finish to import the certificate.

Verifying the certificate and that EWS can be reached

In this procedure, you will ensure that the Exchange 2007 or Exchange 2010 Web Service (EWS) is running and can be accessed as the FIM service account. This is an optional task that is used to ensure the FIM Service can use Exchange for Self-Service Password Reset.

To ensure that the Exchange 2007 or Exchange 2010 Web service (EWS) is running and is accessible as the FIM service account

  1. Open Internet Explorer as the FIM 2010 administrator.

  2. In the address bar, type https://<mail server>/EWS/Exchange.asmx. This ensures that you can access EWS by using the FIM service account.
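The two procedures above (installing the EWS certificate and then checking that EWS answers as the FIM service account) can be combined into one scripted check. The following is an added example, not part of the original documentation or of FIM: it fetches the certificate that the Exchange server presents, reports whether Windows already trusts it, imports it into the Trusted People store of the local computer only when it is untrusted and not already present, and then requests the EWS endpoint with the credentials of the current logon. The mail server name is a placeholder; run the script elevated, and run it while logged on as (or via runas as) the FIM service account so that the final check uses that account.

```powershell
# Added example, not from the original page. Placeholder: the Exchange host
# name given during FIM setup.
$MailServer = 'mailserver.corp.contoso.com'
$EwsUrl     = "https://$MailServer/EWS/Exchange.asmx"

# Writing to the machine certificate store needs elevation (see the Note above).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Fetch the leaf certificate presented on port 443. The validation callback
# returns $true only so that the handshake completes and the certificate can
# be inspected; nothing is trusted at this point.
$tcp = New-Object System.Net.Sockets.TcpClient($MailServer, 443)
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($MailServer)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$tcp.Close()

# Build the chain the way Windows (and Internet Explorer) would to decide
# whether this server would show a certificate error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
"EWS certificate: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter) trusted=$trusted"

if (-not $trusted) {
    # Same store the manual procedure uses: Trusted People, Local Computer.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
    $store.Open('ReadWrite')
    $already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($already.Count -eq 0) {
        $store.Add($cert)
        "Imported $($cert.Thumbprint) into Cert:\LocalMachine\TrustedPeople"
    } else {
        "Certificate $($cert.Thumbprint) is already in Cert:\LocalMachine\TrustedPeople"
    }
    $store.Close()
}

# Request EWS with the current logon's credentials. Exchange answers 401 to an
# anonymous caller and returns the service page to an authenticated one, so a
# successful download means the account can reach EWS; a failure reports
# whether it was the certificate or the authentication that was rejected.
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $true
try {
    $null = $web.DownloadString($EwsUrl)
    "EWS reachable at $EwsUrl as $env:USERDOMAIN\$env:USERNAME"
} catch {
    Write-Error "EWS not reachable at ${EwsUrl}: $($_.Exception.Message)"
}
```

If the final request still fails with a trust error after the import, the certificate's issuing CA is not in the Trusted Root Certification Authorities store of the computer; the chain output from the script shows which link is missing, and importing that CA certificate into the root store of the local computer is preferable to adding further leaf certificates.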

Kiosk Scenario

If you want to enable a scenario in which the users cannot log on to the computer but have to reset their password, you can set up a password reset kiosk. To do that, you create and use a local machine account to log on to the computer. The user will then be able to access the browser without having to log on to the computer.

Change Mode Install – App Pool Account Change

The following is a note on doing a change mode install. If you do a change mode install to change the account that runs the FIM Password Registration and Password Reset portals you must also run a change mode install on the server that is running the FIM Service and specify the application pool account or accounts. This should be done first. That is, prior to running the change mode install on the Registration and Reset portal server, run a change mode install on the server that is running the FIM Service and associate it with the new application pool account or accounts.

To run a change mode install and associate the FIM Service account with the FIM Password Registration and Password Reset Portal Service account do the following:

  1. Begin a change mode install.

  2. On the Enter optional password portal configuration page, place a check in FIM Password Registration Portal will be installed on another host and under Enter the existing account under which the password registration application pool will run in IIS, next to Account Name, type the new password registration service account.

  3. On the Enter optional password portal configuration page, place a check in FIM Password Reset Portal will be installed on another host and under Enter the existing account under which the application pool will run in IIS, next to Account Name, type the new password reset service account.

    FIM Password Portal Information

  4. Finish the change mode install.