Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Self Service Password Reset’ Category

(2017-06-23) Adding A Link To The SSPR Page In The ADFS FBA Page

Posted by Jorge on 2017-06-23


When users use Windows Integrated Authentication (WIA) against ADFS from their Windows desktop/laptop, they are authenticated with the credentials they used to log on to that desktop/laptop. If such users need to reset their password or unlock their account, a link would have to be provided within the Windows logon screen pointing to the SSPR page, or the users would have to use some kind of kiosk PC.

However, when users hit the Forms Based Authentication (FBA) page of ADFS, for example from a mobile device, it would be nice to display a link on that same page for resetting the password or unlocking the account. Something similar to the following:

Figure 1: A Link To The SSPR Page On The FBA Page

If you want to do this, use the following steps:

[Step 1]

Clone the current active ADFS web theme to a new ADFS web theme

First determine the current web theme

Get-ADFSWebConfig

Clone the current active web theme to a new web theme

New-AdfsWebTheme -Name <New Web Theme Name> -SourceName <Active Web Theme Name>

[Step 2]

Export the cloned web theme to a folder on the file system

Export-AdfsWebTheme -Name <New Web Theme Name> -DirectoryPath <Some Folder On The File System>

[Step 3]

Edit the file “onload.js” in the folder “<Some Folder On The File System>\Script” and add the following piece of code to the end of the file to show the link to the SSPR page in AAD on the FBA page (NOTE: you can point to any other SSPR page if you want, such as the FIM/MIM SSPR page)

// Add a link for password reset, but only if the forms authentication element is present on the page
var formsAuthArea = document.getElementById("formsAuthenticationArea");
if (formsAuthArea) {
    // Create the hyperlink
    var pwdResetLink = document.createElement("a");
    var linkText = document.createTextNode("Click Here For Password Reset Or Account Unlock");
    pwdResetLink.appendChild(linkText);
    pwdResetLink.title = "Click Here For Password Reset Or Account Unlock";
    // Replace <Your Domain In AAD> with your own verified AAD domain name
    pwdResetLink.href = "https://passwordreset.microsoftonline.com/?whr=<Your Domain In AAD>";
    pwdResetLink.target = "_blank";

    // Append the link to the authArea (guarded, in case the element is missing on this page)
    var authNArea = document.getElementById("authArea");
    if (authNArea) {
        authNArea.appendChild(pwdResetLink);
    }
}

[Step 4]

Import the new edited “onload.js” file

Set-AdfsWebTheme -TargetName <New Web Theme Name> -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";Path="<Some Folder On The File System>\script\onload.js"}

[Step 5]

Activate the new web theme

Set-AdfsWebConfig -ActiveThemeName <New Web Theme Name>

Now access an application and make sure you land on the FBA page. The FBA page is used when coming from a mobile device on an external network, or in general whenever WIA is not used.
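As an added example (not the post's own code), the following PowerShell script performs steps 1 to 5 end-to-end on an ADFS server; the theme name, export folder and AAD domain are placeholders you must replace, and a marker comment keeps the snippet from being appended twice on re-runs.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on an ADFS server.
$NewThemeName = 'CustomWithSSPRLink'                # placeholder: name of the new theme
$ExportPath   = 'C:\AdfsThemes\CustomWithSSPRLink'  # placeholder: export folder
$AadDomain    = 'contoso.com'                       # placeholder: your verified AAD domain
$SsprUrl      = "https://passwordreset.microsoftonline.com/?whr=$AadDomain"

# Step 1: determine the active theme and clone it (skip the clone if the theme already exists)
$activeTheme = (Get-AdfsWebConfig).ActiveThemeName
if (-not (Get-AdfsWebTheme -Name $NewThemeName -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $NewThemeName -SourceName $activeTheme | Out-Null
}

# Step 2: export the cloned theme to the file system
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
Export-AdfsWebTheme -Name $NewThemeName -DirectoryPath $ExportPath

# Step 3: append the link snippet to onload.js, guarded by a marker so it is added only once
$onloadPath = Join-Path $ExportPath 'script\onload.js'
$marker     = '// SSPR link added by deployment script'
if (-not (Select-String -Path $onloadPath -Pattern ([regex]::Escape($marker)) -Quiet)) {
    $snippet = @"

$marker
var formsAuthArea = document.getElementById("formsAuthenticationArea");
if (formsAuthArea) {
    var pwdResetLink = document.createElement("a");
    pwdResetLink.appendChild(document.createTextNode("Click Here For Password Reset Or Account Unlock"));
    pwdResetLink.title = "Click Here For Password Reset Or Account Unlock";
    pwdResetLink.href = "$SsprUrl";
    pwdResetLink.target = "_blank";
    pwdResetLink.rel = "noopener";   // new tab gets no window.opener back to the sign-in page
    var authNArea = document.getElementById("authArea");
    if (authNArea) { authNArea.appendChild(pwdResetLink); }
}
"@
    Add-Content -Path $onloadPath -Value $snippet -Encoding UTF8
}

# Step 4: upload the edited onload.js into the new theme
Set-AdfsWebTheme -TargetName $NewThemeName -AdditionalFileResource @{
    Uri  = '/adfs/portal/script/onload.js'
    Path = $onloadPath
}

# Step 5: activate the new theme and print the now-active theme name as a check
Set-AdfsWebConfig -ActiveThemeName $NewThemeName
(Get-AdfsWebConfig).ActiveThemeName
```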

Cheers,
Jorge

 

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ########################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Federation Services (ADFS), Forefront Identity Manager (FIM) Portal, Forms Based AuthN, Self Service Password Reset, Self-Service Password Reset, Windows Azure Active Directory | 3 Comments »

(2015-03-12) Resolving The "Policy Violation" Error With FIM SSPR

Posted by Jorge on 2015-03-12


You may be testing SSPR, or a user may actually be using it to reset their own password, and the following error is presented.

Figure 1: The Password Does Not Comply With Your Organization’s Password Policies

When you look in the Forefront Identity Manager Event Log you will see the following Event ID 3:

Figure 2: The Password Reset Activity In The Password Reset Action Workflow Failed Due To A Policy Violation

PWReset Activity’s MIIS Password Set call failed because of a policy violation.

…And you will also see the following error, which by itself does not tell you anything useful:

Figure 3: Service Fault Exception – DataRequiredFaultReason

The web portal received a fault error from the FIM service.
Details:
Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
Web Portal: FIM Password Reset Portal
Session Id: xlei5mqvkukke145sjxbu355
IP Address: 10.1.1.32

A password policy consists of the following policy settings:

  1. Enforce password history (X passwords remembered)
  2. Maximum password age (X days)
  3. Minimum password age (X days)
  4. Minimum password length (X characters)
  5. Password must meet complexity requirements (Enabled/Disabled)
  6. Store passwords using reversible encryption (Enabled/Disabled)

A password change always enforces all policy settings except [2]; the maximum password age is what triggers the password change in the first place.

A regular password reset, or a password reset through FIM SSPR while policy enforcement is disabled, by default enforces all policy settings except [1], [2] and [3]. When policy enforcement is enabled as described in "FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies", SSPR also enforces [1] and [3], and therefore the password reset behaves like a password change. Be aware of that!

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Portal, Self Service Password Reset | 3 Comments »

(2015-03-08) Resolving The "PWUnrecoverableError" Error With FIM Self-Service Password Reset (SSPR)

Posted by Jorge on 2015-03-08


While using or configuring FIM 2010 (R2) SSPR you might receive the following error after specifying the new password twice and submitting it. This of course needs troubleshooting, but the generic error and code shown to the user do not tell you much, so you need to dig further to really understand what went wrong.

Figure 1: Error 3000 After Specifying A New Password Twice And Submitting It

Looking at the Forefront Identity Manager Event Log you may find Event ID 3 with an "Access is denied" statement. Now you know something is wrong with authentication or authorization between the FIM Service and the FIM Sync Service.

Figure 2: Unauthorized Access Exception – Access is denied

mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

You may also find the following Event ID 2 in the Forefront Identity Manager Event Log.

Figure 3: Workflow Terminated Exception

System.Workflow.ComponentModel.WorkflowTerminatedException: Exception of type ‘System.Workflow.ComponentModel.WorkflowTerminatedException’ was thrown.

You may also find the following Event ID 3 in the Forefront Identity Manager Event Log.

Figure 4: Service Fault Exception

The web portal received a fault error from the FIM service.
Details:
Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
Web Portal: FIM Password Reset Portal
Session Id: ufoifqmbyuwt0p3cim0iz455
IP Address: 10.1.1.32

You will also find the following Event ID 3 in the Forefront Identity Manager Event Log.

Figure 5: HTTP Unhandled Exception – PWUnrecoverableError

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError —> System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   — End of inner exception stack trace —
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously

You will also find the following Event ID 3 in the Forefront Identity Manager Event Log.

Figure 6: Invalid Program Exception – PWUnrecoverableError

The error page was displayed to the user.
Details:
Title: Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Source:
Attributes:
Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3000
CaughtTime: 01/09/2015 21:47:39

Web Portal: FIM Password Reset Portal
Session Id: ufoifqmbyuwt0p3cim0iz455
IP Address: 10.1.1.32

If you have tracing enabled for the FIM Service you would also see the following. To enable tracing for the FIM Service see the blog post "(2013-11-01) Advanced Logging, Event Tracing Or Troubleshooting Within FIM Components". Basically you comment out the "Default Diagnostics configuration", remove the comment from the "Advanced Diagnostics Configuration (Full Diagnostics configuration)" and restart the FIM Service. By the way: DO NOT forget to disable tracing afterwards!!!

Figure 7: Unauthorized Access Exception – Access is denied

Microsoft.ResourceManagement Verbose: 0 : WQL:SELECT * FROM MIIS_CSObject WHERE (Domain=’IAMTEC’ AND Account=’John.Doe’) or (FullyQualifiedDomain=’IAMTEC’ AND Account=’John.Doe’) or (Domain=’IAMTEC’ AND UserPrincipalName=’John.Doe’) or (FullyQualifiedDomain=’IAMTEC’ AND UserPrincipalName=’John.Doe’)
    ThreadId=16
    DateTime=2015-01-09T20:47:38.5549208Z
Microsoft.ResourceManagement Error: 3 : mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)
    ThreadId=16
    DateTime=2015-01-09T20:47:38.5705433Z

In this case the "PWUnrecoverableError" error is related to unauthorized access. In other words, the FIM Service account is lacking some permission somewhere. To be sure NOTHING is missed, check everything listed below.

[1] Permissions In The FIM Sync Engine

The password reset is done through the FIM Sync Engine, therefore the FIM Service must have the permission to look up the connector space object and actually set the new password. For that to be possible the FIM Service account must be a member of the "FIM Sync Browse Group" and the "FIM Sync Password Set Group". See below as an example. If you just added the FIM Service account to these groups, make sure to restart the FIM Service!

Figure 8: Required FIM Sync Group Memberships For The FIM Service Account When Using SSPR

[2] DCOM Permissions

The FIM Service account requires the correct DCOM permissions on the FIM Sync Server(s). I say server(s) because you might have a running FIM Sync server and a hot or cold standby FIM Sync server. The manual steps to enable DCOM for the FIM Service account on the FIM Sync Server(s) are:

  1. Log on to the FIM Sync Server with local administrative permissions
  2. Click Start, click Administrative Tools, and then click Component Services.
  3. On Component Services, expand Component Services, and then expand Computers.
  4. Right-click My Computer, and then click Properties.
  5. On My Computer Properties, click COM Security.
  6. On COM Security, under Access Permissions, click Edit Limits.
  7. On Access Permissions, click Add.
  8. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  9. Click OK.
  10. On Access Permissions, select the FIM Service account name and place a check in the Allow check box for both Local Access and Remote Access.
  11. Click OK.
  12. On COM Security, under Access Permissions, click Edit Default.
  13. On Access Permissions, click Add.
  14. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  15. Click OK.
  16. On Access Permissions, select the FIM Service account name and place a check in the Allow check box for both Local Access and Remote Access.
  17. Click OK.
  18. On COM Security, under Launch and Activation Permissions, click Edit Limits.
  19. On Launch and Activation Permissions, click Add.
  20. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  21. Click OK.
  22. On Launch and Activation Permissions, select the FIM Service account name and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  23. Click OK.
  24. On COM Security, under Launch and Activation Permissions, click Edit Default.
  25. On Access Permissions, click Add.
  26. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  27. Click OK.
  28. On Launch and Activation Permissions, select the FIM Service account name and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  29. Click OK.
  30. On My Computer Properties, click Apply, and then click OK.
  31. Close Component Services.

If you think, "damn, that’s a lot of work!", you can also use PowerShell to do it. See Using PowerShell to Set DCOM Permissions for FIM Self-Service Password Reset.

Figure 9: DCOM Permissions – Access Permissions – Edit Limits

Figure 10: DCOM Permissions – Access Permissions – Edit Default

Figure 11: DCOM Permissions – Launch And Activation Permissions – Edit Limits

Figure 12: DCOM Permissions – Launch And Activation Permissions – Edit Default

[3] WMI Permissions

The FIM Service account requires the correct WMI permissions on the FIM Sync Server(s). I say server(s) because you might have a running FIM Sync server and a hot or cold standby FIM Sync server. The manual steps to enable WMI for the FIM Service account on the FIM Sync Server(s) are:

  1. Log on to the FIM Sync Server with local administrative permissions.
  2. Click Start, select Administrative Tools, and click Computer Management.
  3. In Computer Management, expand Configuration, right-click WMI Controls and select Properties.
  4. Click the Security tab.
  5. Expand Root, select CIMV2, and then click the Security button. This will bring up the Security for ROOT\CIMV2.
  6. On Security for ROOT\CIMV2, click Add.
  7. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  8. Click OK.
  9. On Security for ROOT\CIMV2, for the FIM Service account name ensure that Allow is selected for both Enable Account and Remote Enable.
  10. Click Advanced. This will bring up the Advanced Security Settings for CIMV2.
  11. On Advanced Security Settings for CIMV2, select the FIM Service account name and then click Edit. This will bring up Permission Entry for CIMV2.
  12. On Permission Entry for CIMV2, select This namespace and subnamespaces in the Apply To box.
  13. Click OK.
  14. On Advanced Security Settings for CIMV2, click Apply, and then click OK.
  15. On Security for ROOT\CIMV2, click OK.
  16. On WMI Control Properties, click OK.
  17. Close Computer Management.

If you think, "damn, that’s a lot of work!", you can also use PowerShell to do it. See How to Use PowerShell to Set WMI Permissions for FIM Self-Service Password Reset or Using PowerShell to Set WMI Permissions for FIM Self-Service Password Reset.

Figure 13: WMI Permissions – ROOT\CIMV2

If you have all of the above (already) correctly configured and it is still not working, there is one more thing to check. Open the System Event Log and see if you can find a warning with Event ID 6037 similar to the one shown below.

Figure 14: LSA Error Regarding Incorrect SPN Configuration

The program svchost.exe, with the assigned process ID 860, could not authenticate locally by using the target name RPCSS/FIMSYNC.IAMTEC.NET. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
Try a different target name.

If you do find the above warning, navigate to the folder "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service" on the server with the FIM Service installed, open the file "Microsoft.ResourceManagement.Service.exe.config" and look for the string "synchronizationServerName". After finding it, look at its value, which in this case is "FIMSYNC.IAMTEC.NET". Ask yourself whether the value is the real FQDN of the FIM Sync Server or an alias for the FIM Sync Server. In this case the specified FQDN is an alias registered in DNS as an A record, not a CNAME record. If the value is neither, you need to run a change install of the FIM Service to be able to specify the correct FQDN of the FIM Sync Server. I really suggest you use an alias for the FIM Sync Server as it gives you lots of flexibility, especially if you have a running FIM Sync Server and a hot/cold standby of the FIM Sync Server. If you use the real FQDN of the FIM Sync Server instead of an alias, and you have multiple FIM Service server instances, you would need to do a change install on each and every FIM Service server instance just to change the FIM Sync Server FQDN. With an alias you do not need to do that; you just change the DNS record.

Figure 15: The FIM Sync Server FQDN Specified In the FIM Service Configuration File

If the value specified is the real FQDN of the FIM Sync Server, then you need to make sure the following SPNs are registered in the servicePrincipalNames attribute on the computer account of the FIM Sync Server:

  • HOST/<NetBIOS Name FIM Sync Server> (e.g. HOST/R1FSMBSV2)
  • HOST/<FQDN Name FIM Sync Server> (e.g. HOST/R1FSMBSV2.IAMTEC.NET)

In this case you need to check for the HOST SPN and not the RPCSS SPN, as the RPCSS SPN is covered by the HOST SPN. You can check this mapping in the "sPNMappings" attribute of the object "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=IAMTEC,DC=NET".

If either HOST SPN is missing, add it back, but watch out for duplicate SPNs!

If the value specified is the alias FQDN of the FIM Sync Server, then you need to make sure the following SPNs are registered in the servicePrincipalNames attribute on the computer account of the FIM Sync Server:

  • RPCSS/<NetBIOS Alias FIM Sync Server> (e.g. RPCSS/FIMSYNC)
  • RPCSS/<FQDN Alias FIM Sync Server> (e.g. RPCSS/FIMSYNC.IAMTEC.NET)

Figure 16: Registering The RPCSS SPN For The Alias On The Computer Account Of The FIM Sync Server

When using an alias FQDN for the FIM Sync Server, you need to make sure that alias is registered in DNS as an A record and not as a CNAME record! The downside of this approach is that if you need to activate your hot/cold standby, you also need to move the RPCSS SPNs from the computer account of the previous FIM Sync Server to the computer account of the new FIM Sync Server. To make sure you do not have that dependency, make sure you have the following:

  • HOST/<NetBIOS Name FIM Sync Server> registered on the computer account of any FIM Sync Server (should be there by default!)
  • HOST/<FQDN Name FIM Sync Server> registered on the computer account of any FIM Sync Server (should be there by default!)
  • RPCSS/<NetBIOS Alias FIM Sync Server> NOT registered anywhere
  • RPCSS/<FQDN Alias FIM Sync Server> NOT registered anywhere
  • The Alias FQDN is registered in DNS as a CNAME record and mapped to the real FQDN of the running FIM Sync Server

So does this last approach have a downside? Yes it does! If you need to activate your hot/cold standby, you also need to change the CNAME DNS record so that it maps to the FQDN of the new FIM Sync Server.

Whatever you choose, it should work. You just need to decide which approach you prefer.
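As an added example that is not part of the original post, this PowerShell script checks the SPN and DNS conditions described above for the name configured in synchronizationServerName: it reports whether the required HOST or RPCSS SPNs sit on the FIM Sync Server's computer account, whether any of them is duplicated elsewhere in AD, and whether the alias is published as an A or a CNAME record. The server names are placeholders taken from the post's screenshots, and the ActiveDirectory and DnsClient modules are assumed to be available.

```powershell
# Added example, not from the original post. Run as a user that can read AD and resolve DNS.
Import-Module ActiveDirectory

$SyncServerName = 'FIMSYNC.IAMTEC.NET'   # synchronizationServerName from the FIM Service config (placeholder)
$RealSyncHost   = 'R1FSMBSV2'            # NetBIOS name of the running FIM Sync Server (placeholder)

function Get-SpnHolders {
    # Returns the DN of every AD object carrying the given SPN; more than one holder means a duplicate SPN
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
        Select-Object -ExpandProperty DistinguishedName
}

function Test-SpnSet {
    # For each SPN: is it on the FIM Sync Server's account, is it duplicated, and who holds it
    param([string[]]$Spns, [string[]]$AccountSpns)
    foreach ($spn in $Spns) {
        $holders = @(Get-SpnHolders -Spn $spn)
        [pscustomobject]@{
            Spn          = $spn
            OnSyncServer = [bool]($AccountSpns -contains $spn)
            Duplicate    = $holders.Count -gt 1
            Holders      = $holders -join '; '
        }
    }
}

$computer  = Get-ADComputer -Identity $RealSyncHost -Properties servicePrincipalName, DNSHostName
$realFqdn  = $computer.DNSHostName
$shortName = $SyncServerName.Split('.')[0]
$isAlias   = $SyncServerName -ne $realFqdn

# How is the configured name published in DNS? A record vs CNAME decides which SPN layout applies
$dnsTypes = Resolve-DnsName -Name $SyncServerName -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Type.ToString() } | Select-Object -Unique
$isCname  = $dnsTypes -contains 'CNAME'

$hostSpns  = @("HOST/$RealSyncHost", "HOST/$realFqdn")
$rpcssSpns = @("RPCSS/$shortName", "RPCSS/$SyncServerName")

"Configured name: $SyncServerName ($(if ($isAlias) { 'alias' } else { 'real FQDN' })), DNS record type(s): $($dnsTypes -join ',')"

# The HOST SPNs must always be on the computer account; for the real name they also cover RPCSS
"HOST SPNs on the computer account of ${RealSyncHost}:"
Test-SpnSet -Spns $hostSpns -AccountSpns $computer.servicePrincipalName | Format-Table -AutoSize

if ($isAlias) {
    if ($isCname) {
        # CNAME approach: the alias follows the real host, so no RPCSS SPN for the alias may exist anywhere
        "Alias is a CNAME: any RPCSS SPN for the alias listed here must be removed:"
        Test-SpnSet -Spns $rpcssSpns -AccountSpns @() |
            Where-Object { $_.Holders } | Format-Table -AutoSize
    } else {
        # A-record approach: the RPCSS SPNs for the alias belong on the running FIM Sync Server only
        "Alias is an A record: RPCSS SPNs must be on $RealSyncHost and nowhere else:"
        Test-SpnSet -Spns $rpcssSpns -AccountSpns $computer.servicePrincipalName | Format-Table -AutoSize
    }
}
```

A row with OnSyncServer false or Duplicate true is the condition the Event ID 6037 warning points at; fix the SPN placement before touching anything else.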

After all this, you should not experience the "PWUnrecoverableError" Error anymore!

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Portal, Self Service Password Reset | 1 Comment »

(2012-11-11) Finding All Users Within FIM That Have (Not) Registered For SSPR

Posted by Jorge on 2012-11-11


As you may know already, both FIM 2010 and FIM 2010 R2 have a feature called “Self-Service Password Reset” (SSPR). With it, people who have registered for SSPR can reset their own password in AD through the FIM SSPR portal. However, before being able to use SSPR you MUST have registered for it. Every user who is allowed to use it is prompted to register for SSPR every time they log on to a domain-joined computer that also has the FIM Add-In Extensions installed locally. Unfortunately the user is not forced to register, as the user can click [Cancel] to skip registration. The only downside for the user is that he/she will be reminded to register for SSPR until he/she actually registers.

So, as an IdM admin, how do YOU know which users have and have not registered for SSPR, and of course how many? Within the FIM Portal this can easily be achieved through Search Scopes.

So, first things first….

By default FIM contains one authentication workflow that is used in SSPR. It is called “Password Reset AuthN Workflow”. Before using SSPR you must have configured the “Password Reset AuthN Workflow”, or any other custom authentication workflow you want to use. An example of the configuration needed for FIM 2010 R2 can be found below. For FIM 2010 not all configuration shown applies.

Figure 1a: Configuring The QA Gate Within The Password Reset AuthN Workflow

Figure 1b: Configuring The QA Gate Within The Password Reset AuthN Workflow

For questions to use within the QA gate have a look at the following blog post: (2010-09-24) Security Questions For The FIM QA Gate. Make sure the questions you use apply to your employees, their language or even culture.

After configuring the authentication workflow, you need to configure a SET that groups all Password Reset Authentication Workflows. Well, there is only one Password Reset Authentication Workflow, so why is this needed? In a company that uses more than one Password Reset Authentication Workflow, it is recommended to group all of them through a SET. A reason for having more than one: if you are a multinational, you most likely need a Password Reset Authentication Workflow for every language spoken within the company.

The grouping of multiple Password Reset Authentication Workflows can be achieved in multiple ways:

  1. Static membership by adding all specific Password Reset Authentication Workflows
  2. Criteria based membership by adding every specific resource ID of each Password Reset Authentication Workflow to the filter
  3. Criteria based membership by configuring the filter to be based on a specific part of the name

In this case I chose [3] as that gives me the least management overhead. I only need to make sure that every Password Reset Authentication Workflow is named in a very specific way.

Figure 2: Creating A SET To Group All Password Reset AuthN Workflows

After creating the SET, make sure to copy the object ID of the SET somewhere as you will need it later on!

Now it is time to create the Search Scopes that will help determine the (number of) users who have or have not registered for SSPR.

Let’s start with the Search Scope that will determine the users that have registered for SSPR.

Figure 3a: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR

The objectGUID you see below is the ObjectID of the SET you wrote down earlier.

Figure 3b: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR

Figure 3c: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR

Figure 3d: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR

Let’s now continue with the Search Scope that will determine the users that have NOT registered for SSPR.

Figure 4a: Create A Search Scope That Will Determine The Users Who Have NOT Registered For SSPR

Figure 4b: Create A Search Scope That Will Determine The Users Who Have NOT registered For SSPR

Figure 4c: Create A Search Scope That Will Determine The Users Who Have NOT Registered For SSPR

Figure 4d: Create A Search Scope That Will Determine The Users Who Have NOT Registered For SSPR

After having configured both Search Scopes, make sure to close Internet Explorer (or whatever other browser you are using) and perform an IIS reset through the IISRESET command.

Open up the FIM Portal again after the IIS reset and click on the Users navigation bar item. Click on the “Search Within..” drop-down list and select the Search Scope that returns all users who have registered for SSPR.

Figure 5: List Of Users That Have Registered For SSPR

Figure 6: List Of Users That Have NOT Registered For SSPR

Interestingly enough, when you select the search scope it will not return all users right away. Instead you can see the number of users at the bottom of the Internet Explorer window. If you want, you can search for specific users or use a wildcard in the name.

Would it be possible to create a navigation bar link instead? YES, that is possible, but be aware of the following. The major downside is that it returns all the results immediately. That will impact performance negatively, especially when you have lots of users within the FIM Portal.

However, if you still want to go the navigation bar way make sure to read the following blog posts:

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Portal, Self Service Password Reset | 10 Comments »
