
Post on 31-Mar-2015


SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2

Mark Wahl, CISA
Principal Program Manager
Microsoft Corporation

Scenario: FIM self-service password reset

• Users can reset their own passwords
• Starts from a domain-joined PC or any browser
• Challenges the user (questions, SMS, email)
• User chooses a new password

• Reduces helpdesk costs
• Improves compliance outcomes
• Increases user productivity and satisfaction

General Availability this month

• FIM 2010 R2: adds web-based password reset and historical reporting
• Additional Connectors for FIM
• Microsoft BHOLD Suite

Meeting Customer Requirements: Key Asks from TechEd 2011 for FIM SSPR

Allow reset in more scenarios
• Broader browser support
• Mobile device support

Meet stricter security requirements
• Enhanced Q&A authentication gate
• SMS authentication gate
• Email authentication gate

Improved end user and administrator experiences
• Portal customization
• Programmatic registration
• Streamlined deployment

Agenda

• Installation
• Quickstart
• Authentication Challenge Gates
• Programmatic Registration
• Password Reset Portal Customization
• For More Information

FIM 2010 R2 SSPR Components

• FIM Sync
• FIM Service
• FIM Portal
• FIM Password Registration and Reset Portals (new)
• FIM Client (Windows Extension and Outlook Add-In)
• FIM Sync PCNS (optional)

FIM 2010 R2 Password Reset Components: Example Topology

[Topology diagram. Components shown: end users on the Internet (browser, mobile phone) reaching the FIM Password Reset Portal and FIM Password Registration Portal through a reverse proxy; the portals hosted on IIS in the intranet, backed by the FIM Service, the FIM Sync Service and AD; the FIM Portal on SharePoint, used by the FIM Admin via Internet Explorer; Windows FIM Password Reset Extensions (optional) on the end-user PC; SMS provider (optional), email provider (optional) and other directories (optional).]

Installation Process

• FIM Sync
• FIM Service and Portal
• FIM Password Portals (new in R2)
• FIM Client
• Language Packs

Installation of FIM Password Portals

1. Choose to install Password Portals
2. Specify whether the host is extranet accessible
3. Specify the AD user account for the Portal
4. Password Portals are visible in IIS Manager

Install Language Packs

Localization:
• Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages (Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian)
• FIM Portal and Service: 19 languages (Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish)

QuickStart for SSPR

PowerShell cmdlet that:
• Creates the AD MA and FIM MA in FIM Sync
• Creates sync rules to sync users from one OU into the FIM Service
• Executes initial sync operations (optional)
• Enables the MPRs for the password reset scenarios

Syntax:

Invoke-Quickstart -Container <String> -DatabaseName <String> -DatabaseServer <String> -ForefrontIdentityManagerServiceBaseAddress <String> -ForefrontIdentityManagerManagementAgentCredential <PSCredential> -Forest <String> -ActiveDirectoryManagementAgentCredential <PSCredential> [-RunInitialLoad [<Boolean>]] [-WhatIf] [-Confirm] [<CommonParameters>]

Parameters:

• -Container: The organizational unit from which users will be synchronized from Active Directory to Forefront Identity Manager 2010 R2.
• -DatabaseName: The Forefront Identity Manager 2010 R2 Service database name.
• -DatabaseServer: The Forefront Identity Manager 2010 R2 Service database server.
• -ForefrontIdentityManagerServiceBaseAddress: The Forefront Identity Manager 2010 R2 Service base URI.
• -RunInitialLoad: Indicates whether the initial synchronization from Active Directory to Forefront Identity Manager 2010 R2 is run automatically.

Password Reset Policy

Determine categories of users for password reset policy
• Security requirements
• Applicability of authentication methods
• User language preference

Implement password reset policy for each category of user
• FIM resources: set, management policy rule, and workflow
• Each authentication workflow contains one or more gates
• Optionally configure a workflow so that one or more gates apply only to requests from the extranet

Authentication Gates

QA Gate
• Reach: All users
• Secured by: User knowledge
• Considerations: Usability of questions with sufficient security

OTP SMS Gate
• Reach: Users with SMS-capable mobile phones
• Secured by: Access to mobile phone
• Considerations: Requires contract and integration with an SMS service provider

OTP Email Gate
• Reach: Users with email accounts (not on the same Exchange server)
• Secured by: Access to email account
• Considerations: Compliance with organizational security policies

Interactive Registration – QA Gate

• Admin can configure the number of questions the user can choose from, and the minimum number the user must answer to register
• User sees admin-defined questions and enters answers to the questions
• FIM Service salts and hashes the user’s registration data, then stores it in a Gate Registration object (internal)

QA Gate Configuration

Number of questions:
• in the gate
• shown to the user
• required for registration
• required for reset

Allowed answers

Text to describe allowed answers to users

Interactive Registration – OTP Gates

Data stored in two new attributes of users in the FIM Service: OTPMobilePhone and OTPEmailAddress

User experience: User enters mobile phone number and/or email address
How to achieve this experience:
• Configure gate to be “Read-Write” (default)

User experience: User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience
How to achieve this experience:
• Configure gate to be “Read-Write”
• Set value of users’ OTPMobilePhone and/or OTPEmailAddress (e.g., via workflow, custom client)

User experience: User sees mobile phone number and/or email address, but cannot edit it inline
How to achieve this experience:
• Configure gate to be “Read Only”
• Set value of users’ OTPMobilePhone and/or OTPEmailAddress (e.g., via sync)

One-Time Password Email Gate

Whether email address during registration is editable by user

Length of one-time password

Email template for sending the one-time password

One-Time Password SMS Gate

Whether mobile phone is editable by user

Length of one-time password

SMS text message that contains the security code

One-Time Password SMS Gate

1. Choose an SMS provider and establish a service relationship
2. Get documentation for the protocol/API implemented by the SMS service provider
3. Write an SMS Provider that targets this protocol/API
4. Compile this code into a DLL with a specific filename
5. Deploy this DLL to the FIM Service host machine, into a specific location

[Diagram: FIM Service (FIM OTP SMS Gate) → SMS Provider DLL → SMS Provider → User’s Cellular Service Provider → User’s Cellphone]

One-Time Password SMS Gate: API

public void SendSms(string mobileNumber, string message, Guid requestId, Dictionary<string, object> deliveryAttributes)

The ISmsServiceProvider interface contains this method declaration. The interface is defined in the assembly Microsoft.IdentityManagement.SmsServiceProviderContract.dll.

Lab guide with sample code here: http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx

Programmatic Registration

Administrators can programmatically register or unregister a user from an authentication workflow

Implementation: PowerShell cmdlets, deployed with the FIM Service component in the FIMAutomation PSSnapin

New cmdlets:

Get-AuthenticationWorkflowRegistrationTemplate
• Purpose: Gets the template for an authentication workflow
• Required parameters: AuthenticationWorkflowName

Register-AuthenticationWorkflow
• Purpose: Registers one user for one authentication workflow
• Required parameters: UserName, AuthenticationWorkflowName

Unregister-AuthenticationWorkflow
• Purpose: Unregisters one user from one authentication workflow
• Required parameters: UserName, AuthenticationWorkflowName

Confirm-AuthenticationWorkflowRegistration
• Purpose: Returns true if the specified user is registered for the specified workflow, otherwise returns false
• Required parameters: UserName, AuthenticationWorkflowName

Example – Migrate to FIM SSPR
• Scenario: Migrate to FIM Password Reset without requiring registered users to re-register
• Goal: Register existing users for FIM Password Reset without user interaction
• Approach: Read users’ password registration data from the existing solution; use this data to register the users for FIM Password Reset with the Register-AuthenticationWorkflow cmdlet

Example – Register during Onboarding
• Scenario: Organization has an existing business process that collects all data needed for password reset
• Goal: Register existing and new users for FIM Password Reset without user interaction
• Approach: For new users, a script gets the new/updated data and invokes the Register-AuthenticationWorkflow cmdlet

Example – Deregistration and Renewal
• Scenario: Organization wants users to periodically re-register for FIM Password Reset
• Goal: Cause users to be prompted for re-registration on a defined schedule
• Approach: Implement a process to identify users who are targeted for re-registration; schedule a periodic run of a script to deregister the targeted users
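The following script is an added example, not from the session or from Microsoft's documentation, covering both the migration scenario and the deregistration-and-renewal scenario with the four FIMAutomation cmdlets listed above. It assumes the default workflow name "Password Reset AuthN Workflow" with a single QA gate, and that the template exposes GateRegistrationTemplates[n].Data[n].Value and Register-AuthenticationWorkflow accepts it via -RegistrationData (per the TechNet cmdlet reference; neither appears on the slide); the CSV export is constructed sample data.

```powershell
# Added example (not from the slides): bulk registration from a legacy SSPR export,
# verification, and scheduled deregistration for renewal.
# Assumptions: run on the FIM Service host as a FIM administrator; the workflow is the
# default "Password Reset AuthN Workflow" with one QA gate; -RegistrationData and the
# GateRegistrationTemplates[n].Data[n].Value layout follow the TechNet cmdlet reference.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$WorkflowName = 'Password Reset AuthN Workflow'

# Constructed export of the existing solution: answers in the same order as the gate's
# questions. Treat this file as a secret and delete it once the migration is verified.
$legacyExport = @'
UserName,Answer1,Answer2,Answer3
CONTOSO\alice,blue,oslo,rex
CONTOSO\bob,green,lima,fido
'@ | ConvertFrom-Csv

function Register-LegacyUser {
    param([Parameter(Mandatory)] $Row)
    # A fresh template per user: it carries the gate's questions and empty answer slots.
    $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName $WorkflowName
    $gate     = $template.GateRegistrationTemplates[0]           # the QA gate
    $answers  = @($Row.Answer1, $Row.Answer2, $Row.Answer3)
    if ($gate.Data.Count -gt $answers.Count) {
        throw "Gate expects $($gate.Data.Count) answers; $($Row.UserName) supplied $($answers.Count)"
    }
    for ($i = 0; $i -lt $gate.Data.Count; $i++) { $gate.Data[$i].Value = $answers[$i] }
    Register-AuthenticationWorkflow -UserName $Row.UserName -AuthenticationWorkflowName $WorkflowName -RegistrationData $template
    # Verify rather than assume: the FIM Service now holds only salted hashes of the answers.
    if (-not (Confirm-AuthenticationWorkflowRegistration -UserName $Row.UserName -AuthenticationWorkflowName $WorkflowName)) {
        throw "Registration for $($Row.UserName) was not recorded"
    }
}

# Migration: register every exported user with no user interaction.
foreach ($row in $legacyExport) { Register-LegacyUser -Row $row }

# Renewal: deregister users targeted for re-registration, so the FIM client and portal
# prompt them to register again. Only touch users who are actually registered.
function Unregister-TargetedUsers {
    param([string[]] $UserNames)
    foreach ($u in $UserNames) {
        if (Confirm-AuthenticationWorkflowRegistration -UserName $u -AuthenticationWorkflowName $WorkflowName) {
            Unregister-AuthenticationWorkflow -UserName $u -AuthenticationWorkflowName $WorkflowName
            Write-Verbose "Deregistered $u from $WorkflowName"
        }
    }
}
# In the renewal scenario this list comes from the scheduled targeting process.
Unregister-TargetedUsers -UserNames @('CONTOSO\bob')
```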

SSPR Portal Customization

Admin can define overrides to the password reset portal UI:
• Theme: font, color, layout
• Banner graphics
• User interface text

Password Portal Customization - Layout

Create Customizations folders for both portals
• Default locations are “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset” and “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration”

Make a new Theme using CSS
• Create a style.css file in the Customizations folder
• Any .css rule in this Customizations\style.css will override the default CSS for the Password Portals
• Documentation on TechNet describes which CSS elements are supported for customization: http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)

Example: change the logo
• Create a logo (e.g., mylogo.png) in the Customizations folder
• Create a style.css file in the Customizations folder with this content:

.title-block {
    background: url(../Customizations/mylogo.png) no-repeat scroll 0 0 transparent;
}

Password Portal Customization - Text

• Create a file ‘strings.resx’ in the Customizations folder
• Provide key-value pairs for the strings you want to override: http://technet.microsoft.com/en-us/library/jj134312(v=ws.10)

<?xml version="1.0" encoding="utf-8"?>
<root>
  <resheader name="resmimetype">
    <value>text/microsoft-resx</value>
  </resheader>
  <resheader name="version">
    <value>2.0</value>
  </resheader>
  <resheader name="reader">
    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
  </resheader>
  <resheader name="writer">
    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
  </resheader>
  <!-- Customizations begin here -->
  <data name="StringName" xml:space="preserve">
    <value>Customized String Value</value>
  </data>
</root>

SSPR and Historical Reporting

Historical Reporting for FIM Service
• Built on the data warehouse in System Center Service Manager
• Extensible schema
• Extensible reports

Tracks
• Group membership changes
• Object changes: users, groups, sets, MPRs, requests, …

Procedures

• Defining the password reset policy is the first step
• Configure the gates
• Choose the registration approach: interactive registration by the users, or programmatic registration by an administrator
• Customize the password reset portal (optional)
• Distribute the FIM Client to desktops (optional)

Summary of Options in FIM 2010 R2

User Interface
• Windows client logon
• Web portals – cross browser, mobile devices

Authentication
• QA gate with a configurable number of answers allowed
• Challenge sent via SMS or email

Configuration
• Create MPR, Sets, workflows in FIM Portal
• Configuration migration
• Quickstart

Registration
• User self-registration at Portal
• Programmatic registration cmdlets

Reporting
• FIM Portal for recent requests
• FIM Reporting (DW) for historical changes

Takeaways: FIM self-service password reset

Reduces helpdesk costs

Improves compliance outcomes

Increases user productivity and satisfaction

Questions?

Resources

Connect. Share. Discuss.

http://europe.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Evaluations

http://europe.msteched.com/sessions

Submit your evals online

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.