SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2
Mark Wahl, CISA, Principal Program Manager, Microsoft Corporation
Scenario: FIM self-service password reset
• Users can reset their own passwords
• Starts from a domain-joined PC or any browser
• Challenges the user (questions, SMS, email)
• User chooses a new password

• Reduces helpdesk costs
• Improves compliance outcomes
• Increases user productivity and satisfaction
General Availability this month
FIM 2010 R2: adds web-based password reset and historical reporting
Additional Connectors for FIM
Microsoft BHOLD Suite
Meeting Customer Requirements: Key Asks from TechEd 2011 for FIM SSPR
Allow reset in more scenarios
• Broader browser support
• Mobile device support
Meet stricter security requirements
• Enhanced Q&A authentication gate
• SMS authentication gate
• Email authentication gate
Improved end user and administrator experiences
• Portal customization
• Programmatic registration
• Streamlined deployment
Agenda
• Installation
• Quickstart
• Authentication Challenge Gates
• Programmatic Registration
• Password Reset Portal Customization
• For More Information
FIM 2010 R2 SSPR Components
• FIM Sync
• FIM Service
• FIM Portal
• FIM Password Registration and Reset Portals (new)
• FIM Client (Windows Extension and Outlook Add-In)
• FIM Sync PCNS (optional)
FIM 2010 R2 Password Reset Components: Example Topology
(Topology diagram; components shown, from the Internet inward:)
• End user on a browser or mobile phone, reaching the intranet through a reverse proxy
• FIM Password Reset Portal and FIM Password Registration Portal, hosted in IIS on the intranet
• FIM Service, connected to AD and, optionally, to an SMS provider, an email provider and other directories
• FIM Sync Service
• FIM Portal on SharePoint, used by the FIM admin through Internet Explorer
• End user on Windows with the FIM Password Reset Extensions (optional)
Installation Process
• FIM Sync
• FIM Service and Portal
• FIM Password Portals (new in R2)
• FIM Client
• Language Packs
Installation of FIM Password Portals
1. Choose to install Password Portals
2. Specify whether the host is extranet accessible
3. Specify the AD user account for the Portal
4. Password Portals are visible in IIS Manager
FIM Password Portals: Post-installation configuration
• Configure SSL
• Ensure appropriate Kerberos configuration:
  http://setspn.blogspot.com/search/label/Kerberos
  http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx
  http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
  http://support.microsoft.com/kb/929650
• Proxy configuration (if Internet-facing)
Install Language Packs
Localization
• Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages
  Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
• FIM Portal and Service: 19 languages
  Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish
QuickStart for SSPR
PowerShell cmdlet that:
• Creates AD MA & FIM MA in FIM Sync
• Creates sync rules to sync users from one OU into the FIM Service
• Executes initial sync operations (optional)
• Enables MPRs for password reset scenarios

Invoke-Quickstart -Container <String> -DatabaseName <String> -DatabaseServer <String> -ForefrontIdentityManagerServiceBaseAddress <String> -ForefrontIdentityManagerManagementAgentCredential <PSCredential> -Forest <String> -ActiveDirectoryManagementAgentCredential <PSCredential> [-RunInitialLoad [<Boolean>]] [-WhatIf] [-Confirm] [<CommonParameters>]
Parameter Description
-Container The organizational unit where users will be synchronized from Active Directory to Forefront Identity Manager 2010 R2.
-DatabaseName The Forefront Identity Manager 2010 R2 service database name.
-DatabaseServer The Forefront Identity Manager 2010 R2 Service database server.
-ForefrontIdentityManagerServiceBaseAddress The Forefront Identity Manager 2010 R2 service base URI.
-RunInitialLoad Indicate whether initial synchronization from Active Directory to Forefront Identity Manager 2010 R2 will be run automatically or not.
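As an added example (not from the session or the FIM product documentation), here is how the Quickstart invocation above can be scripted so that a dry run and the real run use identical parameters. The OU, server names, database name, forest and service address are constructed placeholders for a hypothetical lab; how the module that provides Invoke-Quickstart is loaded depends on the FIM Service installation and is left as a comment.

```powershell
# Added example: scripted run of the FIM 2010 R2 SSPR Quickstart cmdlet.
# All names below (OU, servers, database, forest, URI) are constructed placeholders.

# Assumption: the module/snap-in that ships Invoke-Quickstart has already been loaded
# (the path and load method depend on your FIM Service installation; see the Quickstart documentation).

# Prompt for the two service accounts instead of embedding passwords in the script.
$fimMaCredential = Get-Credential -Message 'FIM MA account (connects FIM Sync to the FIM Service)'
$adMaCredential  = Get-Credential -Message 'AD MA account (reads users from the forest)'

# Splat the required parameters so the preview and the real run use exactly the same values.
$quickstart = @{
    Container                                         = 'OU=SSPR Pilot,DC=contoso,DC=example'   # constructed OU
    DatabaseName                                      = 'FIMService'
    DatabaseServer                                    = 'fimsql01.contoso.example'
    ForefrontIdentityManagerServiceBaseAddress        = 'http://fimservice01.contoso.example:5725'
    ForefrontIdentityManagerManagementAgentCredential = $fimMaCredential
    Forest                                            = 'contoso.example'
    ActiveDirectoryManagementAgentCredential          = $adMaCredential
}

# Step 1: preview. -WhatIf reports the MAs, sync rules and MPRs the cmdlet would create
# without changing FIM Sync or the FIM Service, so the OU scope can be checked first.
Invoke-Quickstart @quickstart -WhatIf

# Step 2: create the objects and run the initial AD -> FIM Service load, so the pilot users
# exist in the FIM Service before anyone tries to register. -Confirm:$false suppresses the prompt.
Invoke-Quickstart @quickstart -RunInitialLoad $true -Confirm:$false
```

Keeping the OU scope narrow for the first run limits which users the enabled MPRs apply to; widen the container only after the pilot users have registered successfully.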
Password Reset Policy
Determine categories of users for password reset policy:
• Security requirements
• Applicability of authentication methods
• User language preference
Implement password reset policy for each category of user:
• FIM resources: set, management policy rule, and workflow
• Each authentication workflow contains one or more gates
• Optionally configure a workflow so that one or more gates apply only to requests from the extranet
Authentication Gates
Gate            Reach                                                     Secured by               Considerations
QA Gate         All users                                                 User knowledge           Usability of questions with sufficient security
OTP SMS Gate    Users with SMS-capable mobile phones                      Access to mobile phone   Requires contract & integration with SMS service provider
OTP Email Gate  Users with email accounts (not the same Exchange server)  Access to email account  Compliance with organizational security policies
Interactive Registration – QA Gate
Admin can configure the number of questions a user can choose from, and the minimum number the user must answer to register
User sees the admin-defined questions and enters answers to them
FIM Service salts and hashes the user’s registration data, then stores it in a Gate Registration object (internal)
QA Gate Configuration
Number of questions:
• in the gate
• shown to the user
• required for registration
• required for reset
Allowed answers
Text to describe allowed answers to users
Interactive Registration – OTP Gates
Data is stored in two new attributes of users in the FIM Service: OTPMobilePhone and OTPEmailAddress

User experience: User enters mobile phone number and/or email address
How to achieve this experience:
• Configure gate to be “Read-Write” (default)

User experience: User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience
How to achieve this experience:
• Configure gate to be “Read-Write”
• Set value of users’ OTPMobilePhone and/or OTPEmailAddress (e.g., via workflow, custom client)

User experience: User sees mobile phone number and/or email address, but cannot edit it inline
How to achieve this experience:
• Configure gate to be “Read Only”
• Set value of users’ OTPMobilePhone and/or OTPEmailAddress (e.g., via sync)
One-Time Password Email Gate
Whether the email address is editable by the user during registration
Length of one-time password
Email template for sending the one-time password
One-Time Password SMS Gate
Whether the mobile phone number is editable by the user
Length of one-time password
SMS text message that contains the security code
One-Time Password SMS Gate
Steps to enable the gate:
1. Choose an SMS provider and establish a service relationship
2. Get documentation for the protocol/API implemented by the SMS service provider
3. Write an SMS Provider to target this protocol/API
4. Compile this code into a DLL with a specific filename
5. Deploy this DLL to the FIM Service host, into a specific location
Message flow (diagram): FIM Service (Windows Server) → FIM OTP SMS Gate → SMS Provider DLL → SMS Provider → User’s cellular service provider → User’s cellphone
One-Time Password SMS Gate: API

    public void SendSms(string mobileNumber, string message, Guid requestId, Dictionary<string, object> deliveryAttributes)

The ISmsServiceProvider interface contains this function declaration. The interface is in the assembly Microsoft.IdentityManagement.SmsServiceProviderContract.dll.
Lab guide with sample code here: http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx
Programmatic Registration
Administrators can programmatically register or unregister a user from an authentication workflow
Implementation: PowerShell cmdlets, deployed with the FIM Service component, in the FIMAutomation PsSnapin
New cmdlets:
• Get-AuthenticationWorkflowRegistrationTemplate
  Purpose: Gets the template for an authentication workflow
  Required parameters: AuthenticationWorkflowName
• Register-AuthenticationWorkflow
  Purpose: Registers one user for one authentication workflow
  Required parameters: UserName, AuthenticationWorkflowName
• Unregister-AuthenticationWorkflow
  Purpose: Unregisters one user from one authentication workflow
  Required parameters: UserName, AuthenticationWorkflowName
• Confirm-AuthenticationWorkflowRegistration
  Purpose: Returns true if the specified user is registered for the specified workflow, otherwise returns false
  Required parameters: UserName, AuthenticationWorkflowName
Example – Migrate to FIM SSPR
Scenario: Migrate to FIM Password Reset without requiring registered users to re-register
Goal: Register existing users for FIM Password Reset without user interaction
Approach:
• Read users’ password registration data from the existing solution
• Use this data to register users for FIM Password Reset with the Register-AuthenticationWorkflow cmdlet

Example – Register during Onboarding
Scenario: Organization has an existing business process that collects all data needed for password reset
Goal: Register existing and new users for FIM Password Reset without user interaction
Approach (new users):
• Script to get new/updated data & invoke the Register-AuthenticationWorkflow cmdlet

Example – Deregistration and Renewal
Scenario: Organization wants users to periodically re-register for FIM Password Reset
Goal: Cause users to be prompted for re-registration on a defined schedule
Approach:
• Implement a process to identify users who are targeted for re-registration
• Schedule a periodic run of a script to deregister targeted users
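As an added example (not from the session or the FIM product), here is the scheduled deregistration script for the Deregistration and Renewal scenario, built only on the Confirm-AuthenticationWorkflowRegistration and Unregister-AuthenticationWorkflow cmdlets and the parameters listed in the table above. Assumptions: the workflow name is the default FIM password reset authentication workflow; the users targeted for re-registration come from a CSV produced by a separate targeting process (one column, UserName, in DOMAIN\user form); the file paths are constructed. The migration and onboarding scenarios additionally need the gate data filled into the template returned by Get-AuthenticationWorkflowRegistrationTemplate, whose field layout is not shown on the slides, so they are not covered here.

```powershell
# Added example: periodic deregistration of users targeted for SSPR re-registration.
# Uses the FIMAutomation snap-in; run on a host where the FIM Service cmdlets are installed.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$WorkflowName = 'Password Reset AuthN Workflow'   # assumption: default SSPR authentication workflow name
$TargetList   = 'C:\SSPR\renewal-targets.csv'      # constructed path; written by the targeting process
$LogPath      = 'C:\SSPR\renewal-log.csv'          # constructed path for the run log

function Get-SsprRegistrationState {
    # Returns one record per user with the current registration state, so a run can be
    # reviewed before anything changes and the log records what each user looked like.
    param([string[]]$UserName, [string]$Workflow)
    foreach ($u in $UserName) {
        [pscustomobject]@{
            UserName   = $u
            Registered = [bool](Confirm-AuthenticationWorkflowRegistration -UserName $u -AuthenticationWorkflowName $Workflow)
        }
    }
}

function Invoke-SsprDeregistration {
    # Unregisters only users who are currently registered; -ReportOnly turns the run into a dry run.
    # Returns one log record per user describing what happened.
    param([string[]]$UserName, [string]$Workflow, [switch]$ReportOnly)
    foreach ($entry in (Get-SsprRegistrationState -UserName $UserName -Workflow $Workflow)) {
        $action = 'skipped (not registered)'
        if ($entry.Registered) {
            if ($ReportOnly) {
                $action = 'would unregister'
            } else {
                try {
                    Unregister-AuthenticationWorkflow -UserName $entry.UserName -AuthenticationWorkflowName $Workflow
                    $action = 'unregistered'
                } catch {
                    # Keep going for the rest of the batch; the failure is visible in the log.
                    $action = "failed: $($_.Exception.Message)"
                }
            }
        }
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('o')
            UserName  = $entry.UserName
            Workflow  = $Workflow
            Action    = $action
        }
    }
}

# Main: read the targets, deregister, append to the log, and print a per-action summary.
# Add -ReportOnly to the call below for a dry run when scheduling the job for the first time.
$targets = Import-Csv -Path $TargetList | Select-Object -ExpandProperty UserName
$results = Invoke-SsprDeregistration -UserName $targets -Workflow $WorkflowName
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Group-Object Action | Select-Object Name, Count
```

Schedule this with Task Scheduler under an account that holds the FIM Service rights the cmdlets require. Checking registration state first keeps the job idempotent: a user already unregistered by a previous run is logged as skipped rather than failing the batch, and the log gives a per-user audit trail of who was forced to re-register and when.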
SSPR Portal Customization
Admin can define overrides to the password reset portal UI:
• Theme: font, color, layout
• Banner graphics
• User interface text

Password Portal Customization – Layout
Create Customizations folders for both portals. The default locations are “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset” and “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration”.
Make a new theme using CSS:
• Create a style.css file in the Customizations folder
• Any .css rule in this Customizations\style.css will override the default CSS for the Password Portals
• Documentation on TechNet describes which CSS elements are supported for customization: http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)
Example: change the logo
• Create a logo (e.g., mylogo.png) in the Customizations folder
• Create a style.css file in the Customizations folder with this content:

    .title-block {
        background: url(../Customizations/mylogo.png) no-repeat scroll 0 0 transparent;
    }
Password Portal Customization – Text
Create a file ‘strings.resx’ in the Customizations folder and provide key-value pairs for the strings you want to override: http://technet.microsoft.com/en-us/library/jj134312(v=ws.10)

    <?xml version="1.0" encoding="utf-8"?>
    <root>
      <resheader name="resmimetype">
        <value>text/microsoft-resx</value>
      </resheader>
      <resheader name="version">
        <value>2.0</value>
      </resheader>
      <resheader name="reader">
        <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <resheader name="writer">
        <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <!-- Customizations begin here -->
      <data name="StringName" xml:space="preserve">
        <value>Customized String Value</value>
      </data>
    </root>
SSPR and Historical Reporting
Historical Reporting for FIM Service:
• Built on the data warehouse in System Center Service Manager
• Extensible schema
• Extensible reports
Tracks:
• Group membership changes
• Object changes: users, groups, sets, MPRs, requests, …
Procedures
• Defining password reset policy is the first step
• Configure the gates
• Choose the registration approach:
  • Interactive registration by the users
  • Programmatic registration by an administrator
• Customize the password reset portal (optional)
• Distribute the FIM Client to desktops (optional)
Summary of Options in FIM 2010 R2
User Interface
• Windows client logon
• Web portals – cross browser, mobile devices
Authentication
• QA gate with configurable allowed answers
• Challenge sent via SMS or email
Configuration
• Create MPRs, Sets, workflows in FIM Portal
• Configuration migration
• Quickstart
Registration
• User self-registration at Portal
• Programmatic registration cmdlets
Reporting
• FIM Portal for recent requests
• FIM Reporting (DW) for historical changes
Takeaways: FIM self-service password reset
Reduces helpdesk costs
Improves compliance outcomes
Increases user productivity and satisfaction
Questions?
Resources
Connect. Share. Discuss.
http://europe.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
Evaluations
http://europe.msteched.com/sessions
Submit your evals online
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.