SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2


Presentation Transcript


  1. SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2
     Mark Wahl, CISA, Principal Program Manager, Microsoft Corporation

  2. Scenario: FIM self-service password reset
     • Users can reset their own passwords
     • Starts from a domain-joined PC or any browser
     • Challenges user (questions, SMS, email)
     • User chooses a new password
     • Reduces helpdesk costs
     • Improves compliance outcomes
     • Increases user productivity and satisfaction

  3. General Availability this month
     • FIM 2010 R2
       • Adds web-based password reset and historical reporting
     • Additional Connectors for FIM
     • Microsoft BHOLD Suite

  4. Meeting Customer Requirements: Key Asks from TechEd 2011 for FIM SSPR
     Allow reset in more scenarios
     • Broader browser support
     • Mobile device support
     Meet stricter security requirements
     • Enhanced Q&A authentication gate
     • SMS authentication gate
     • Email authentication gate
     Improved end user and administrator experiences
     • Portal customization
     • Programmatic registration
     • Streamlined deployment

  5. Agenda
     • Installation
     • Quickstart
     • Authentication Challenge Gates
     • Programmatic Registration
     • Password Reset Portal Customization
     • For More Information

  6. FIM 2010 R2 SSPR Components
     • FIM Sync
     • FIM Service
     • FIM Portal
     • FIM Password Registration and Reset Portals (new)
     • FIM Client (Windows Extension and Outlook Add-In)
     • FIM Sync PCNS (Optional)

  7. FIM 2010 R2 Password Reset Components: Example Topology (diagram; labels only)
     Zones: Internet and Intranet, separated by a Reverse Proxy.
     Server components: IIS, FIM Service, FIM Sync Service, FIM Password Reset Portal, FIM Password Registration Portal, FIM Portal (SharePoint), AD, Other Directories (optional), Email provider (optional), SMS Provider (optional).
     Clients: End User (Browser, Mobile Phone), Windows End User (Browser, FIM Password Reset Extensions (optional)), FIM Admin (Internet Explorer).

  8. Installation Process
     • FIM Sync
     • FIM Service and Portal
     • FIM Password Portals (new in R2)
     • FIM Client
     • Language Packs

  9. Installation of FIM Password Portals (1): Choose to install Password Portals

  10. Installation of FIM Password Portals (2): Specify whether host is extranet accessible

  11. Installation of FIM Password Portals (3): Specify AD user account for Portal

  12. Installation of FIM Password Portals (4): Password Portals visible in IIS Manager

  13. FIM Password Portals: Post-installation configuration
     • Configure SSL
     • Ensure appropriate Kerberos configuration
       • http://setspn.blogspot.com/search/label/Kerberos
       • http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx
       • http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
       • http://support.microsoft.com/kb/929650
     • Proxy configuration (if Internet-facing)

  14. Install Language Packs

  15. Localization
     • Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages
       Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
     • FIM Portal and Service: 19 languages
       Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish

  16. QuickStart for SSPR
     • PowerShell cmdlet that
       • Creates AD MA & FIM MA in FIM Sync
       • Creates sync rules to sync users from one OU into the FIM Service
       • Executes initial sync operations (optional)
       • Enables MPRs for password reset scenarios

  17. Invoke-Quickstart syntax
     Invoke-Quickstart -Container <String> -DatabaseName <String> -DatabaseServer <String>
         -ForefrontIdentityManagerServiceBaseAddress <String>
         -ForefrontIdentityManagerManagementAgentCredential <PSCredential>
         -Forest <String> -ActiveDirectoryManagementAgentCredential <PSCredential>
         [-RunInitialLoad [<Boolean>]] [-WhatIf] [-Confirm] [<CommonParameters>]

  18. Password Reset Policy
     • Determine categories of users for password reset policy
       • Security requirements
       • Applicability of authentication methods
       • User language preference
     • Implement password reset policy for each category of user
       • FIM resources: set, management policy rule, and workflow
       • Each authentication workflow contains one or more gates
       • Optionally configure a workflow so that one or more gates apply only to requests from extranet

  19. Authentication Gates

  20. Interactive Registration – QA Gate
     • Admin can configure the number of questions the user can choose from, and the minimum number the user must answer to register
     • User sees admin-defined questions and enters answers to the questions
     • FIM Service salts and hashes the user’s registration data, then stores it in a Gate Registration object (internal)

  21. QA Gate Configuration
     • Number of questions
       • in the gate
       • shown to the user
       • required for registration
       • required for reset
     • Allowed answers
     • Text to describe allowed answers to users

  22. Interactive Registration – OTP Gates
     • Data stored in two new attributes of users in FIM Service
       • OTPMobilePhone and OTPEmailAddress

  23. One-Time Password Email Gate
     • Whether email address during registration is editable by user
     • Length of one-time password
     • Email template for sending the one-time password

  24. One-Time Password SMS Gate
     • Whether mobile phone is editable by user
     • Length of one-time password
     • SMS text message that contains the security code

  25. One-Time Password SMS Gate
     • Choose an SMS provider and establish a service relationship
     • Get documentation for the protocol/API which is implemented by the SMS service provider
     • Write SMS Provider to target this protocol/API
     • Compile this code into a DLL with a specific filename
     • Deploy this DLL to the host of the FIM Service machine into a specific location
     Diagram: FIM Service (Windows Server) hosting the FIM OTP SMS Gate and the SMS Provider DLL; SMS Provider; User’s Cellular Service Provider; User’s Cellphone

  26. One-Time Password SMS Gate: API
     public void SendSms(
         string mobileNumber,
         string message,
         Guid requestId,
         Dictionary<string, object> deliveryAttributes
     )
     • Interface ISmsServiceProvider contains the function declaration.
     • Interface is present in assembly Microsoft.IdentityManagement.SmsServiceProviderContract.dll
     Lab guide with sample code here: http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx
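As an added illustration of the provider DLL described on the two slides above (this is not code from the presentation, the lab guide or the FIM product), a minimal class implementing the ISmsServiceProvider contract that hands the gate's message to an HTTPS SMS gateway. The namespace of the contract assembly, the ExampleSmsGateway class, its gateway endpoint, the bearer-token handling and the E.164 number check are assumptions; the required DLL filename and deployment path are not given on the slides and come from the lab guide linked above.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.IdentityManagement.SmsServiceProvider; // assumed namespace of the contract assembly

// Hypothetical provider: posts the gate's message to an HTTPS SMS gateway (endpoint assumed).
public class ExampleSmsGateway : ISmsServiceProvider
{
    private const string GatewayUrl = "https://sms.example.invalid/api/send"; // assumed endpoint
    private static readonly Regex E164 = new Regex(@"^\+[1-9]\d{6,14}$", RegexOptions.Compiled);

    // Called by the FIM OTP SMS gate; the message already contains the one-time password.
    public void SendSms(string mobileNumber, string message, Guid requestId,
                        Dictionary<string, object> deliveryAttributes)
    {
        // Fail closed: a malformed number must not turn into a delivery to an unintended recipient.
        if (string.IsNullOrEmpty(mobileNumber) || !E164.IsMatch(mobileNumber))
            throw new ArgumentException("Mobile number is not in E.164 format.", "mobileNumber");
        if (string.IsNullOrEmpty(message))
            throw new ArgumentException("Message is empty.", "message");
        byte[] payload = Encoding.UTF8.GetBytes(
            "to=" + Uri.EscapeDataString(mobileNumber) + "&text=" + Uri.EscapeDataString(message));
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(GatewayUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        request.Timeout = 15000; // do not let a hung gateway stall the reset workflow indefinitely
        // Assumed: the gateway authenticates callers with a bearer token kept outside the code.
        request.Headers[HttpRequestHeader.Authorization] = "Bearer " + ReadApiToken();
        using (Stream body = request.GetRequestStream())
            body.Write(payload, 0, payload.Length);
        // GetResponse throws WebException on transport errors and most non-2xx replies.
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        {
            if (response.StatusCode != HttpStatusCode.OK && response.StatusCode != HttpStatusCode.Accepted)
                throw new InvalidOperationException("SMS gateway returned HTTP " + (int)response.StatusCode);
        }
        // Log the correlation id only; the message text carries the OTP and must stay out of logs.
        Trace.TraceInformation("OTP SMS accepted by gateway for request {0}", requestId);
    }

    private static string ReadApiToken()
    {
        // Assumed placeholder: in a deployment, load the token from a store protected for the FIM Service account.
        return Environment.GetEnvironmentVariable("SMS_GATEWAY_TOKEN") ?? string.Empty;
    }
}
```

Throwing from SendSms lets the gate fail the request rather than continue as if the code had been delivered.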

  27. Programmatic Registration
     • Administrators can programmatically register or unregister a user from an authentication workflow
     • Implementation: PowerShell cmdlets
       • Deployed with FIM Service component, in FIMAutomationPsSnapin

  28. New cmdlets
     • Get-AuthenticationWorkflowRegistrationTemplate
     • Register-AuthenticationWorkflow
     • Unregister-AuthenticationWorkflow
     • Confirm-AuthenticationWorkflowRegistration

  29. Example – Migrate to FIM SSPR

  30. Example – Register during Onboarding

  31. Example – Deregistration and Renewal

  32. SSPR Portal Customization
     • Admin can define overrides to password reset portal UI:
       • Theme: font, color, layout
       • Banner graphics
       • User interface text

  33. Password Portal Customization - Layout
     • Create Customizations folders for both portals
       • Default is “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset” and “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration”
     • Make a new Theme using CSS
       • Create a style.css file in the Customizations folder
       • Any .css rule in this Customizations\style.css will override the default css for the Password Portals
       • Documentation on TechNet describes which css elements are supported for customization: http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)
     • Example: change the logo
       • Create a logo (e.g., mylogo.png) in the Customizations folder
       • Create a style.css file in the Customizations folder with this content:
         .title-block { background: url(../Customizations/mylogo.png) no-repeat scroll 0 0 transparent; }

  34. Password Portal Customization - Text
     • Create a file ‘strings.resx’ in the Customizations folder
     • Provide key-value pairs for the strings you want to override
     http://technet.microsoft.com/en-us/library/jj134312(v=ws.10)

     <?xml version="1.0" encoding="utf-8"?>
     <root>
       <resheader name="resmimetype">
         <value>text/microsoft-resx</value>
       </resheader>
       <resheader name="version">
         <value>2.0</value>
       </resheader>
       <resheader name="reader">
         <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
       </resheader>
       <resheader name="writer">
         <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
       </resheader>
       <!-- Customizations begin here -->
       <data name="StringName" xml:space="preserve">
         <value>Customized String Value</value>
       </data>
     </root>

  35. SSPR and Historical Reporting
     • Historical Reporting for FIM Service
       • Built on data warehouse in System Center Service Manager
       • Extensible schema
       • Extensible reports
     • Tracks
       • Group membership changes
       • Object changes: users, groups, sets, MPRs, requests, …

  36. Procedures
     • Defining password reset policy is the first step
     • Configure the gates
     • Choose registration approach
       • Interactive registration by the users
       • Programmatic registration by an administrator
     • Customize password reset portal (optional)
     • Distribute FIM Client to desktops (optional)

  37. Summary of Options in FIM 2010 R2

  38. Takeaways: FIM self-service password reset
     • Reduces helpdesk costs
     • Improves compliance outcomes
     • Increases user productivity and satisfaction
     • Questions?

  39. Resources
     • Connect. Share. Discuss. http://europe.msteched.com
     • Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
     • TechNet: Resources for IT Professionals, http://microsoft.com/technet
     • Resources for Developers: http://microsoft.com/msdn

  40. Evaluations Submit your evals online http://europe.msteched.com/sessions

  41. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
