SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2
Mark Wahl, CISA, Principal Program Manager, Microsoft Corporation
Scenario: FIM self-service password reset
• Users can reset their own passwords
• Starts from a domain-joined PC or any browser
• Challenges user (questions, SMS, email)
• User chooses a new password
• Reduces helpdesk costs
• Improves compliance outcomes
• Increases user productivity and satisfaction
General Availability this month
• FIM 2010 R2
  • Adds web-based password reset and historical reporting
• Additional Connectors for FIM
• Microsoft BHOLD Suite
Meeting Customer Requirements: Key Asks from TechEd 2011 for FIM SSPR
Allow reset in more scenarios
• Broader browser support
• Mobile device support
Meet stricter security requirements
• Enhanced Q&A authentication gate
• SMS authentication gate
• Email authentication gate
Improved end user and administrator experiences
• Portal customization
• Programmatic registration
• Streamlined deployment
Agenda
• Installation
• Quickstart
• Authentication Challenge Gates
• Programmatic Registration
• Password Reset Portal Customization
• For More Information
FIM 2010 R2 SSPR Components
• FIM Sync
• FIM Service
• FIM Portal
• FIM Password Registration and Reset Portals (new)
• FIM Client (Windows Extension and Outlook Add-In)
• FIM Sync PCNS (Optional)
FIM 2010 R2 Password Reset Components: Example Topology (diagram; components only)
• Internet: end user (browser, mobile phone), reverse proxy
• Intranet: IIS hosting the FIM Password Reset Portal and FIM Password Registration Portal, FIM Service, FIM Sync Service, AD, SharePoint hosting the FIM Portal, FIM Admin (Internet Explorer), Windows end user with FIM Password Reset Extensions (optional)
• Optional external services: email provider, SMS provider, other directories
Installation Process
• FIM Sync
• FIM Service and Portal
• FIM Password Portals (new in R2)
• FIM Client
• Language Packs
Installation of FIM Password Portals
1. Choose to install Password Portals
2. Specify whether host is extranet accessible
3. Specify AD user account for Portal
4. Password Portals visible in IIS Manager
FIM Password Portals: Post-installation configuration
• Configure SSL
• Ensure appropriate Kerberos configuration
  • http://setspn.blogspot.com/search/label/Kerberos
  • http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx
  • http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
  • http://support.microsoft.com/kb/929650
• Proxy configuration (if Internet-facing)
Localization
Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages
Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
FIM Portal and Service: 19 languages
Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish
QuickStart for SSPR
• PowerShell cmdlet that
  • Creates AD MA & FIM MA in FIM Sync
  • Creates sync rules to sync users from one OU into the FIM Service
  • Executes initial sync operations (optional)
  • Enables MPRs for password reset scenarios
Invoke-Quickstart -Container <String> -DatabaseName <String> -DatabaseServer <String>
    -ForefrontIdentityManagerServiceBaseAddress <String>
    -ForefrontIdentityManagerManagementAgentCredential <PSCredential>
    -Forest <String> -ActiveDirectoryManagementAgentCredential <PSCredential>
    [-RunInitialLoad [<Boolean>]] [-WhatIf] [-Confirm] [<CommonParameters>]
Password Reset Policy
• Determine categories of users for password reset policy
  • Security requirements
  • Applicability of authentication methods
  • User language preference
• Implement password reset policy for each category of user
  • FIM resources: set, management policy rule, and workflow
  • Each authentication workflow contains one or more gates
  • Optionally configure a workflow so that one or more gates apply only to requests from extranet
Interactive Registration – QA Gate
• Admin can configure number of questions user can choose from, and the minimum number user must answer to register
• User sees admin-defined questions and enters answers to questions
• FIM Service salts and hashes user’s registration data, then stores it in Gate Registration object (internal)
QA Gate Configuration
• Number of questions
  • in the gate
  • shown to the user
  • required for registration
  • required for reset
• Allowed answers
• Text to describe allowed answers to users
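The two slides above describe the Q&A gate's behaviour (answers are salted and hashed at registration; at reset the user must answer a configured minimum correctly) without showing the logic. The following C# is an added example written for this page, not FIM's code and not its internal Gate Registration format: it models the four counts from the configuration slide, stores one random salt and a PBKDF2-SHA256 hash per answer, and verifies a reset attempt as "at least N of the stored answers match". The class names, the normalization rule (trim and case-fold), the PBKDF2 parameters and the .NET 6+ API surface are this example's assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Gate settings named on the "QA Gate Configuration" slide.
public sealed class QaGateConfig
{
    public int QuestionsInGate { get; set; }          // questions the admin defined
    public int QuestionsShownToUser { get; set; }     // how many the user picks from
    public int RequiredForRegistration { get; set; }  // answers needed to register
    public int RequiredForReset { get; set; }         // correct answers needed to reset
}

// What is persisted per answer: never the answer, only its salt and hash.
public sealed class AnswerRecord
{
    public string QuestionId { get; set; }
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
}

public static class QaGate
{
    private const int Iterations = 100_000;   // PBKDF2 work factor (assumed value)
    private const int HashBytes = 32;

    // Trim and case-fold so "Fluffy " and "fluffy" count as the same answer.
    private static string Normalize(string answer) =>
        (answer ?? string.Empty).Trim().ToLowerInvariant();

    private static byte[] Derive(string answer, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(Normalize(answer), salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    // Registration: enforce the policy counts, then salt and hash each answer separately
    // so identical answers to different questions do not produce identical records.
    public static List<AnswerRecord> Register(QaGateConfig cfg, IDictionary<string, string> answers)
    {
        if (answers.Count < cfg.RequiredForRegistration)
            throw new ArgumentException(
                $"At least {cfg.RequiredForRegistration} answers are needed to register.");
        if (answers.Count > cfg.QuestionsShownToUser)
            throw new ArgumentException("More answers than questions were offered to the user.");

        var records = new List<AnswerRecord>();
        foreach (var kv in answers)
        {
            byte[] salt = RandomNumberGenerator.GetBytes(16);
            records.Add(new AnswerRecord { QuestionId = kv.Key, Salt = salt, Hash = Derive(kv.Value, salt) });
        }
        return records;
    }

    // Reset: count how many submitted answers match their stored record and compare
    // against the reset threshold. Every stored record is checked, so the work done
    // does not depend on where the first wrong answer sits.
    public static bool Verify(QaGateConfig cfg, IEnumerable<AnswerRecord> stored, IDictionary<string, string> attempt)
    {
        int correct = 0;
        foreach (var rec in stored)
        {
            if (!attempt.TryGetValue(rec.QuestionId, out var given)) continue;
            // Fixed-time comparison: response timing must not reveal which answers matched.
            if (CryptographicOperations.FixedTimeEquals(Derive(given, rec.Salt), rec.Hash)) correct++;
        }
        return correct >= cfg.RequiredForReset;
    }

    public static void Main()
    {
        var cfg = new QaGateConfig
        {
            QuestionsInGate = 6, QuestionsShownToUser = 4, RequiredForRegistration = 3, RequiredForReset = 2
        };
        // Constructed sample registration data.
        var stored = Register(cfg, new Dictionary<string, string>
        {
            ["q1"] = "Fluffy", ["q2"] = "Seattle", ["q3"] = "Blue"
        });
        // Two of three answers match (q3 is wrong), which meets RequiredForReset = 2.
        bool twoOfThree = Verify(cfg, stored, new Dictionary<string, string>
        {
            ["q1"] = "fluffy ", ["q2"] = "Seattle", ["q3"] = "Green"
        });
        // Only one answer matches, which is below the threshold.
        bool oneOfThree = Verify(cfg, stored, new Dictionary<string, string>
        {
            ["q1"] = "Rex", ["q2"] = "Seattle", ["q3"] = "Green"
        });
        Console.WriteLine($"two-of-three={twoOfThree} one-of-three={oneOfThree}");
    }
}
```

The design point worth taking from this model is that the hash protects the stored answers, while the "required for reset" threshold and the fixed-time comparison are what keep the challenge itself from leaking information; the allowed-answers text on the slide exists so users register answers that survive the normalization rule.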
Interactive Registration – OTP Gates
• Data stored in two new attributes of users in FIM Service
  • OTPMobilePhone and OTPEmailAddress
One-Time Password Email Gate
• Whether email address during registration is editable by user
• Length of one-time password
• Email template for sending the one-time password
One-Time Password SMS Gate
• Whether mobile phone is editable by user
• Length of one-time password
• SMS text message that contains the security code
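Both OTP gate slides expose the code length as a setting and hand the code to a message template. As an added example (not FIM's code; the expiry, attempt budget and single-use rule are this example's choices, written against .NET 6+), the C# below generates a numeric code of the configured length from a cryptographic RNG without modulo bias, keeps only a hash of it server-side, and enforces the controls that actually matter for a short numeric secret: a lifetime, a bounded number of guesses, and one successful use.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Server-side state kept while the user is being challenged.
public sealed class OtpChallenge
{
    public byte[] CodeHash;      // SHA-256 of the code; the plaintext leaves only via SMS or email
    public DateTime ExpiresUtc;
    public int AttemptsLeft;
    public bool Consumed;
}

public static class OtpGate
{
    // Build a numeric code of the configured length. Each digit comes from
    // RandomNumberGenerator.GetInt32, which is unbiased, instead of reducing
    // raw random bytes modulo 10.
    public static string GenerateCode(int length)
    {
        if (length < 4 || length > 12) throw new ArgumentOutOfRangeException(nameof(length));
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append((char)('0' + RandomNumberGenerator.GetInt32(10)));
        return sb.ToString();
    }

    private static byte[] Hash(string code)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(code));
    }

    // Issue: the challenge stays with the gate; the code goes into the SMS text or email template.
    public static (OtpChallenge challenge, string code) Issue(int length, TimeSpan lifetime, int maxAttempts, DateTime nowUtc)
    {
        string code = GenerateCode(length);
        var challenge = new OtpChallenge
        {
            CodeHash = Hash(code), ExpiresUtc = nowUtc + lifetime, AttemptsLeft = maxAttempts
        };
        return (challenge, code);
    }

    // Verify: a 6- or 8-digit code has too little entropy for the hash alone to protect it,
    // so expiry, the guess budget and single use are enforced before the comparison.
    public static bool Verify(OtpChallenge c, string submitted, DateTime nowUtc)
    {
        if (c.Consumed || nowUtc > c.ExpiresUtc || c.AttemptsLeft <= 0) return false;
        c.AttemptsLeft--;
        bool ok = CryptographicOperations.FixedTimeEquals(Hash(submitted ?? string.Empty), c.CodeHash);
        if (ok) c.Consumed = true;   // a code is good for exactly one successful reset
        return ok;
    }

    public static void Main()
    {
        var now = DateTime.UtcNow;
        var (challenge, code) = Issue(length: 6, lifetime: TimeSpan.FromMinutes(5), maxAttempts: 3, nowUtc: now);
        // "code" is what the gate's message template would carry to the user.
        bool first = Verify(challenge, code, now + TimeSpan.FromMinutes(1));   // inside the lifetime
        bool replay = Verify(challenge, code, now + TimeSpan.FromMinutes(2));  // the same code presented again
        Console.WriteLine($"first={first} replay={replay}");
    }
}
```

When the slide's "mobile phone editable by user" option is enabled, the number the code is sent to is itself user-controlled data; the delivery target, not just the code, is then part of what the policy has to trust.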
One-Time Password SMS Gate: building the provider
• Choose an SMS provider and establish a service relationship
• Get documentation for the protocol/API which is implemented by the SMS service provider
• Write SMS Provider to target this protocol/API
• Compile this code into a DLL with a specific filename
• Deploy this DLL to the host of the FIM Service machine into a specific location
(Diagram: FIM Service on Windows Server, containing the FIM OTP SMS Gate and the SMS Provider DLL, calls the SMS Provider, which delivers through the user’s cellular service provider to the user’s cellphone)
One-Time Password SMS Gate: API
    public void SendSms(
        string mobileNumber,
        string message,
        Guid requestId,
        Dictionary<string, object> deliveryAttributes
    )
• Interface ISmsServiceProvider contains the function declaration.
• Interface is present in assembly Microsoft.IdentityManagement.SmsServiceProviderContract.dll
Lab guide with sample code here: http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx
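The slide gives the contract but not what a careful implementation looks like. The C# below is an added example, not Microsoft's sample and not any real provider's SDK: a hypothetical class implementing ISmsServiceProvider that validates the destination number, posts the message to a placeholder gateway over HTTPS with a bounded timeout, reads its credential from the service account's environment rather than the binary, and fails closed without ever putting the message text (which carries the one-time password) into an exception or log. The namespace line, the gateway URL, the form field names and the environment variable name are assumptions; the DLL filename and deployment path the slide refers to are in the lab guide and are not repeated here. The code uses only APIs present in the .NET Framework, since the DLL runs inside the FIM Service process.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
// Contract assembly named on the slide: Microsoft.IdentityManagement.SmsServiceProviderContract.dll.
// The namespace below is an assumption; confirm it against the lab guide.
using Microsoft.IdentityManagement.SmsServiceProvider;

// Hypothetical provider: the FIM OTP SMS Gate loads the compiled DLL and calls SendSms.
public class ExampleSmsProvider : ISmsServiceProvider
{
    // Placeholders; substitute the chosen provider's documented endpoint.
    private const string GatewayUrl = "https://sms-gateway.example.invalid/v1/messages";
    private const int TimeoutMilliseconds = 10000;

    // E.164: a leading '+' followed by 7 to 15 digits. Rejecting anything else keeps
    // malformed values from the (possibly user-editable) OTPMobilePhone attribute off the wire.
    private static readonly Regex E164 = new Regex(@"^\+[1-9]\d{6,14}$");

    public void SendSms(string mobileNumber, string message, Guid requestId,
                        Dictionary<string, object> deliveryAttributes)
    {
        string number = (mobileNumber ?? string.Empty).Trim();
        if (!E164.IsMatch(number))
            throw new ArgumentException("Mobile number is not in E.164 format.", "mobileNumber");
        if (string.IsNullOrEmpty(message) || message.Length > 160)
            throw new ArgumentException("Message must be 1 to 160 characters.", "message");

        // Credential comes from the FIM Service account's environment (placeholder variable
        // name), so it is never compiled into the DLL or checked into source control.
        string apiKey = Environment.GetEnvironmentVariable("EXAMPLE_SMS_API_KEY");
        if (string.IsNullOrEmpty(apiKey))
            throw new InvalidOperationException("SMS gateway API key is not configured.");

        // Form-encoded POST; field names are placeholders for the provider's real API.
        // deliveryAttributes is left unused here; a real provider may map entries of it.
        byte[] body = Encoding.UTF8.GetBytes(
            "to=" + Uri.EscapeDataString(number) +
            "&body=" + Uri.EscapeDataString(message) +
            "&reference=" + requestId.ToString("N"));

        var request = (HttpWebRequest)WebRequest.Create(GatewayUrl);
        request.Method = "POST";
        request.Timeout = TimeoutMilliseconds;           // a stalled gateway must not stall the gate
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = body.Length;
        request.Headers[HttpRequestHeader.Authorization] = "Bearer " + apiKey;

        try
        {
            using (var stream = request.GetRequestStream())
                stream.Write(body, 0, body.Length);
            // GetResponse throws WebException for 4xx/5xx, so reaching the end of the
            // block means the gateway accepted the message.
            using (request.GetResponse()) { }
        }
        catch (WebException ex)
        {
            // Fail closed and report only the request id and status: the message text
            // holds the one-time password and must not appear in exceptions or logs.
            throw new InvalidOperationException(
                "SMS gateway call failed for request " + requestId + ": " + ex.Status, ex);
        }
    }
}
```

Throwing out of SendSms is the only signal the gate gets that delivery did not happen; swallowing the error would let the reset flow wait for a code that was never sent.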
Programmatic Registration
• Administrators can programmatically register or unregister a user from an authentication workflow
• Implementation: PowerShell cmdlets
  • Deployed with FIM Service component, in FIMAutomationPsSnapin
New cmdlets
• Get-AuthenticationWorkflowRegistrationTemplate
• Register-AuthenticationWorkflow
• Unregister-AuthenticationWorkflow
• Confirm-AuthenticationWorkflowRegistration
SSPR Portal Customization
• Admin can define overrides to password reset portal UI:
  • Theme: font, color, layout
  • Banner graphics
  • User interface text
Password Portal Customization - Layout
• Create Customizations folders for both portals
  • Default is “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset” and “C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration”
• Make a new Theme using CSS
  • Create a style.css file in the Customizations folder
  • Any .css rule in this Customizations\style.css will override the default css for the Password Portals
  • Documentation on TechNet describes which css elements are supported for customization: http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)
• Example: change the logo
  • Create a logo (e.g., mylogo.png) in the Customizations folder
  • Create a style.css file in the Customizations folder with this content:
    .title-block{background:url(../Customizations/mylogo.png) no-repeat scroll 0 0 transparent;}
Password Portal Customization - Text
• Create a file ‘strings.resx’ in the Customizations folder
• Provide key-value pairs for the strings you want to override
http://technet.microsoft.com/en-us/library/jj134312(v=ws.10)
    <?xml version="1.0" encoding="utf-8"?>
    <root>
      <resheader name="resmimetype">
        <value>text/microsoft-resx</value>
      </resheader>
      <resheader name="version">
        <value>2.0</value>
      </resheader>
      <resheader name="reader">
        <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <resheader name="writer">
        <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <!-- Customizations begin here -->
      <data name="StringName" xml:space="preserve">
        <value>Customized String Value</value>
      </data>
    </root>
SSPR and Historical Reporting
• Historical Reporting for FIM Service
  • Built on data warehouse in System Center Service Manager
  • Extensible schema
  • Extensible reports
• Tracks
  • Group membership changes
  • Object changes: users, groups, sets, MPRs, requests, …
Procedures
• Defining password reset policy is the first step
• Configure the gates
• Choose registration approach
  • Interactive registration by the users
  • Programmatic registration by an administrator
• Customize password reset portal (optional)
• Distribute FIM Client to desktops (optional)
Takeaways: FIM self-service password reset
• Reduces helpdesk costs
• Improves compliance outcomes
• Increases user productivity and satisfaction
Questions?
Resources
• TechNet: Connect. Share. Discuss. http://europe.msteched.com
• Learning: Microsoft Certification & Training Resources www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
Evaluations
Submit your evals online: http://europe.msteched.com/sessions
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.