Mark Wahl, CISA Principal Program Manager Microsoft Corporation


1 SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2
Mark Wahl, CISA, Principal Program Manager, Microsoft Corporation
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Scenario: FIM self-service password reset
- Users can reset their own passwords
- Starts from a domain-joined PC or any browser
- Challenges the user (questions, SMS, email)
- User chooses a new password
- Reduces helpdesk costs
- Improves compliance outcomes
- Increases user productivity and satisfaction

3 General Availability this month
- FIM 2010 R2: adds web-based password reset and historical reporting
- Additional Connectors for FIM
- Microsoft BHOLD Suite

4 Meeting Customer Requirements: Key Asks from TechEd 2011 for FIM SSPR
- Allow reset in more scenarios
  - Broader browser support
  - Mobile device support
- Meet stricter security requirements
  - Enhanced Q&A authentication gate
  - SMS authentication gate
  - Email authentication gate
- Improved end user and administrator experiences
  - Portal customization
  - Programmatic registration
  - Streamlined deployment

5 Agenda
- Installation
- Quickstart
- Authentication Challenge Gates
- Programmatic Registration
- Password Reset Portal Customization
- For More Information

6 FIM 2010 R2 SSPR Components
- FIM Sync
- FIM Service
- FIM Portal
- FIM Password Registration and Reset Portals (new)
- FIM Client (Windows Extension and Outlook Add-In)
- FIM Sync PCNS (optional)

7 FIM 2010 R2 Password Reset Components: Example Topology
Diagram (example topology) showing an Internet zone and an intranet zone: IIS hosting the FIM Password Reset Portal and the FIM Password Registration Portal behind a reverse proxy, reached by end users from a browser or a mobile phone; Windows end users with the FIM Password Reset Extensions (optional); the FIM Service, FIM Sync Service and AD, with other directories (optional); the FIM Portal on SharePoint used by the FIM admin via Internet Explorer; and an SMS provider (optional).

8 Installation Process
- FIM Sync
- FIM Service and Portal
- FIM Password Portals (new in R2)
- FIM Client
- Language Packs

9 Installation of FIM Password Portals
1 Choose to install Password Portals

10 Installation of FIM Password Portals
2 Specify whether host is extranet accessible

11 Installation of FIM Password Portals
3 Specify AD user account for Portal

12 Installation of FIM Password Portals
4 Password Portals visible in IIS Manager

13 FIM Password Portals: Post-installation configuration
- Configure SSL
- Ensure appropriate Kerberos configuration
- Proxy configuration (if Internet-facing)

14 Install Language Packs

15 Localization
- Password Reset & Registration Portals and FIM Password Reset Extensions: 33 languages. Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
- FIM Portal and Service: 19 languages. Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish

16 QuickStart for SSPR
PowerShell cmdlet that:
- Creates the AD MA and FIM MA in FIM Sync
- Creates sync rules to sync users from one OU into the FIM Service
- Executes initial sync operations (optional)
- Enables MPRs for password reset scenarios

17 Invoke-Quickstart
Syntax:
    Invoke-Quickstart -Container <String> -DatabaseName <String> -DatabaseServer <String>
        -ForefrontIdentityManagerServiceBaseAddress <String>
        -ForefrontIdentityManagerManagementAgentCredential <PSCredential>
        -Forest <String> -ActiveDirectoryManagementAgentCredential <PSCredential>
        [-RunInitialLoad [<Boolean>]] [-WhatIf] [-Confirm] [<CommonParameters>]

Parameter | Description
-Container | The organizational unit from which users are synchronized from Active Directory to Forefront Identity Manager 2010 R2.
-DatabaseName | The Forefront Identity Manager 2010 R2 Service database name.
-DatabaseServer | The Forefront Identity Manager 2010 R2 Service database server.
-ForefrontIdentityManagerServiceBaseAddress | The Forefront Identity Manager 2010 R2 Service base URI.
-RunInitialLoad | Indicates whether the initial synchronization from Active Directory to Forefront Identity Manager 2010 R2 is run automatically.

18 Password Reset Policy
- Determine categories of users for the password reset policy
  - Security requirements
  - Applicability of authentication methods
  - User language preference
- Implement a password reset policy for each category of user
  - FIM resources: set, management policy rule, and workflow
  - Each authentication workflow contains one or more gates
  - Optionally configure a workflow so that one or more gates apply only to requests from the extranet

19 Authentication Gates
Gate | Reach | Secured by | Considerations
QA Gate | All users | User knowledge | Usability of questions with sufficient security
OTP SMS Gate | Users with SMS-capable mobile phones | Access to mobile phone | Requires contract and integration with an SMS service provider
OTP Email Gate | Users with email accounts (not on the same Exchange server) | Access to email account | Compliance with organizational security policies

20 Interactive Registration – QA Gate
- Admin can configure the number of questions the user can choose from, and the minimum number the user must answer to register
- User sees admin-defined questions and enters answers to them
- FIM Service salts and hashes the user's registration data, then stores it in a Gate Registration object (internal)

21 QA Gate Configuration
- Number of questions in the gate
  - shown to the user
  - required for registration
  - required for reset
- Allowed answers
- Text to describe allowed answers to users

22 Interactive Registration – OTP Gates
Data is stored in two new attributes of users in the FIM Service: OTPMobilePhone and OTP Email Address.

User experience | How to achieve this experience
User enters mobile phone number and/or email address | Configure the gate to be "Read-Write" (default)
User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience | Configure the gate to be "Read-Write"; set the value of users' OTPMobilePhone and/or OTP Email Address (e.g., via workflow or a custom client)
User sees mobile phone number and/or email address, but cannot edit it inline | Configure the gate to be "Read Only"; set the value of users' OTPMobilePhone and/or OTP Email Address (e.g., via sync)

23 One-Time Password Email Gate
- Whether the email address is editable by the user during registration
- Length of the one-time password
- Email template for sending the one-time password

24 One-Time Password SMS Gate
- Whether the mobile phone number is editable by the user
- Length of the one-time password
- SMS text message that contains the security code

25 One-Time Password SMS Gate
Diagram: a Windows Server hosting the FIM Service and the FIM OTP SMS Gate, which calls the SMS Provider DLL; the SMS Provider; the user's cellular service provider; the user's cellphone.
1. Choose an SMS provider and establish a service relationship
2. Get documentation for the protocol/API implemented by the SMS service provider
3. Write an SMS Provider that targets this protocol/API
4. Compile this code into a DLL with a specific filename
5. Deploy this DLL to the FIM Service host machine in a specific location

26 One-Time Password SMS Gate: API

    public void SendSms(
        string mobileNumber,
        string message,
        Guid requestId,
        Dictionary<string, object> deliveryAttributes)

Interface ISmsServiceProvider contains the function declaration. The interface is present in the assembly Microsoft.IdentityManagement.SmsServiceProviderContract.dll.
Lab guide with sample code here:
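An added example (not the slide's lab code and not FIM product code) of a provider class implementing the SendSms signature above against a hypothetical HTTPS SMS gateway. The contract namespace, the gateway URL and its form fields, and the SMS_GATEWAY_TOKEN environment variable are assumptions; the point is how the one-time password is handled on the way out.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.IdentityManagement.SmsServiceProvider; // assumed namespace of the contract assembly
// Example provider class; FIM loads it through ISmsServiceProvider and calls SendSms per challenge.
public class HttpsGatewaySmsProvider : ISmsServiceProvider
{
    // Hypothetical gateway endpoint. It must be HTTPS: the message body carries the security code.
    private const string GatewayUrl = "https://sms-gateway.example.invalid/api/send";
    private static readonly Regex E164 = new Regex(@"^\+[1-9][0-9]{6,14}$");

    public void SendSms(string mobileNumber, string message, Guid requestId,
                        Dictionary<string, object> deliveryAttributes)
    {
        // The number comes from the user's registration data: accept only a plain E.164 value so a
        // malformed entry cannot inject extra fields into the gateway request.
        if (mobileNumber == null || !E164.IsMatch(mobileNumber))
            throw new ArgumentException("Mobile number is not in E.164 form.", "mobileNumber");

        // Gateway credential; an environment variable of the FIM Service account stands in here (assumption).
        string token = Environment.GetEnvironmentVariable("SMS_GATEWAY_TOKEN");
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("SMS gateway credential is not configured.");

        byte[] body = Encoding.UTF8.GetBytes(
            "to=" + Uri.EscapeDataString(mobileNumber) +
            "&text=" + Uri.EscapeDataString(message) +
            "&ref=" + requestId.ToString("N")); // FIM request id doubles as the gateway's duplicate key

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(GatewayUrl);
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        req.Headers["Authorization"] = "Bearer " + token;
        req.Timeout = 15000; // fail fast so the gate reports an error instead of stalling the reset
        using (var stream = req.GetRequestStream())
            stream.Write(body, 0, body.Length);
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
        {
            if (resp.StatusCode != HttpStatusCode.OK)
                throw new InvalidOperationException("SMS gateway returned HTTP " + (int)resp.StatusCode);
        }
        // Audit by request id and masked number only: the message text is the security code and never goes to a log.
        string masked = new string('*', mobileNumber.Length - 4) + mobileNumber.Substring(mobileNumber.Length - 4);
        Trace.TraceInformation("SMS for request {0} accepted by gateway for {1}", requestId, masked);
    }
}
```

Any exception thrown from SendSms surfaces as a gate failure for that reset request, which is the desired outcome when the gateway cannot be reached or rejects the number.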

27 Programmatic Registration
- Administrators can programmatically register or unregister a user from an authentication workflow
- Implementation: PowerShell cmdlets
- Deployed with the FIM Service component, in the FIMAutomation PsSnapin

28 New cmdlets
Cmdlet | Purpose | Required parameters
Get-AuthenticationWorkflowRegistrationTemplate | Gets the template for an authentication workflow | AuthenticationWorkflowName
Register-AuthenticationWorkflow | Registers one user for one authentication workflow | UserName, AuthenticationWorkflowName
Unregister-AuthenticationWorkflow | Unregisters one user from one authentication workflow | UserName, AuthenticationWorkflowName
Confirm-AuthenticationWorkflowRegistration | Returns true if the specified user is registered for the specified workflow, otherwise returns false | UserName, AuthenticationWorkflowName

29 Example – Migrate to FIM SSPR
- Scenario: migrate to FIM Password Reset without requiring registered users to re-register
- Goal: register existing users for FIM Password Reset without user interaction
- Approach: read users' password registration data from the existing solution, then use this data to register users for FIM Password Reset with the Register-AuthenticationWorkflow cmdlet

30 Example – Register during Onboarding
- Scenario: the organization has an existing business process that collects all data needed for password reset
- Goal: register existing and new users for FIM Password Reset without user interaction
- Approach: for new users, a script gets the new/updated data and invokes the Register-AuthenticationWorkflow cmdlet

31 Example – Deregistration and Renewal
- Scenario: the organization wants users to periodically re-register for FIM Password Reset
- Goal: cause users to be prompted for re-registration on a defined schedule
- Approach: implement a process to identify users who are targeted for re-registration, and schedule a periodic run of a script to deregister the targeted users

32 SSPR Portal Customization
Admin can define overrides to the password reset portal UI:
- Theme: font, color, layout
- Banner graphics
- User interface text

33 Password Portal Customization - Layout
Create Customizations folders for both portals. The default locations are "C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset" and "C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration".
Make a new theme using CSS:
- Create a style.css file in the Customizations folder
- Any .css rule in Customizations\style.css overrides the default CSS for the Password Portals
- Documentation on TechNet describes which CSS elements are supported for customization:
Example: change the logo
- Create a logo (e.g., mylogo.png) in the Customizations folder
- Create a style.css file in the Customizations folder with this content:

    .title-block {
        background: url(../Customizations/mylogo.png) no-repeat scroll 0 0 transparent;
    }

34 Password Portal Customization - Text
- Create a file 'strings.resx' in the Customizations folder
- Provide key-value pairs for the strings you want to override:

    <?xml version="1.0" encoding="utf-8"?>
    <root>
      <resheader name="resmimetype">
        <value>text/microsoft-resx</value>
      </resheader>
      <resheader name="version">
        <value>2.0</value>
      </resheader>
      <resheader name="reader">
        <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version= , Culture=neutral, PublicKeyToken=b77a5c561934e </value>
      </resheader>
      <resheader name="writer">
        <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version= , Culture=neutral, PublicKeyToken=b77a5c561934e </value>
      </resheader>
      <!-- Customizations begin here -->
      <data name="StringName" xml:space="preserve">
        <value>Customized String Value</value>
      </data>
    </root>

35 SSPR and Historical Reporting
Historical Reporting for the FIM Service:
- Built on the data warehouse in System Center Service Manager
- Extensible schema
- Extensible reports
- Tracks group membership changes
- Tracks object changes: users, groups, sets, MPRs, requests, …

36 Procedures
- Defining the password reset policy is the first step
- Configure the gates
- Choose a registration approach
  - Interactive registration by the users
  - Programmatic registration by an administrator
- Customize the password reset portal (optional)
- Distribute the FIM Client to desktops (optional)

37 Summary of Options in FIM 2010 R2
TechReady 14
- User Interface: Windows client logon; web portals (cross-browser, mobile devices)
- Authentication: QA gate with a configurable number of answers allowed; challenge sent via SMS or email
- Configuration: create MPRs, sets and workflows in the FIM Portal; configuration migration; Quickstart
- Registration: user self-registration at the portal; programmatic registration cmdlets
- Reporting: FIM Portal for recent requests; FIM Reporting (DW) for historical changes

38 Takeaways: FIM self-service password reset
- Reduces helpdesk costs
- Improves compliance outcomes
- Increases user productivity and satisfaction
Questions?

39 Resources
- Connect. Share. Discuss. http://europe.msteched.com
- Learning: Microsoft Certification & Training Resources
- TechNet: Resources for IT Professionals
- Resources for Developers

40 Evaluations
Submit your evals online

