SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2 Mark Wahl, CISA Principal Program Manager Microsoft.


1 SIA313: Self-Service Password Reset for Active Directory with Microsoft Forefront Identity Manager 2010 R2. Mark Wahl, CISA, Principal Program Manager, Microsoft Corporation.

2 Scenario: FIM self-service password reset
- Users can reset their own passwords
- Starts from a domain-joined PC or any browser
- Challenges the user (questions, SMS, email)
- User chooses a new password
- Reduces helpdesk costs
- Improves compliance outcomes
- Increases user productivity and satisfaction


4 What is new in FIM 2010 R2 password reset
- Allow reset in more scenarios: broader browser support; mobile device support
- Meet stricter security requirements: enhanced Q&A authentication gate; SMS authentication gate; email authentication gate
- Improved end user and administrator experiences: portal customization; programmatic registration; streamlined deployment


7 FIM 2010 R2 Password Reset Components: Example Topology (diagram)
- Internet side: end user's browser or mobile phone reaching a reverse proxy
- Intranet web tier (IIS): FIM Password Reset Portal and FIM Password Registration Portal; SharePoint-hosted FIM Portal used by the FIM admin (Internet Explorer)
- Service tier: FIM Service, FIM Sync Service, Active Directory, Other Directories (optional)
- Windows client: FIM Password Reset Extensions (optional) on the end user's domain-joined PC
- External providers (optional): SMS provider, email provider


9 Installation of FIM Password Portals Choose to install Password Portals

10 Installation of FIM Password Portals Specify whether host is extranet accessible

11 Installation of FIM Password Portals Specify AD user account for Portal

12 Installation of FIM Password Portals Password Portals visible in IIS Manager

13 Post-installation configuration
- Configure SSL
- Ensure appropriate Kerberos configuration (reference: kerberos-authentication-with-iis-7-0.aspx)
- Proxy configuration (if Internet-facing)


15 Localization
- Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages. Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
- FIM Portal and Service: 19 languages. Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish


17 Parameters

| Parameter | Description |
| --- | --- |
| -Container | The organizational unit where users will be synchronized from Active Directory to Forefront Identity Manager 2010 R2. |
| -DatabaseName | The Forefront Identity Manager 2010 R2 Service database name. |
| -DatabaseServer | The Forefront Identity Manager 2010 R2 Service database server. |
| -ForefrontIdentityManagerServiceBaseAddress | The Forefront Identity Manager 2010 R2 Service base URI. |
| -RunInitialLoad | Indicates whether the initial synchronization from Active Directory to Forefront Identity Manager 2010 R2 will be run automatically or not. |


19 Authentication gates

| Gate | Reach | Secured by | Considerations |
| --- | --- | --- | --- |
| QA Gate | All users | User knowledge | Usability of questions with sufficient security |
| OTP SMS Gate | Users with SMS-capable mobile phones | Access to mobile phone | Requires contract & integration with SMS service provider |
| OTP Email Gate | Users with email accounts (not the same Exchange server) | Access to email account | Compliance with organizational security policies |


21 Q&A gate settings
- Number of questions: in the gate; shown to the user; required for registration; required for reset
- Allowed answers
- Text to describe allowed answers to users

22 OTP gate registration experience

| User Experience | How to Achieve this Experience |
| --- | --- |
| User enters mobile phone number and/or email address | Configure gate to be Read-Write (default) |
| User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience | Configure gate to be Read-Write; set value of user's OTPMobilePhone and/or OTPEmailAddress (e.g., via workflow, custom client) |
| User sees mobile phone number and/or email address, but cannot edit it inline | Configure gate to be Read Only; set value of user's OTPMobilePhone and/or OTPEmailAddress (e.g., via sync) |
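The second and third rows above depend on something writing OTPMobilePhone / OTPEmailAddress on the Person object before the user ever visits the registration portal. The script below is an added example, not code from the presentation or from Microsoft: it is one way to act as the "custom client" the table mentions, using the FIMAutomation snap-in (Export-FIMConfig / Import-FIMConfig) that ships with the FIM Service. It assumes the FIM Service is reachable at its default URI, that the account running it is granted write to those two attributes by an MPR, and that the contact data comes from a source verified out of band (here a constructed CSV); the Read Only gate setting only adds security if the pre-populated value is trustworthy.

```powershell
# Added example (not from the presentation): pre-populate the OTP gate attributes
# OTPMobilePhone / OTPEmailAddress for a set of users via the FIMAutomation snap-in,
# so the gates can be configured Read Only and users see, but cannot change, the
# contact data that was verified out of band.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Constructed sample input; in practice import verified data from HR with Import-Csv.
$contacts = @'
AccountName,OTPMobilePhone,OTPEmailAddress
jdoe,+15555550100,jdoe.personal@example.com
asmith,+15555550101,
'@ | ConvertFrom-Csv

function Set-OtpContactData {
    param(
        [Parameter(Mandatory=$true)][string]$AccountName,
        [string]$MobilePhone,
        [string]$EmailAddress
    )
    # The account name is embedded in an XPath filter; XPath 1.0 has no quote
    # escaping, so reject anything outside a conservative character set.
    if ($AccountName -notmatch '^[A-Za-z0-9._-]+$') { throw "Unsafe AccountName: $AccountName" }

    $person = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='$AccountName']"
    if (-not $person) { Write-Warning "No Person found for $AccountName"; return $false }
    $id = $person.ResourceManagementObject.ObjectIdentifier

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType = 'Person'
    $import.TargetObjectIdentifier = $id
    $import.SourceObjectIdentifier = $id
    $import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

    $changes = @()
    $values = @{ OTPMobilePhone = $MobilePhone; OTPEmailAddress = $EmailAddress }
    foreach ($pair in $values.GetEnumerator()) {
        if ([string]::IsNullOrEmpty($pair.Value)) { continue }   # leave unset values untouched
        $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $change.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
        $change.AttributeName = $pair.Key
        $change.AttributeValue = $pair.Value
        $change.FullyResolved = $true
        $change.Locale = 'Invariant'
        $changes += $change
    }
    if ($changes.Count -eq 0) { return $true }

    $import.Changes = $changes
    # Each import becomes a Request in the FIM Service, so the change is auditable
    # in the FIM Portal like any other attribute update.
    $import | Import-FIMConfig
    return $true
}

foreach ($c in $contacts) {
    $ok = Set-OtpContactData -AccountName $c.AccountName -MobilePhone $c.OTPMobilePhone -EmailAddress $c.OTPEmailAddress
    Write-Output ("{0}: {1}" -f $c.AccountName, $(if ($ok) { 'updated' } else { 'skipped' }))
}
```

Because the update goes through the FIM Service rather than directly into the database, the usual MPR authorization and audit trail still apply; if the account running the script lacks a granting MPR, Import-FIMConfig reports a permission failure rather than silently writing the value.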

23 One-Time Password Email Gate settings
- Whether the email address is editable by the user during registration
- Length of the one-time password
- Email template for sending the one-time password

24 One-Time Password SMS Gate settings
- Whether the mobile phone number is editable by the user
- Length of the one-time password
- SMS text message that contains the security code

25 One-Time Password SMS Gate: integrating an SMS provider
- Choose an SMS provider and establish a service relationship
- Get documentation for the protocol/API implemented by the SMS service provider
- Write an SMS Provider that targets this protocol/API
- Compile this code into a DLL with a specific filename
- Deploy this DLL into a specific location on the FIM Service host
Message flow (diagram): FIM Service -> FIM OTP SMS Gate -> SMS Provider DLL -> SMS Provider -> user's cellular service provider -> user's cellphone

26 One-Time Password SMS Gate: API

    public void SendSms(string mobileNumber, string message, Guid requestId, Dictionary<string, object> deliveryAttributes)


28 Programmatic registration cmdlets

| Purpose | Required Parameters |
| --- | --- |
| Gets template for an authentication workflow | AuthenticationWorkflowName |
| Registers one user for one authentication workflow | UserName, AuthenticationWorkflowName |
| Unregisters one user from one authentication workflow | UserName, AuthenticationWorkflowName |
| Returns true if the specified user is registered for the specified workflow, otherwise returns false | UserName, AuthenticationWorkflowName |

29 Scenario: Migrate to FIM Password Reset without requiring registered users to re-register
- Goal: Register existing users for FIM Password Reset without user interaction
- Approach: Read users' password registration data from the existing solution; use this data to register users for FIM Password Reset with the Register-AuthenticationWorkflow cmdlet

30 Scenario: Organization has an existing business process that collects all data needed for password reset
- Goal: Register existing and new users for FIM Password Reset without user interaction
- Approach: For new users, a script gets the new/updated data and invokes the Register-AuthenticationWorkflow cmdlet

31 Scenario: Organization wants users to periodically re-register for FIM Password Reset
- Goal: Cause users to be prompted for re-registration on a defined schedule
- Approach: Implement a process to identify users who are targeted for re-registration; schedule a periodic run of a script to deregister the targeted users
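The three scenarios on slides 29 to 31 are the same small toolkit used in different orders: test whether a user is registered, register from data collected elsewhere, and unregister to force a fresh registration. The script below is an added example, not code from the presentation or from Microsoft. Register-AuthenticationWorkflow is named on the slides; the template, test and unregister cmdlets are used under the names Get-AuthenticationWorkflowRegistrationTemplate, Test-AuthenticationWorkflowRegistration and Unregister-AuthenticationWorkflow as I recall them from the FIM 2010 R2 documentation. The shape of the template object (GateRegistrationTemplates[i].Data[j].Data) and the -RegistrationData parameter are assumptions to confirm with Get-Help on the FIM Service host. The feed of answers is constructed inline; a real feed holds the same secrets a user would type at the registration portal and must be protected and disposed of accordingly.

```powershell
# Added example (not from the presentation): one script covering migration from a
# legacy reset solution (slide 29), registration from a business-process feed
# (slide 30) and scheduled forced re-registration (slide 31).
# Assumes the FIM 2010 R2 password reset cmdlets are loaded in this session and
# that the workflow is the default "Password Reset AuthN Workflow".
$WorkflowName = 'Password Reset AuthN Workflow'

# Constructed sample feed: one row per user, answer columns in the gate's question
# order. Treat a real feed as credential material (restricted ACL, delete after use).
$feed = @'
UserName,Answer1,Answer2,Answer3
CONTOSO\jdoe,oak street,rover,toronto
CONTOSO\asmith,pine avenue,felix,lisbon
'@ | ConvertFrom-Csv

function Register-UserFromFeed {
    param([Parameter(Mandatory=$true)]$Row)
    # Idempotent: a user already registered is left alone, so the migration can be re-run safely.
    if (Test-AuthenticationWorkflowRegistration -UserName $Row.UserName -AuthenticationWorkflowName $WorkflowName) {
        return 'already-registered'
    }
    # A fresh template per user; the object is mutated below and must not carry
    # one user's answers into the next registration.
    $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName $WorkflowName
    $answers = @($Row.Answer1, $Row.Answer2, $Row.Answer3)

    # ASSUMED template shape: one entry per gate, each holding one Data item per question.
    $qaGate = $template.GateRegistrationTemplates[0]
    if ($qaGate.Data.Count -ne $answers.Count) {
        throw "Gate expects $($qaGate.Data.Count) answers but the feed supplies $($answers.Count)"
    }
    for ($i = 0; $i -lt $answers.Count; $i++) { $qaGate.Data[$i].Data = $answers[$i] }

    # -RegistrationData is an ASSUMED parameter name; verify with Get-Help Register-AuthenticationWorkflow.
    Register-AuthenticationWorkflow -UserName $Row.UserName -AuthenticationWorkflowName $WorkflowName -RegistrationData $template
    return 'registered'
}

function Invoke-Reregistration {
    # Slide 31: deregister a targeted set of users so the portal / Reset Extensions
    # prompt them to register again. Intended to run from a scheduled task whose
    # input is the list produced by the organization's targeting process.
    param([Parameter(Mandatory=$true)][string[]]$TargetUsers)
    foreach ($u in $TargetUsers) {
        if (Test-AuthenticationWorkflowRegistration -UserName $u -AuthenticationWorkflowName $WorkflowName) {
            Unregister-AuthenticationWorkflow -UserName $u -AuthenticationWorkflowName $WorkflowName
            Write-Output "$u deregistered; will be prompted to re-register"
        } else {
            Write-Output "$u was not registered; nothing to do"
        }
    }
}

foreach ($row in $feed) {
    Write-Output ("{0}: {1}" -f $row.UserName, (Register-UserFromFeed -Row $row))
}
# Scheduled re-registration over a constructed target list (e.g. users whose
# registration is older than policy allows):
Invoke-Reregistration -TargetUsers @('CONTOSO\jdoe')
```

Running Test-AuthenticationWorkflowRegistration before each registration is what makes the migration re-runnable; without it, a second run would overwrite registrations the user may already have updated through the portal.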

32 SSPR Portal Customization
Admin can define overrides to the password reset portal UI:
- Theme: font, color, layout
- Banner graphics
- User interface text


34 User interface text override: a .resx resource file with the standard resx headers and the customized string
- resmimetype: text/microsoft-resx
- version: 2.0
- reader: System.Resources.ResXResourceReader, System.Windows.Forms, Version= , Culture=neutral, PublicKeyToken=b77a5c561934e089
- writer: System.Resources.ResXResourceWriter, System.Windows.Forms, Version= , Culture=neutral, PublicKeyToken=b77a5c561934e089
- data value: Customized String Value


37 Summary of Options in FIM 2010 R2
- User Interface: Windows client logon; web portals (cross browser, mobile devices)
- Authentication: QA gate with configurable number of answers allowed; challenge sent via SMS or email
- Configuration: create MPRs, Sets and workflows in the FIM Portal; configuration migration; Quickstart
- Registration: user self-registration at the Portal; programmatic registration cmdlets
- Reporting: FIM Portal for recent requests; FIM Reporting (DW) for historical changes

38 Takeaways: FIM self-service password reset
- Reduces helpdesk costs
- Improves compliance outcomes
- Increases user productivity and satisfaction

39 Connect. Share. Discuss.
- Learning: Microsoft Certification & Training Resources
- TechNet: Resources for IT Professionals
- Resources for Developers

40 Evaluations Submit your evals online
