Understanding Password Reset
Applies To: Forefront Identity Manager 2010
Microsoft Forefront™ Identity Manager 2010 (FIM 2010) includes a password reset and registration feature. By using this feature, users can reset their passwords from the Microsoft Windows® logon screen after they complete an authentication process to verify their identities.
If you have questions regarding the content of this document or if you have general feedback that you want to discuss, post a message to the Microsoft Forefront Identity Manager Discussion Forum (https://go.microsoft.com/fwlink/?LinkId=163230).
The following video about FIM Password Reset is also available on TechNet https://technet.microsoft.com/en-us/edge/using-the-password-reset-deployment-feature-in-forefront-identity-manager-fim-2010.aspx.
Introduction to Password Management in FIM 2010
As users become increasingly more mobile, the need to control password management inside a corporate network environment without incurring increasing help desk costs is important. FIM provides an easily accessible web portal that lets users register themselves, and authenticate and reset their passwords from:
Domain-joined computers on an intranet
A domain-joined kiosk computer on an intranet
This document discusses how the password management process works, and the requirements involved.
How Password Management Works
Password management in FIM 2010 consists of two components:
The FIM Password Reset Portal
The FIM Password Reset client, which is installed as part of the FIM Add-ins and Extensions.
To use password management, users must first register, which involves creating answers to a series of security questions. To reset their password, users will then be presented with these questions and they must provide the correct answers.
The password registration process involves these steps:
The user selects Register for password reset in the FIM Portal, which starts the password reset client.
The client displays a set of authentication challenge questions to the end user and gathers the end user response data, and then submits the response data to the FIM server.
The client returns a success or failure confirmation message to the user.
Initiating the request
When the user requests to register for password reset, the password reset client starts. The user enters their credentials, and the request is sent to the FIM server, which verifies that the user is authorized to participate in password registration and, if successful, returns the Question and Answer activity (also known as a gate) that the client displays to the end user.
Gathering the end user responses
The number and wording of the questions in the Question and Answer gate is configured in the workflow activity by the administrator, who can specify the following:
How many questions are created
How many questions are displayed during registration
How many questions are required to be answered for registration
How many questions are presented during the reset process
How many questions must be answered correctly during the reset process
When the user has answered and submitted the questions, the registration data will be verified for completeness and validity, and if successful, written to the FIM Service database. In the case of multiple Question and Answer gates, if the first gate is validated successfully, then the subsequent gates will be presented and processed as above.
If at any point, incomplete or invalid responses are entered, an appropriate error message will be returned to the user.
Confirming the request
When all the gates have been successfully completed and verified, a confirmation is displayed to the client.
When a user has registered successfully, he or she can then use the Password Reset Portal to reset a forgotten password. The password reset process involves the following steps:
The user selects Reset in the Password Reset Portal or on the Windows logon screen, and the client initiates the request to reset the password.
The client displays the authentication challenge questions that the user configured during registration, and then it submits the user's response data to the FIM Server.
If a Lockout Gate activity has been configured by the administrator, a specified number of incorrect attempts may prevent the user from attempting the password reset for a specified period of time or necessitate calling the help desk.
Upon successful verification, the application displays the client user interface to create a new password and submits the user's response.
The application returns a success or failure confirmation to the user.
Initiating the request
When the user requests to reset their password, the Password Reset Portal page is displayed to the user, displaying the challenge questions previously configured in the Question and Answer gate, which the Password Reset Registration Web Application displays to the end user.
Verifying the challenge responses
The challenge questions to which the user supplied answers during registration are displayed to the user. The number of questions displayed and the number of correct answers required depend on how the administrator configured the Question and Answer gate.
When the user has answered and submitted the questions, the response data will be validated. In the case of multiple Question and Answer gates, if the first gate is validated successfully, the subsequent gates will be presented and processed as above.
A Lockout Gate is an activity that can be attached to an Authorization Workflow. It is used to determine how many failed password reset attempts can be made before the user is locked out temporarily or permanently. Within a Lockout Gate activity, the administrator can modify:
The Lockout Threshold, which is the number of times that a user can fail to answer the minimum number of answers correctly.
How long the user is locked out after each Lockout Threshold is reached.
The number of Lockout Thresholds that can occur before the user is permanently locked out.
Resetting the password
When all the Question and Answer gates have been successfully completed and verified, the password reset page is displayed to the user, and the new password entered by the user is submitted.
Confirming the request
When the new password has been verified, a confirmation is displayed to the user.
Requirements for Password Reset Management in FIM 2010
If there is a firewall between the server running FIM and the server running Active Directory Domain Services (AD DS), the following ports must be opened in the firewall between the FIM Synchronization Server and the AD DS domain controller:
TCP/UDP 135 (RPC EPMapper)
TCP/UDP 389 (LDAP, LDAP Ping)
TCP 636 (LDAP over SSL)
TCP 3268 (GC)
TCP 3269 (GC SSL)
TCP/UDP 53 (DNS)
TCP/UDP 88 (Kerberos)
TCP Dynamic (RPC)
TCP/UDP 464 (Kerberos Change/Set Password)
TCP 445 – (CIFS/ MICROSOFT-DS)
To facilitate Windows Management Instrumentation (WMI) communication, you will also need to make sure the following ports are open between the server running the FIM Service and the server running the FIM Synchronization Service:
TCP/UDP 135 (RPC EPMapper)
TCP 135 (RPC EPMapper)
TCP 5000-5001 Dynamic RPC ports (PCNS)
TCP 57500-57520 Dynamic RPC ports (AD MA)
Required Management Policy Rules
There are seven Management Policy Rules (MPRs) that are necessary for deploying the Password Reset feature in FIM. These MPRs are installed by default, but they will have to be enabled to deploy Password Reset.
Two of the required MPRs are non-password-specific, as described in the following table.
“General: Users can read non-administrative configuration resources”
This MPR grants permissions to users to read nonadministrative configuration resources, for example:
For more information about configuration resources, see Understanding Configuring and Customizing the FIM Portal.
“User management: Users can read attributes of their own”
This MPR grants users permission to read their own information, for example, DisplayName. This is used when displaying a welcoming message to the user.
“Anonymous users can reset their password”
This MPR gives users the permissions to read the attributes necessary to initiate the password reset registration process.
“Password reset users can read password reset objects”
For users to reset their passwords, the client server that requests the password reset must be able to locate and read the MPR that is associated with the user they are claiming to be.
“Password reset users can update the lockout attribute of themselves”
This MPR grants permissions to the user to update the lockout count attribute.When a user successfully registers or resets their password, the lockout count is reset. For that update to happen to the lockout count, the user must have permissions to update it.
“Users can create registration objects for themselves”
This MPR grants users the permissions to create gate registration resources. A gate registration resource is the resource that stores the user's registration data in FIM.
“Users can modify registration objects for themselves”
This MPR grants users the permissions to modify gate registration resources. A gate registration resource is the resource that stores the user's registration data in FIM.