Step 7: Configure Self-Service Password Reset
Configuring Password Reset consists of the following steps:
Add CORP\FIMService to the local FIMSyncBrowse and FIMSyncPasswordSet groups
Enable password management on the AD Management Agent
Enable CORP\FIMService privileges in WMI on FIM1
Allow WMI traffic through the Windows Firewall on FIM1
Enable DCOM for CORP\FIMService on FIM1
Change the default Q&A questions in the workflow
Enable the required MPRs
Install the Rich-client on CLIENT1
Add CORP\FIMService to the local FIMSyncBrowse and FIMSyncPasswordSet groups
In this step we will add the FIM Service account to the two required groups for implementing SSPR.
To add CORP\FIMService to the local FIMSyncBrowse and FIMSyncPasswordSet groups
Log on to FIM1.corp.contoso.com as Administrator.
Click Start, select Administrative Tools, and then click Computer Management. This will open the Computer Management MMC.
In the Computer Management MMC, from the tree-view on the left, expand Local Users and Groups, and then select Groups.
In the center pane, right-click FIMSyncBrowse and select Properties. This will bring up the FIMSyncBrowse Properties.
Click Add.
This will bring up the Select Users, Computers, Service Accounts, Groups dialog box.
In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
CORP\FIMService
This should resolve to the FIM Service account and the FIM Synch Service account. Click OK. Click Apply.
Click OK.
In the center pane, right-click FIMSyncPasswordSet and select Properties. This will bring up the FIMSyncPasswordSet Properties.
Click Add.
This will bring up the Select Users, Computers, Service Accounts, Groups dialog box.
In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
CORP\FIMService
This should resolve to the FIM Service account and the FIM Synch Service account. Click OK. Click Apply.
Click OK.
Close Computer Management.
Click Start, select Administrative Tools, and then click Services.
Scroll down and right-click Forefront Identity Manager Service, and then select Stop. This will stop the Forefront Identity Manager Service.
Scroll down and right-click Forefront Identity Manager Synchronization Service, and then select Stop. This will stop the Forefront Identity Manager Synchronization Service.
Right-click Forefront Identity Manager Service, and then select Start. This will start the Forefront Identity Manager Service.
Right-click Forefront Identity Manager Synchronization Service, and then select Start. This will start the Forefront Identity Manager Synchronization Service.
Close Services.
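As an added example (not part of this guide), the following PowerShell script verifies that the two local groups now contain the FIM Service account and that both services came back up after the restart. It assumes it runs on FIM1 and that the Windows service names are FIMService and FIMSynchronizationService.

```powershell
# Added verification script, not part of the lab guide. Assumes it runs on FIM1,
# that CORP\FIMService and the two local groups exist, and that the Windows service
# names are FIMService and FIMSynchronizationService.
$account = 'CORP\FIMService'
$groups  = 'FIMSyncBrowse', 'FIMSyncPasswordSet'

function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # The WinNT ADSI provider works on every Windows version, unlike
    # Get-LocalGroupMember, which needs Windows Server 2016 or later.
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($member in $group.Invoke('Members')) {
        # ADsPath looks like WinNT://CORP/FIMService; normalise it to DOMAIN\name.
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($g in $groups) {
    $members = @(Get-LocalGroupMemberNames -GroupName $g)
    if ($members -contains $account) {
        Write-Host "OK      $g contains $account"
    } else {
        Write-Warning "MISSING $g does not contain $account (members: $($members -join ', '))"
    }
}

# The guide restarts both FIM services so the new group membership is picked up;
# confirm they are running again.
foreach ($svc in 'FIMService', 'FIMSynchronizationService') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { Write-Host "$($s.DisplayName): $($s.Status)" }
    else    { Write-Warning "Service $svc not found" }
}
```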
Enable password management on the AD Management Agent
In order for AD DS to process the password reset requests, we must enable password management on the AD management agent created in the preceding step.
To enable password management on the AD Management Agent
Log on to FIM1 as CORP\Administrator.
Click Start, select All Programs, select Microsoft Forefront Identity Manager, and click Synchronization Service.
At the top of the Synchronization Service, click Management Agents.
Select the AD management agent and on the right under Actions select Properties. This will bring up the AD management agent properties.
In the properties window, click Configure Extensions and place a check in Enable password management.
Click OK.
Enable CORP\FIMService privileges in WMI on FIM1
The FIM Service account must be granted access to the ROOT\CIMV2 WMI namespace and its subnamespaces on the FIM 2010 R2 server.
To enable CORP\FIMService privileges in WMI on FIM1
Log on to FIM1 as CORP\Administrator.
Click Start, select Administrative Tools, and click Server Manager.
In Server Manager, expand Configuration, right-click WMI Controls and select Properties.
Click the Security tab.
Expand Root, select CIMV2, and then click the Security button. This will bring up the Security for ROOT\CIMV2.
On Security for ROOT\CIMV2, click Add.
On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Names.
When the service account name resolves successfully, it appears underlined. Click OK.
On Security for ROOT\CIMV2, for CORP\FIMService ensure that Allow is selected for Enable Account.
On Security for ROOT\CIMV2, for CORP\FIMService select Allow for Remote Enable.
Click Advanced. This will bring up the Advanced Security Settings for CIMV2.
On Advanced Security Settings for CIMV2, select FIM Service (FIMService@corp.contoso.com) and then click Edit. This will bring up Permission Entry for CIMV2.
On Permission Entry for CIMV2, select This namespace and subnamespaces in the Apply To box.
Click OK.
On Advanced Security Settings for CIMV2, click Apply, and then click OK.
On Security for ROOT\CIMV2, click OK.
On WMI Control Properties, click OK.
Close Server Manager.
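As an added example (not from this guide), this PowerShell check reads the ROOT\CIMV2 namespace DACL through the __SystemSecurity class and confirms that CORP\FIMService holds Enable Account and Remote Enable, that the entry applies to subnamespaces, and that no Deny entry undoes it. It assumes it runs on FIM1 as an administrator.

```powershell
# Added check, not part of the lab guide. Assumes it runs on FIM1 as an administrator
# and that CORP\FIMService is the FIM Service account.
$namespace = 'root\cimv2'
$account   = 'CORP\FIMService'

# WMI access-mask bits (wbemcli.h) and ACE flags (winnt.h) behind the MMC labels.
$WBEM_ENABLE            = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS     = 0x20   # "Remote Enable"
$CONTAINER_INHERIT_ACE  = 0x2    # "This namespace and subnamespaces"
$ACCESS_DENIED_ACE_TYPE = 1

$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# __SystemSecurity exposes the same namespace DACL that WMI Control edits.
$sec = Get-WmiObject -Namespace $namespace -Class __SystemSecurity
$sd  = $sec.GetSecurityDescriptor().Descriptor

$aces = @($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid })
if ($aces.Count -eq 0) {
    Write-Warning "$account has no ACE on $namespace; SSPR password sets will fail"
    return
}
foreach ($ace in $aces) {
    if ($ace.AceType -eq $ACCESS_DENIED_ACE_TYPE) {
        Write-Warning ("Deny ACE for {0} (mask 0x{1:X}) takes precedence over Allow" -f $account, $ace.AccessMask)
        continue
    }
    $checks = @(
        @('Enable Account',           ($ace.AccessMask -band $WBEM_ENABLE) -ne 0),
        @('Remote Enable',            ($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0),
        @('Applies to subnamespaces', ($ace.AceFlags  -band $CONTAINER_INHERIT_ACE) -ne 0)
    )
    foreach ($c in $checks) {
        $label, $ok = $c
        $state = if ($ok) { 'OK     ' } else { 'MISSING' }
        Write-Host "$state $label for $account on $namespace"
    }
}
```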
Allow WMI traffic through the Windows Firewall on FIM1
The FIM1 server needs to allow WMI traffic through the firewall.
To allow WMI traffic through the Windows Firewall on FIM1
Log on to FIM1 as CORP\Administrator.
Click Start, and then click Control Panel.
In Control Panel, click Windows Firewall.
On Windows Firewall, select Allow a program or feature through Windows Firewall.
On Allowed Programs, under Allowed programs and features, scroll down, and then select the Windows Management Instrumentation (WMI) check box.
Click OK.
Close Windows Firewall.
Close Control Panel.
Enable DCOM for CORP\FIMService on FIM1
WMI uses DCOM to communicate with the FIM 2010 R2 server. For this to occur, the FIM Service service account requires access to DCOM on the server running the FIM Synchronization Service.
To enable DCOM for CORP\FIMService on FIM1
Log on to FIM1 as CORP\Administrator.
Click Start, click Administrative Tools, and then click Component Services.
On Component Services, expand Component Services, and then expand Computers.
Right-click My Computer, and then click Properties.
On My Computer Properties, click COM Security.
On COM Security, under Access Permissions, click Edit Limits.
On Access Permissions, click Add.
On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Names.
When the service account name resolves successfully, it appears underlined. Click OK.
On Access Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check box for both Local Access and Remote Access.
Click OK.
On COM Security, under Access Permissions, click Edit Default.
On Access Permissions, click Add.
On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Names.
When the service account name resolves successfully, it appears underlined. Click OK.
On Access Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check box for both Local Access and Remote Access.
Click OK.
On COM Security, under Launch and Activation Permissions, click Edit Limits.
On Launch and Activation Permissions, click Add.
On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Names.
When the service account name resolves successfully, it appears underlined. Click OK.
On Launch and Activation Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Click OK.
On COM Security, under Launch and Activation Permissions, click Edit Default.
On Launch and Activation Permissions, click Add.
On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter CORP\FIMService, and then click Check Names.
When the service account name resolves successfully, it appears underlined. Click OK.
On Launch and Activation Permissions, select FIM Service (FIMService@corp.contoso.com) and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Click OK.
On My Computer Properties, click Apply, and then click OK.
Close Component Services.
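As an added example (not from this guide), this PowerShell check decodes the four DCOM security descriptors that Component Services writes under HKLM\SOFTWARE\Microsoft\Ole (the Edit Limits and Edit Default DACLs for Access and for Launch and Activation) and reports which COM rights CORP\FIMService is still missing. It assumes it runs on FIM1 as an administrator.

```powershell
# Added check, not part of the lab guide. Assumes it runs on FIM1 as an administrator
# and that CORP\FIMService is the FIM Service account.
$account = 'CORP\FIMService'
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# COM_RIGHTS_* bits (objbase.h). Component Services stores each Edit Limits / Edit
# Default DACL as a self-relative security descriptor under HKLM\SOFTWARE\Microsoft\Ole.
$EXECUTE = 0x1; $LOCAL = 0x2; $REMOTE = 0x4; $ACT_LOCAL = 0x8; $ACT_REMOTE = 0x10
$access = $LOCAL -bor $REMOTE                                   # Local Access + Remote Access
$launch = $LOCAL -bor $REMOTE -bor $ACT_LOCAL -bor $ACT_REMOTE  # Launch + Activation, local and remote
$checks = @(
    @('MachineAccessRestriction', $access), @('DefaultAccessPermission', $access),
    @('MachineLaunchRestriction', $launch), @('DefaultLaunchPermission', $launch)
)

function Get-AllowedComMask([byte[]]$Bytes, [string]$Sid) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $allowed = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        if ($ace.AceType -eq 'AccessDenied') { Write-Warning "Deny ACE for $Sid"; continue }
        $m = [int]$ace.AccessMask
        # A bare COM_RIGHTS_EXECUTE with no local/remote bits is the legacy "everything" ACE.
        if (($m -band $EXECUTE) -and -not ($m -band 0x1E)) { $m = $m -bor 0x1E }
        $allowed = $allowed -bor $m
    }
    return $allowed
}

$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($c in $checks) {
    $name, $need = $c
    $bytes = $ole.$name
    if (-not $bytes) { Write-Warning "$name is not set; built-in DCOM defaults apply"; continue }
    $have    = Get-AllowedComMask -Bytes $bytes -Sid $sid
    $missing = $need -band (-bnot $have)
    if ($missing -eq 0) { Write-Host "OK      $name grants $account the required rights" }
    else { Write-Warning ("MISSING {0} lacks COM rights 0x{1:X} for {2}" -f $name, $missing, $account) }
}
```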
Change the default Q&A questions in the workflow
The default questions for the Q&A gate are Question 1, Question 2, and Question 3. These need to be changed to real questions.
To change the default Q&A questions in the workflow
Log on to FIM1.corp.contoso.com as CORP\Administrator.
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer address bar, enter https://fim1/identitymanagement, and then press Enter. This will bring up the Forefront Identity Manager 2010 home page.
On the right, under Administration, click Workflows.
Double-click Password Reset AuthN Workflow. This will bring up the Password Reset AuthN Workflow.
Click Activities.
Click the down arrow next to QA Gate to expand its details, and then click Edit.
Navigate to Step 2, remove Question 1 from the box and enter: What is your mother's middle name?
Navigate to Step 2, remove Question 2 from the box and enter: What is your father's middle name?
Navigate to Step 2, remove Question 3 from the box and enter: What was your first pet's name?
Click Save. Click OK. Click Submit.
Enable the Required MPRs
By default, FIM has several Management Policy Rules disabled that need to be enabled for SSPR.
To enable the required MPRs
Log on to CLIENT1.corp.contoso.com as CORP\Administrator.
Navigate to the Forefront Identity Manager 2010 home page.
On the right, under Administration, click Management Policy Rules.
In the list of MPRs, locate Anonymous users can reset their password and click it. This will open the Configuration page.
Clear the check box next to Policy is disabled.
Click OK, and then click Submit.
Repeat the above steps for each of the following MPRs:
Anonymous users can reset their password
Password reset users set can read password reset objects
Password Reset Users can update the lockout attribute of themselves
User management: Users can read attributes of their own
General: Users can read non-administrative configuration resources
Administration: Administrators can read and update Users
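As an added example (not from this guide), this PowerShell script uses the FIMAutomation snap-in's Export-FIMConfig cmdlet to confirm that each of the MPRs listed above is now enabled, so the state can be checked without clicking through the portal. It assumes the snap-in is installed where it runs and that the FIM Service listens at http://fim1:5725.

```powershell
# Added check, not part of the lab guide. Assumes the FIMAutomation snap-in is installed
# on the machine where it runs and that the FIM Service is at http://fim1:5725.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$mprNames = @(
    'Anonymous users can reset their password',
    'Password reset users set can read password reset objects',
    'Password Reset Users can update the lockout attribute of themselves',
    'User management: Users can read attributes of their own',
    'General: Users can read non-administrative configuration resources',
    'Administration: Administrators can read and update Users'
)

function Get-MprAttribute($Mpr, [string]$AttributeName) {
    # Export-FIMConfig returns attributes as name/value pairs, with values as strings.
    $attr = $Mpr.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $AttributeName }
    if ($attr) { $attr.Value }
}

foreach ($name in $mprNames) {
    # None of the display names above contains a single quote, so no XPath escaping is needed.
    $filter = "/ManagementPolicyRule[DisplayName='$name']"
    $mpr = Export-FIMConfig -Uri 'http://fim1:5725/ResourceManagementService' `
                            -CustomConfig $filter -OnlyBaseResources
    if (-not $mpr) { Write-Warning "NOT FOUND  $name"; continue }
    $disabled = Get-MprAttribute -Mpr $mpr -AttributeName 'Disabled'
    if ($disabled -eq 'True') { Write-Warning "DISABLED   $name" }
    else                      { Write-Host    "ENABLED    $name" }
}
```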
Install the Rich-client on CLIENT1
In this section we will install the rich-client on CLIENT1.
To install the Rich-client on CLIENT1
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 R2 and double-click FIMSplash.htm. This will bring up the Forefront Identity Manager 2010 R2 splash screen.
On the splash screen, click Install Add-ins and Extensions, 64 bit. You will see a pop-up that says Do you want to run or save this file? Click Run. This will take a minute. Then you will see another pop-up asking Do you want to run this software? Click Run. This will start the Forefront Identity Manager 2010 R2 Add-ins and Extensions Setup Wizard.
On the Welcome page, click Next.
On the End User License Agreement page, read the License Agreement, select I accept the terms in the License Agreement, and then click Next.
On the FIM Customer Experience Improvement Program page, select I don’t want to join the program at this time, and then click Next.
On the Custom Setup page, click the drop-down list next to FIM Add-in for Outlook, and then select Entire feature will be unavailable.
Click Next.
On the Configure FIM Add-ins and Extensions page, in the box next to FIM Service Server address: enter FIM1 and click Next.
On the Configure FIM Add-ins and Extensions page, in the box below Intranet Registration Portal URL: enter https://passwordregistration.corp.contoso.com and click Next.
Click Install.
Once the installation is complete, click Finish. You will be prompted to restart your system. Click Yes.