
Takeaways: FIM self-service password reset

Reduces helpdesk costs
Improves compliance outcomes
Increases user productivity and satisfaction

Key Asks from TechEd 2011


Broader user reach
Meet organizational security requirements
Broader browser support
Mobile device support
Enhanced knowledge-based authentication
SMS authentication
Email authentication
Portal customization
Programmatic registration
Streamlined deployment

Improved user experience

FIM 2010 R2 Password Reset Components


Example Topology (diagram)
End User: Browser, Mobile Phone
Reverse Proxy
FIM Password Reset Portal, FIM Password Registration Portal
End User Browser: Windows FIM Password Reset Extensions (optional)
FIM Service
FIM Sync Service
Active Directory
FIM Admin
Email provider (optional), SMS Provider (optional)
Other Directories (optional)

Installation of FIM Password Portals

Choose to install Password Portals
Specify whether host is extranet accessible
Specify AD user account for Portal
Password Portals visible in IIS Manager

Post installation configuration

Configure SSL

Ensure appropriate Kerberos configuration
http://setspn.blogspot.com/search/label/Kerberos
http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
http://support.microsoft.com/kb/929650

Proxy configuration (if Internet-facing)

Localization
Password Reset & Registration Portals, FIM Password Reset Extensions
33 languages: Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian

FIM Portal and Service
19 languages: Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish

First, deploy the R2 Server components


Existing SSPR scenarios will continue to work

Then, deploy the R2 client


R2 client requires the password registration portal

Optionally:
Modify workflow configuration to use new & improved gates

Gates compared (Gate; Reach; Secured by; Considerations)

QA Gate
Reach: All users
Secured by: User knowledge
Considerations: Usability of questions with sufficient security

OTP SMS Gate
Reach: Users with SMS-capable mobile phones
Secured by: Access to mobile phone
Considerations: Requires contract & integration with SMS service provider

OTP Email Gate
Reach: Users with email accounts not secured by organizational password
Secured by: Access to email account
Considerations: Compliance with organizational security policies

Registration user experience for OTP gates (User Experience; How to Achieve this Experience)

User enters mobile phone number and/or email address
Configure gate to be Read-Write (default)

User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience
Configure gate to be Read-Write; set value of user's OTPMobilePhone and/or OTPEmailAddress (e.g., via workflow, PowerShell)

User sees mobile phone number and/or email address, but cannot edit it inline
Configure gate to be Read Only; set value of user's OTPMobilePhone and/or OTPEmailAddress (e.g., via sync)

Registration cmdlets (Purpose; Required Parameters)

Gets template for an authentication workflow
Required parameters: AuthenticationWorkflowName

Registers one user for one authentication workflow
Required parameters: UserName, AuthenticationWorkflowName

Unregisters one user from one authentication workflow
Required parameters: UserName, AuthenticationWorkflowName

Returns true if the specified user is registered for the specified workflow, otherwise returns false
Required parameters: UserName, AuthenticationWorkflowName

Migration to FIM Password Reset

Scenario: Migrate to FIM Password Reset without requiring registered users to re-register
Goal: Register existing users for FIM Password Reset without user interaction
Approach: Write a script to read data from the existing solution, and use this data to register users for FIM Password Reset

Automate user registration for FIM Password Reset

Scenario: Organization has an existing business process that collects all data needed for password reset
Goal: Register existing and new users for FIM Password Reset without user interaction
Approach:
Existing users: Write a script to get data from the target system, and use this data to register users for FIM Password Reset
New/modified users: Script or code to invoke the cmdlet when a user is created or has new data

Automated deregistration

Scenario: Organization wants users to periodically re-register for FIM Password Reset
Goal: Cause users to be prompted for re-registration on a defined schedule
Approach:
Implement a process to identify users who are targeted for re-registration
Write a script to deregister targeted users
Schedule periodic execution of that script
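The migration and automated deregistration scenarios above, scripted against the registration cmdlets listed earlier, as an added example that is not part of the deck. It assumes the FIM password reset cmdlets are loaded on the FIM Service host, a workflow named "Password Reset AuthN Workflow", a constructed CSV exported from the legacy solution, a placeholder domain CONTOSO, and that the registration template exposes gate data as GateRegistrationTemplates[].Data[] entries with Name and Value.

```powershell
# Added example (not from the deck). Run on the FIM Service host with the
# FIM password reset cmdlets loaded. Assumed names are marked as such.
$Workflow = "Password Reset AuthN Workflow"   # workflow name (assumption)

# --- Migration: register legacy users without user interaction ---
# Constructed input: legacy-sspr-export.csv with columns SamAccountName,OtpMobilePhone
$legacy   = Import-Csv ".\legacy-sspr-export.csv"
$failures = @()
foreach ($row in $legacy) {
    $user = "CONTOSO\$($row.SamAccountName)"      # CONTOSO is a placeholder domain
    # Idempotent: skip users who already registered through the portal
    if (Test-AuthenticationWorkflowRegistration -UserName $user -AuthenticationWorkflowName $Workflow) {
        continue
    }
    try {
        $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName $Workflow
        # Template layout is an assumption, so locate the OTP SMS gate entry by name
        foreach ($gate in $template.GateRegistrationTemplates) {
            foreach ($item in $gate.Data) {
                if ($item.Name -like "*Mobile*") { $item.Value = $row.OtpMobilePhone }
            }
        }
        Register-AuthenticationWorkflow -UserName $user -AuthenticationWorkflowName $Workflow -RegistrationData $template
    } catch {
        # Record the user only, never the registration data (phone numbers, answers)
        $failures += $user
        Write-Warning "Registration failed for ${user}: $($_.Exception.Message)"
    }
}
$failures | Set-Content ".\registration-failures.txt"

# --- Automated deregistration: force re-registration on a schedule ---
# Constructed input: reregister-targets.txt, one DOMAIN\user per line, produced by
# the organization's own targeting process (e.g. registrations older than policy allows)
function Invoke-ScheduledDeregistration {
    param([string]$TargetFile = ".\reregister-targets.txt")
    foreach ($user in (Get-Content $TargetFile | Where-Object { $_.Trim() })) {
        if (Test-AuthenticationWorkflowRegistration -UserName $user -AuthenticationWorkflowName $Workflow) {
            Unregister-AuthenticationWorkflow -UserName $user -AuthenticationWorkflowName $Workflow
            Write-Output "Deregistered $user; the portal will prompt them to re-register"
        }
    }
}
Invoke-ScheduledDeregistration   # run periodically from Task Scheduler
```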

Higher bar for extranet reset requests


Approach
New property for an authentication gate: Security Context
Administrator can optionally configure a workflow so that one or more gates apply only to requests from the extranet

Example:
QA Gate applies to all requests
OTP SMS Gate applies only to requests from the extranet

Higher bar for extranet reset requests


How it works
Setup
Admin designates FIM Password Portals as being intranet or extranet facing
Admin designates identities for IIS app pools used by FIM Password Portals, which are well known to the FIM Service

User Register or Reset request
Request to FIM Password Portals includes optional SecurityContext property in SOAP header: Extranet, Password or NoneSpecified
FIM Service stamps value on the Security Context property of the request in the FIM Service
Authentication workflow: Extranet-only gates execute only for requests from the extranet

QA Gate

Number of questions: in the gate, shown to the user, required for registration, required for reset
Allowed answers
Text to describe allowed answers to users

OTP Email Gate

Whether email address is editable by user during registration
Length of one-time password
Email template for sending the one-time password

One-Time Password SMS Gate

Whether mobile phone is editable by user
Length of one-time password
SMS text message that contains the security code

One-Time Password SMS Gate: architecture (diagram)

Windows Server, FIM Service: FIM OTP SMS Gate -> SMS Provider DLL -> SMS Provider -> User's Cellular Service Provider -> User's Cellphone

Typical steps include:
Choose an SMS provider and establish a service relationship
Get documentation for the protocol/API which is implemented by the SMS service provider
Write SMS Provider to target this protocol/API
Compile this code into a DLL with a specific filename
Deploy this DLL to the host of the FIM Service machine into a specific location

One-Time Password SMS Gate: API


public void SendSms( string mobileNumber, string message, Guid requestId, Dictionary<string, object> deliveryAttributes )

http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx
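The "write, compile, deploy" steps and the SendSms API above, carried through end to end as an added example that is not from the deck or from Microsoft. It assumes a hypothetical HTTPS SMS gateway, that the interface lives in the namespace Microsoft.IdentityManagement.SmsServiceProvider, and that the required DLL name, drop folder and referenced assembly are as shown; confirm those against the linked TechNet article.

```powershell
# Added example (not from the deck). Builds and deploys an SMS provider for the
# FIM OTP SMS Gate. Gateway, DLL name, drop folder and the assembly defining
# ISmsServiceProvider are assumptions; confirm them in the linked article.
$fimService  = "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service"
$providerRef = Join-Path $fimService "Microsoft.IdentityManagement.SmsServiceProvider.dll"  # assumed
$outputDll   = Join-Path $fimService "SmsServiceProvider.dll"                                # assumed

$source = @'
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using Microsoft.IdentityManagement.SmsServiceProvider;

public class SmsServiceProvider : ISmsServiceProvider
{
    // Hypothetical HTTPS gateway. The API key is read from a file whose ACL
    // limits it to the FIM Service account; it is never hard-coded or logged.
    const string GatewayUrl = "https://sms.example.invalid/send";
    static readonly string ApiKey = File.ReadAllText(@"C:\ProgramData\FimSms\apikey.txt").Trim();

    public void SendSms(string mobileNumber, string message, Guid requestId,
                        Dictionary<string, object> deliveryAttributes)
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var req = (HttpWebRequest)WebRequest.Create(GatewayUrl);
        req.Method = "POST"; req.Timeout = 10000;
        req.ContentType = "application/x-www-form-urlencoded";
        req.Headers["Authorization"] = "Bearer " + ApiKey;
        // The body carries the one-time password: it is sent, never written to a log.
        byte[] body = Encoding.UTF8.GetBytes("to=" + Uri.EscapeDataString(mobileNumber)
                      + "&text=" + Uri.EscapeDataString(message));
        using (Stream s = req.GetRequestStream()) s.Write(body, 0, body.Length);
        using (var resp = (HttpWebResponse)req.GetResponse())
        {
            // Anything but success throws, so the gate fails closed; the exception
            // names only the correlation id, not the message or the number.
            if (resp.StatusCode != HttpStatusCode.OK)
                throw new InvalidOperationException("SMS gateway returned " + resp.StatusCode + " for request " + requestId);
        }
    }
}
'@

Add-Type -TypeDefinition $source -ReferencedAssemblies $providerRef -OutputAssembly $outputDll
Restart-Service FIMService   # the FIM Service loads the provider DLL at start-up
```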

SSPR Portal Customization


Requirements
Enable admin to customize portal for their environment Account for global user populations Preserve good experience on upgrade

Approach
Admin can define overrides to default portal user experience elements

Scope
Banner graphics User interface text Theme: font, color, layout

http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)

<?xml version="1.0" encoding="utf-8"?>
<root>
  <resheader name="resmimetype">
    <value>text/microsoft-resx</value>
  </resheader>
  <resheader name="version">
    <value>2.0</value>
  </resheader>
  <resheader name="reader">
    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
  </resheader>
  <resheader name="writer">
    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
  </resheader>
  <!-- Customizations begin here -->
  <data name="StringName" xml:space="preserve">
    <value>Customized String Value</value>
  </data>
</root>

http://technet.microsoft.com

In Review (Area; FIM 2010; FIM 2010 R2)

End User Interface
FIM 2010: Windows desktop logon (reset only)
FIM 2010 R2: Windows desktop login; Web portal supporting multiple browsers

Authentication Challenges
FIM 2010: QA gate
FIM 2010 R2: QA gate with configurable constraints; Authentication via SMS, email

Customization
FIM 2010: Different questions
FIM 2010 R2: Different questions, different gates; Higher bar for extranet-based requests; Configurable UI for the SSPR portal

Reporting

FIM Portal (recent requests)
FIM Reporting Database (historical changes)

Takeaways: FIM self-service password reset


Reduces helpdesk costs
Self-service password reset means fewer calls to the helpdesk

Improves compliance outcomes


Automated process enforces compliance Easier and less expensive to prove compliance

Increases user productivity and satisfaction


Self-service means faster service, with no involvement of other people


http://northamerica.msteched.com
