Options
Search
  • Advanced search options...
Tags
Archive
Archives

Forefront Identity Manager - Credential Management, Part 4

TechNet Blogs > Anthony Ho > Forefront Identity Manager - Credential Management, Part 4

Forefront Identity Manager - Credential Management, Part 4

8 Nov 2009 10:27 PM
  • Comments 20

This post talks about how client interacts with the server during the course of Self-Service Password Reset Registration and Reset. Majority of the information can be found from either client-side or server-side log. The implementation is subjected to change. If you were to develop a custom SSPR client based on the information below, please make sure what you do is supported.

Deep Dive into Self-Service Password Reset

Components and terminologies:

  • Gate Framework (GF), client side unmanaged component. It handles the UI of varies gates and the password reset screen.
  • PasswordProxy (Proxy), aka FIMPasswordReset, client side managed component. It acts as a proxy between Gate Framework and FIM Service.
  • FIM Service
  • Secure Token Service (STS), a component of FIM Service that issues tokens

Communication channels used:

  • Between Gate Framework (GF) and PasswordProxy uses namepipe because GF is native and PasswordProxy is managed.
  • Between PasswordProxy and FIMService/STS uses WCF.
  • Between FIMService and FIMSynchronizationService uses WMI.

Registration Sequence

  1. C:\Windows\System32\MsPwdRegistration.exe auto starts when user logon.
  2. It performs some housekeeping routines and call into GF to initiate the registration sequence.
  3. GF establishes a secured name pipe to Proxy.
  4. Proxy will then
    1. Lookup the user guid: /Person[Domain='...' and Account='...']
    2. Lookup all possible AuthN WFs that can be used by the user for SSPR
      /MPR[Disabled=false && (PrincipalSet=Anonymous && ResourceCurrentSet=/Set[ComputedMember='user guid']) && ActionType='Modify' && ActionParameter='ResetPassword']/AuthenticationWorkflowDefinition
    3. For each AuthN WF, determine if the user:
      1. Has registered or not (User.AuthNWFRegistered attribute).
      2. Is locked out or not (User.AuthNWFLockedout attribute).
    4. Return to GF with one of the value:
      1. Registration required, when one or more AuthN WFs is not registered.
      2. LockedOut, when user is locked out of one or more AuthN WFs.
      3. Registration Optional otherwise.
  5. If the return value is not Registration Optional, GF will display the Registration Welcome Screen.
  6. To register, Proxy sends a Put request to add the AuthN WF Guid to User.AuthNWFRegistered.
  7. This request will trigger the AuthN WF "System Workflow Required for Registration" caused by MPR "General workflow: Registration initiation for authentication activity" and Proxy will receive an AuthNRequiredFault.
  8. The AuthN fault contains the endpoint address of STS that the client needs to talk to to obtain a token.
  9. Proxy then relays message between GF and STS. STS will send a list of challenges (e.g. Q&A) and GF will display the questions and reply back with the answers that user inputs, etc etc.
  10. At the end of the challenge-response sequence with the STS, STS will issue a token indicating the User has passed the AuthN WF.
  11. Proxy then resumes the original request with the STS token.
  12. After that, the request goes through the normal AuthZ, Commit and Action phases.

Reset Sequence

  1. User clicks on the "Reset Password" link on the logon screen.
  2. Gina/Credential Provider calls into GF to initiate the reset sequence.
  3. GF establishes a secure channel with Proxy.
  4. Proxy sends a Put request which Modify User.ResetPassword attribute.
  5. This request will trigger the AuthN WF "Password Reset AuthN Workflow" caused by MPR "Anonymous users can reset their password" and Proxy will receive an AuthNRequiredFault.
  6. Proxy then obtains a STS token and resumes the request just like during registration.
  7. The request goes through the normal AuthZ, Commit and Action phases.
  8. During Action phase, it will kick off Action WF "Password Reset Action Workflow".
  9. This workflow will listen on an endpoint awaiting user to input their new password.
  10. Once the Password Reset Action Workflow receives the new password, it will, under the FIMService service account context, make a WMI call to the FIMSynchronizationService to perform a SetPassword.
  11. FIMSynchronizationService, under the AD MA account context, will talk to the primary domain controller (PDC) to reset the user password.

That's it. Feel free to leave me a message if you need clarification.

, ,
Comments
  • 12 Nov 2009 11:00 AM

    Your Blog is fantastic Anthony.

    Awesome to see some more detail of how everything works under the hood, sure it will help everyone sort out minor quirks.

  • 21 Nov 2009 2:50 AM
  • Rodney Pieper
    12 Apr 2010 11:38 AM

    What is the capability to configure the Password reset to resist BruteForce exploit? Can teh period between attempts be extended after a given number of attempts, or can the process be locked after a number of failures?

  • 12 Apr 2010 12:11 PM

    You can use Lockout Gate described in my Part 2

    http://blogs.technet.com/aho/archive/2009/10/04/forefront-identity-manager-credential-management-part-2.aspx

  • Martin
    25 Mar 2011 5:49 AM

    Anthony,

    if I use the PW Reset portal for resetting the PW, what does this add to the scenario you describe?

  • 25 Mar 2011 10:22 AM

    the reset sequence will become

    Reset Sequence

      1. User clicks on the "Reset Password" link on the password portal

      2. The portal invoke an ActiveX which instantiates GF

      3. GF establishes a secure channel with Proxy.

    Rest is the same

  • Cameron
    7 Apr 2011 4:41 PM

    Anthony,

    Is there a way of forcing the registration of answers - ie making the registration screen un-cancellable?

  • 7 Apr 2011 5:36 PM

    No, we intentionally did not implement this feature. Image a VP is preparing a demo/presentation for the next billion-dollar contract. Forcing him to register is a no-go. If you have business justification for that, feel free to communicate that with MS Product Support Service. We take feedback seriously :)

  • Cameron
    18 Apr 2011 9:17 PM

    Hi Anthony,

    Is there a supported way of 'injecting' answers in to the system based on user attributes (ie employee number) rather than having to ask the users to fill out answers?

    I found this - but this is a custom workflow etc blog.aesthetixsoftware.com/.../how-to-bulk-register-users-for-password-reset-in-fim and perhaps not supported by Microsoft?

  • 18 Apr 2011 9:23 PM

    That might work but It is not currently supported. Please contact Microsoft Product Support Service (PSS) with your scenarios and business justifications. We would love to hear from you.

  • Cameron
    12 May 2011 11:19 PM

    Hi Anthony, are there any command line switches on MsPwdRegistration.exe? Say to provide a boolean whether or not a user acct has registered? Or alternatively a registry key that is set on a successful registration?

    Looking to do a login script entry that disables if that user has registered. I appreciate it could be done by sets populating groups, but that could get messy longer term.

  • 12 May 2011 11:23 PM

    Hi Cameron, would you like to elaborate a bit on what you are trying to achieve. It's unclear to me what you meant by "a login script entry that disables if that user has registered". What's your ultimate goal?

  • Cameron
    15 May 2011 3:14 PM

    Hi Anthony,

    The FIM client asks for your password etc, and is not branded as per our organisation. AFAIK - it can't be branded differently in this release. This has caused some within our org to raise concerns that some of our users might think it is spyware etc.

    As such, we are going to trigger a web page to run in the login script before the SSPR registration runs that will explain the process and show screenshots etc. This only needs to run up until the user has registered - hence the question about disabling that part running based around a registry key or a returned value.

  • 15 May 2011 3:27 PM

    Hi, the registration is triggered by MsPwdRegistration.exe. One way to achieve that is for you to:

    1. disable MsPwdRegistration.exe in startup

    2. in your web, check if the user is registered or not via webservice

    3. if not, prompt the user for registration via MsPwdRegistration.exe

    There are some work we are doing which I can't discuss. However, I would strongly encourage you to contact PSS and tell us your need and business justification for having a custom branding in the rich client. Having more feedback from customers allow us to prioritize our work according to customer needs.

  • Alex O
    26 May 2011 5:05 PM

    Hi Anthony,

    Thanks a lot for all in info you provided. Could you please let me know, if there any way to customize the look and feel of the Registration and password Reset screens/dialogs in the FIM password reset client? Such as having the company logo or some sort of disclaimer/warning, etc.

    Thanks

Page 1 of 2 (20 items) 12
Leave a Comment
  • Please add 6 and 3 and type the answer here:
  • Post