Takeaways: FIM self-service password reset
• Reduces helpdesk costs
• Improves compliance outcomes
• Increases user productivity and satisfaction
Key Asks from TechEd 2011
• Broader user reach: broader browser support; mobile device support
• Meet organizational security requirements: enhanced knowledge-based authentication; SMS authentication; email authentication
• Improved user experience: portal customization; programmatic registration; streamlined deployment

FIM 2010 R2 Password Reset Components: Example Topology
(Diagram) Components: End User Browser, Mobile Phone, Reverse Proxy, FIM Password Reset Portal, FIM Password Registration Portal, FIM Service, FIM Admin, FIM Sync Service, Active Directory, Windows FIM Password Reset Extensions; optional: Email provider, SMS Provider, Other Directories.

Installation of FIM Password Portals (setup screens)
• Choose to install Password Portals
• Specify whether host is extranet accessible
• Specify AD user account for Portal
• Password Portals visible in IIS Manager

Post installation configuration
• Configure SSL
• Ensure appropriate Kerberos configuration:
  http://setspn.blogspot.com/search/label/Kerberos
  http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx
  http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-forkerberos-authentication-with-iis-7-0.aspx
  http://support.microsoft.com/kb/929650
• Proxy configuration (if Internet-facing)

Localization
• Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages
  Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
• FIM Portal and Service: 19 languages
  Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish

• First, deploy the R2 Server components; existing SSPR scenarios will continue to work
• Then, deploy the R2 client; the R2 client requires the password registration portal
• Optionally: modify workflow configuration to use new & improved gates

Authentication gates (Gate / Reach / Secured by / Considerations)
• QA Gate: reach: all users; secured by: user knowledge; considerations: usability of questions with sufficient security
• OTP SMS Gate: reach: users with SMS-capable mobile phones; secured by: access to mobile phone; considerations: requires contract & integration with SMS service provider
• OTP Email Gate: reach: users with email accounts not secured by organizational password; secured by: access to email account; considerations: compliance with organizational security policies

OTP gate user experience (User Experience / How to Achieve this Experience)
• User enters mobile phone number and/or email address: configure gate to be "Read-Write" (default)
• User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience: configure gate to be "Read-Write"; set value of users' OTPMobilePhone and/or OTPEmailAddress (e.g., via workflow, PowerShell)
• User sees mobile phone number and/or email address, but cannot edit it inline: configure gate to be "Read Only"; set value of users' OTPMobilePhone and/or OTPEmailAddress (e.g., via sync)

Registration cmdlets (Purpose / Required Parameters)
• Gets template for an authentication workflow: AuthenticationWorkflowName
• Registers one user for one authentication workflow: UserName, AuthenticationWorkflowName
• Unregisters one user from one authentication workflow: UserName, AuthenticationWorkflowName
• Returns true if the specified user is registered for the specified workflow, otherwise returns false: UserName, AuthenticationWorkflowName

Migration to FIM Password Reset
• Scenario: migrate to FIM Password Reset without requiring registered users to re-register
• Goal: register existing users for FIM Password Reset without user interaction
• Approach: write a script to read data from the existing solution, and use this data to register users for FIM Password Reset

Automate user registration for FIM Password Reset
• Scenario: organization has an existing business process that collects all data needed for password reset
• Goal: register existing and new users for FIM Password Reset without user interaction
• Approach: existing users: write a script to get data from the target system, and use this data to register users for FIM Password Reset; new/modified users: script or code to invoke the cmdlet when a user is created or has new data

Automated deregistration
• Scenario: organization wants users to periodically re-register for FIM Password Reset
• Goal: cause users to be prompted for re-registration on a defined schedule
• Approach: implement a process to identify users who are targeted for re-registration; write a script to deregister targeted users; schedule periodic execution of that script

Higher bar for extranet reset requests: Approach
• New property for an authentication gate: "Security Context"
• Administrator can optionally configure a workflow so that one or more gates apply only to requests from the extranet
• Example: QA Gate applies to all requests; OTP SMS Gate applies only to requests from the extranet

Higher bar for extranet reset requests: How it works
• Setup: admin designates FIM Password Portals as being intranet or extranet facing; admin designates identities for IIS app pools used by FIM Password Portals, which are well known to the FIM Service
• User request to register or reset password: FIM Password Portals include the optional SecurityContext property in the SOAP header, "Extranet" or "NoneSpecified"; the FIM Service stamps the value on the Security Context property of the request in the FIM Service
• Authentication workflow: extranet-only gates execute only for requests from the extranet

Question and Answer Gate configuration
• Number of questions: in the gate; shown to the user; required for registration; required for reset
• Allowed answers
• Text to describe allowed answers to users

One-Time Password Email Gate configuration
• Whether email address during registration is editable by user
• Length of one-time password
• Email template for sending the one-time password

One-Time Password SMS Gate configuration
• Whether mobile phone is editable by user
• Length of one-time password
• SMS text message that contains the security code

One-Time Password SMS Gate
(Diagram) Windows Server: FIM Service, FIM OTP SMS Gate, SMS Provider DLL; then SMS Provider, User's Cellular Service Provider, User's Cellphone.
Typical steps include:
• Choose an SMS provider and establish a service relationship
• Get documentation for the protocol/API which is implemented by the SMS service provider
• Write SMS Provider to target this protocol/API
• Compile this code into a DLL with a specific filename
• Deploy this DLL to the host of the FIM Service machine into a specific location

One-Time Password SMS Gate: API
    public void SendSms(
        string mobileNumber,
        string message,
        Guid requestId,
        Dictionary<string, object> deliveryAttributes
    )
http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx

SSPR Portal Customization
• Requirements: enable admin to customize portal for their environment; account for global user populations; preserve good experience on upgrade
• Approach: admin can define overrides to default portal user experience elements
• Scope: banner graphics; user interface text; theme (font, color, layout)
http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)

Resource file example:
    <?xml version="1.0" encoding="utf-8"?>
    <root>
      <resheader name="resmimetype">
        <value>text/microsoft-resx</value>
      </resheader>
      <resheader name="version">
        <value>2.0</value>
      </resheader>
      <resheader name="reader">
        <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <resheader name="writer">
        <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <!-- Customizations begin here -->
      <data name="StringName" xml:space="preserve">
        <value>Customized String Value</value>
      </data>
    </root>
http://technet.microsoft.com

In Review (Area / FIM 2010 / FIM 2010 R2)
• End User Interface: FIM 2010: Windows desktop logon (reset only). FIM 2010 R2: Windows desktop login; web portal supporting multiple browsers
• Authentication Challenges: FIM 2010: QA gate. FIM 2010 R2: QA gate with configurable constraints; authentication via SMS, email
• Customization: FIM 2010: different questions. FIM 2010 R2: different questions, different gates; higher bar for extranet-based requests; configurable UI for the SSPR portal
• Reporting: FIM 2010: FIM Portal (recent requests). FIM 2010 R2: FIM Portal (recent requests); FIM Reporting Database (historical changes)

Takeaways: FIM self-service password reset
• Reduces helpdesk costs: self-service password reset means fewer calls to the helpdesk
• Improves compliance outcomes: an automated process enforces compliance; easier and less expensive to prove compliance
• Increases user productivity and satisfaction: self-service means faster service, with no involvement of other people

http://northamerica.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
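The "Automated deregistration" scenario above as a scheduled script built on the registration cmdlets. This is an added example, not code from the TechEd deck or from the FIM product; it assumes the FIMAutomation snap-in, the cmdlet names Test-AuthenticationWorkflowRegistration and Unregister-AuthenticationWorkflow (the deck gives only their purpose and parameters), the default workflow name "Password Reset AuthN Workflow", and a constructed candidate list standing in for the organization's own process that identifies users due for re-registration.

```powershell
# Added example: scheduled deregistration so users are prompted to re-register.
# Assumptions (not from the deck): FIMAutomation snap-in, the two cmdlet names
# below, and the default workflow name. Run under a FIM administrator account.
param(
    [string]$WorkflowName = "Password Reset AuthN Workflow",
    [int]$MaxRegistrationAgeDays = 365,
    [string]$LogPath = "$env:ProgramData\SsprDeregistration.log",
    [switch]$DryRun
)

Add-PSSnapin FIMAutomation -ErrorAction Stop

# The deck leaves "identify users targeted for re-registration" to the
# organization's own process (HR export, reporting query, ...). This constructed
# list stands in for it: user name plus the date of the last registration.
$candidates = @(
    [pscustomobject]@{ UserName = "CONTOSO\alice"; LastRegistered = (Get-Date).AddDays(-400) },
    [pscustomobject]@{ UserName = "CONTOSO\bob";   LastRegistered = (Get-Date).AddDays(-30)  }
)

$cutoff  = (Get-Date).AddDays(-$MaxRegistrationAgeDays)
$targets = $candidates | Where-Object { $_.LastRegistered -lt $cutoff }

foreach ($user in $targets) {
    $entry = "{0:u} {1}" -f (Get-Date), $user.UserName
    try {
        # Ask the FIM Service rather than trusting the input list: only users it
        # reports as registered for this workflow are deregistered.
        $registered = Test-AuthenticationWorkflowRegistration -UserName $user.UserName `
                          -AuthenticationWorkflowName $WorkflowName
        if (-not $registered) { Add-Content $LogPath "$entry not registered, skipped"; continue }
        if ($DryRun)          { Add-Content $LogPath "$entry would be deregistered (dry run)"; continue }

        Unregister-AuthenticationWorkflow -UserName $user.UserName `
            -AuthenticationWorkflowName $WorkflowName
        Add-Content $LogPath "$entry deregistered; user will be prompted to re-register"
    } catch {
        # Log and continue so one failing user does not abort the scheduled run.
        Add-Content $LogPath "$entry FAILED: $($_.Exception.Message)"
    }
}
```

Run it once with -DryRun to review the log before scheduling it (for example with Task Scheduler) as the deck's "schedule periodic execution" step.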