If you are setting up Password Reset...
I want to know how much time and pain you've spent on creating the Sets and MPRs to enable the "Helpdesk Unlock Scenario" i.e. an user is locked out, the helpdesk guy goes to the portal to unlock the user 1. Are you using helpdesk to unlock the user, if you are using Lockout Gate? 2. How much time did you spent in creating the Sets and MPRs? 3. Were you able to configure it successfully the first time? 4. Was the documentation accurate or confusing? 5. Overall, how would you comment on your experience? 6. If there is no default Sets and MPRs, would you end up with support calls? I will aggregate the data and forward that to the feature team.
October 20th, 2009 2:02am

These are pretty interesting questions.Could someone please hop in?I believe, there is no way for the documentationtobe confusing - right :o)Cheers,MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation
Free Windows Admin Tool Kit Click here and download it now
October 21st, 2009 12:51pm

I've attempted to setup Self-Service Password Reset using RC0, but never managed to get it working. I'm planning on trying again with RC1.I was able to import Active Directory data into the metaverse, butI was constantly ending up with duplicaterecords (two for each user) once the data was exported into the ILM database. I also had all kinds of funky permission issues with Sharepointeven though I followed the instructions to a T.The whole config process of setting up the Sets and MPRs was tedious and especially painful when it didn't work in the end.The documentation was a bit confusing because ofthe multiple articles plus errata corrections that were required.I realize that ILM is a product that can be used to accomplish a wide range of solutions and isn't designed solely to be used for Self-Service Password Resets, but given the number of third party apps already on the market that are designed to this Ithought Microsoft would have put together a solution that was easier to implement. Ithink a simplerADAM based web application would have been a better way for Microsoft to tackle Self-Service Password Reset.Even though I'm anAdmin and not a DeveloperI'm actually considering building my own web app for password resets instead of banging my head against the wall again with ILM.
October 30th, 2009 7:21pm

Very true. For RC0, it's indeed very hard to setup for SSPR (to create those MPRs, Sets and all that) Try RC1, you will be surprised that it's much easier now (all u need to do is to enable 6 MPRs) In this thread, i am trying to see if we have done enough for RC1 to fix the problem you had
Free Windows Admin Tool Kit Click here and download it now
October 30th, 2009 8:46pm

I have installed RC1 all on a consolidated virtual windows 2008 r2 server in my development domain in order to assess "out of the box" password reset and user provisioning and deprovisioning. Next action is to import active directory. Do I follow Publishing Active Directory Users from Two Authoritative Data Sources Article even though I am not connecting to an HR database? If you can assist in help me narrow exactly what I need to do to connect to my Directory services in Developement domain that would be helpful.Thanks ahead.
January 20th, 2010 7:18am

Hi Anthony,I have followed the instructions to enable helpdesk to manage users. The SSPR is working and I'm able to register and reset my password. I've tested with serveral accounts in my lab. I followed steps H1 to H5. For step H5 it does not specify the target resource definition before request in the instructions (looks like something is missing in the instructions). Leaving this setting blank does not allow you to continue so I assumed this would be the password reset users set. The resource type brought up three selections. I wasn't sure which one to select so just selected the first option. I've manually added an acccount to the helpdesk user set. When I logon to the portal, http://server/identitymanagement there is no administration on my navigation bar nor is there an unlock user option. I get the default page as a regular user. Are there additional steps I'm missing to allow my helpdesk user set to see the administration/unlock user selection? I deliberately locked out an account to see if I could unlock. Unfortunately was not able to find the user with the user account that is in the helpdesk set.Has anyone successfully implemented the helpdesk to manage users?Regards,Nathalie
Free Windows Admin Tool Kit Click here and download it now
February 15th, 2010 10:28pm

notice FIM consists of two parts: FIMService (the window service) and the Portal the Portal just presents u the UI and such... vs the MPR grants you permission to talk to FIMService directly. there are multiple ways to do that 1) ugly, get the url of the Admin unlock page and type the URL into the browser 2) customize the Navigation bar of the portal for Helpdesk User Set basically you want to create a Navbar configuration object (http://server/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=NavigationBarConfiguration&display=Navbar+Configurations) then set the link to ~/IdentityManagement/aspx/authnadmin/AllAuthNUsers.aspx then grant Helpdesk User set read permission on that object To understand how Navbar conf object works Look at the MPR "General: Users can read non-administrative configuration resources", the set definition for "All Basic Configuration Objects" and the "keyword" attribute in the NavBar config object P.S. same thing applies for homepage configuration objectThe FIM Password Reset Blog http://blogs.technet.com/aho/
February 16th, 2010 3:35am

Hi Anthony,I was able to finally setup the helpdesk UI after being sidetracked with other things. Thank you for the reference to the MRP and the keyword useage. That really helped. On the "Introduction to Password reset" docs, the MPR for helpdesk user step H5, is there a missing Target Resource definition before request? Should this be the password reset users set? Also when you enter Resource type for the resource attribute there are several selection for resource type. Does it matter which one is selected?I have added a user manually to the helpdesk user set. Locked out a user from being able to unlock his own account. When logging as the user that I have added manually to the helpdesk user set on the the portal to unlock the user, I'm not able to search for the user. I know he is in the portal (search with another privileded account). What am I missing? I'm probably just missing something simple. I just can't see it.Regards,Nathalie
Free Windows Admin Tool Kit Click here and download it now
March 10th, 2010 7:56pm

It looks like the Password Docs are still confusing and not complete. http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx The UI piece is not mentioned and when you try to test out the scenario, you cannot get the Admin UI. This should be added to the documentation. The Target Resource definition before request should be Password Reset User Set. The 2 Attributes that need to be selected should be from the user class, click browse then from the searchwithin dropdown select user. This will get you to the next steps, I will provide the UI change later since it's not in the docs.Joe Stepongzi - Identity Management Consultant - ILM MVP - www.microsoftIdM.com,ilmXframework.codeplex.com
May 7th, 2010 8:38pm

For all people interested, I wrote two posts about this topic: One with the necessary corrections to the step H5 in the SSPR deployment guide: http://setspn.blogspot.com/2010/09/fim-sspr-unlock-delegation-procedure.html And one with the necessary configuration steps for the UI: http://setspn.blogspot.com/2010/10/fim-sspr-unlock-delegation-ui.html http://setspn.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
October 2nd, 2010 2:37pm

For all people interested, I wrote two posts about this topic: One with the necessary corrections to the step H5 in the SSPR deployment guide: http://setspn.blogspot.com/2010/09/fim-sspr-unlock-delegation-procedure.html And one with the necessary configuration steps for the UI: http://setspn.blogspot.com/2010/10/fim-sspr-unlock-delegation-ui.html http://setspn.blogspot.com I have followed this configuration for the Helpdesk UI Perfectly numerous times and still have had no luck with anything appearing in the portal on a client pc with a user in the helpdesk pool.. unfortunately I'm not even sure where to begin to ask whats wrong, but any help you could offer would be super!
January 25th, 2011 3:06pm

For all people interested, I wrote two posts about this topic: One with the necessary corrections to the step H5 in the SSPR deployment guide: http://setspn.blogspot.com/2010/09/fim-sspr-unlock-delegation-procedure.html And one with the necessary configuration steps for the UI: http://setspn.blogspot.com/2010/10/fim-sspr-unlock-delegation-ui.html http://setspn.blogspot.com I have followed this configuration for the Helpdesk UI Perfectly numerous times and still have had no luck with anything appearing in the portal on a client pc with a user in the helpdesk pool.. unfortunately I'm not even sure where to begin to ask whats wrong, but any help you could offer would be super!
Free Windows Admin Tool Kit Click here and download it now
January 25th, 2011 3:06pm

I think it might be a better idea to start a new topic (Question) and nicely explain what you have done and what the problem is. If you don't see any "customized" UI elements, you probably mixed something up regarding the MPR or Usage Keywords. http://setspn.blogspot.com
January 25th, 2011 3:18pm

I think it might be a better idea to start a new topic (Question) and nicely explain what you have done and what the problem is. If you don't see any "customized" UI elements, you probably mixed something up regarding the MPR or Usage Keywords. http://setspn.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
January 25th, 2011 3:18pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics