Self Service Password Reset with Email Link Pattern
Background:
- Internet-facing web application (partners, not employees; think Extranet)
- Authentication via Active Directory
- User has a verified email address in Active Directory

Question: Is there a product in the Forefront Suite that can leverage the email address in AD and send the user an email with an expiring URL, then allow the user to change their password after clicking the link?
May 7th, 2012 1:30pm

Yes - you would do this in FIM (you wouldn't need any additional products). You would bring in the last password change date info from AD and set up a time-based MPR that would send an email notification. In that notification you'd have a link to the FIM password management URLs. That's a very 'in-the-box' solution for FIM. If you need further details, let me know.

Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 7th, 2012 6:04pm

In FIM 2010 R2 (which is not yet available) there is an extranet password reset portal which provides an OTP via email once users are registered. I'm not sure if you can skip the Q/A part and only send an OTP via email. Here is some more information on how to configure this in FIM 2010 R2: http://technet.microsoft.com/en-us/library/hh824697(WS.10).aspx or http://blogs.microsoft.co.il/blogs/patrick/archive/2011/12/06/fim-2010-r2-web-based-sspr-using-otp.aspx

Need realtime FIM synchronization and advanced reporting? Check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!
May 8th, 2012 1:42am

I think my "expiring URL" comment was not totally clear. The solution I'm looking for is Self-Service Password Reset on-demand. The process flow would be something like this:

1. User clicks "Reset My Password" on the login page for one of our Extranet web applications
2. User is redirected to the Password Reset app
3. User is asked to input his/her registered email address
4. Email is sent to said address which contains a link back to the Password Reset app, including a one-time use token which would expire after a set period of time
5. User clicks link, thus validating they have access to the email account and their identity is validated (no Q&A)
6. Link opens a web page, allowing User to enter new password (and confirm)
7. User's password is changed in Active Directory
May 8th, 2012 11:01am
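The seven-step flow described in the post above, as an added example that is not from the thread or from any FIM component: a minimal server-side model of the single-use, expiring token carried in the emailed link (steps 4 to 6). The function names, the 15-minute lifetime, the in-memory store and the constructed server key are assumptions; the actual AD password change (step 7) is only performed when `redeem_reset_token` returns a user.

```python
# Added example (not from the thread). Models the emailed one-time-link pattern:
# the link carries an opaque token id + expiry + HMAC; the server keeps the
# binding to the user, so nothing in the link can be edited to pick a victim.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed; in production a managed secret
TOKEN_TTL_SECONDS = 15 * 60            # assumption: link is valid for 15 minutes


@dataclass
class ResetRequest:
    user: str
    expires_at: int
    used: bool = False


# token_id -> request; server-side state so a token can be consumed exactly once
_pending: Dict[str, ResetRequest] = {}


def _sign(token_id: str, user: str, expires_at: int) -> str:
    msg = f"{token_id}|{user}|{expires_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_reset_token(user: str, now: Optional[int] = None) -> str:
    """Step 4: mint the token to embed in the emailed link (user is looked up
    from the registered email; the email itself is not placed in the link)."""
    now = int(time.time()) if now is None else now
    token_id = secrets.token_urlsafe(16)
    expires_at = now + TOKEN_TTL_SECONDS
    _pending[token_id] = ResetRequest(user, expires_at)
    return f"{token_id}.{expires_at}.{_sign(token_id, user, expires_at)}"


def redeem_reset_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Steps 5-6: validate the clicked link. Returns the user whose password
    may now be set, or None (expired, already used, unknown or tampered)."""
    now = int(time.time()) if now is None else now
    try:
        token_id, exp_str, sig = token.split(".")
        expires_at = int(exp_str)
    except ValueError:
        return None
    req = _pending.get(token_id)
    if req is None or req.used or now > expires_at or expires_at != req.expires_at:
        return None
    if not hmac.compare_digest(sig, _sign(token_id, req.user, expires_at)):
        return None
    req.used = True  # single use: consume before the password change happens
    return req.user
```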

Thanks, Paul. This is definitely close to what I need. The problem we have is an international user base. The Q&A pattern totally falls down when users don't have a Driver's Licence or Social Security number. Not to mention the problems with remembering their "favorite" thing from their childhood. We have more support calls because people can't remember the answers to their questions :)
May 8th, 2012 11:07am

Ramsey, OK, that's clearer now. Yes - that's quite a bit different than the built-in functionality. There *is* extensibility for you to build your own additions. However, it would be a good bit of custom work. I assume you're checking all the options out there? If you can find something that's an exact match, go with that. If not, then it's a matter of which product can be used to build your customizations on top of.

Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 8th, 2012 11:34am

It's 99% supported in FIM 2010 R2 except for the following points:

>> 3. User is asked to input his/her registered email address

To make it work, you have to add the email as the user's UPN.

>> 5. User clicks link, thus validating they have access to the email account and their identity is validated (no Q&A)

The one-time password is sent via email as just plain text. The user needs to type that back in the UI. Basically, to add on to Paul's reply, you can take out the QA and just have either OTP-via-SMS or OTP-via-Email.
May 9th, 2012 3:38am

Step 3 would have to happen as part of a registration process while they still know their password - before they need to reset it, of course. ..and step 5 would be the user clicking the link and then entering their login and OTP. Anthony.. what is the expiration of the OTP? How long will it allow you to use the code?

Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 9th, 2012 10:52am

Step 3: FIM 2010 R2 will feature a bulk registration tool (Powershell cmdlets). If you know the email of the user, you can pre-populate that. Step 5: I want to mention there is no LINK in the email; the OTP is sent as plain text. I forgot the expiration time of the OTP. If I were to guess, it's the lifetime of the activity (of the authN workflow), which you can change directly in the XOML.

The FIM Password Reset Blog http://blogs.technet.com/aho/
May 9th, 2012 1:48pm
