The capability of Self-Service Password Reset in Forefront TMG 2010


  • July 29, 2012 4:30

    Hi everyone,

    We currently have an ASP.NET application running for our organization. We also put Forefront TMG 2010 in front of it to authenticate the users who access the ASP.NET application. My employees often forget their passwords and ask my System team to help them reset them. So I really want a Self-Service Password Reset feature on the Forefront TMG 2010 login page, so that my employees have the ability to reset their own passwords themselves. After they reset their password, the email system will send them a confirmation email or an email which includes the password they have changed.

    Does anybody know if Forefront TMG has this capability? I have heard FIM 2010 has such a capability, but I still can't find any documentation covering it. I also got an understanding of how FIM 2010 helps reset passwords from this video: http://technet.microsoft.com/en-us/edge/Self-service-password-Reset-with-FIM-demo.aspx but my case is different from that video.

    Your ideas are always greatly appreciated.

    Regards,

    -T.s


    Thuan Soldier
    SharePoint Vietnam | Blog | Twitter

All replies

  • July 29, 2012 14:01

    Hello,

    This is not really on the TMG side.

    You can develop a Web application and publish it using Forefront TMG for such use and add a link to it on your TMG login page.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

  • July 29, 2012 19:13

    Will your gateway page be 100% public, or require authentication first before the page is displayed to the public end user? If the user's password is expired, temporary, or the account is locked out, they may not be able to access the gateway / logon page, and therefore not be able to access any sort of self-service link. As an added note, typically you would not want to publish a self-service password page that resides on a domain member server, for security reasons. For example, the web server hosting the self-service website functionality should reside on a non-domain server in a secured DMZ, and not require any domain\admin credentials in the web application itself.

    I might suggest looking at Password Reset PRO from www.sysoptools.com. It can sit parallel to your other extranet pages (MOSS, TMG, etc.) and provide secure and fully capable password self-service, and the web portion can be installed on a non-domain server for added security in the perimeter. You would simply publish a link to the self-service page on the TMG logon page, or, if the user is required to authenticate first before the logon page is shown, you would set up IIS to do a custom redirect to the self-service page if they fail the maximum number of logon attempts. For example, instead of getting the typical 403 unauthorized page, your IIS server would automatically redirect to the self-service portal page. From there a user can unlock their account, change an expiring password, change an expired password, or change a temporary password to a permanent one.
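
    The IIS custom-redirect idea in the reply above can be expressed as a web.config fragment for the published site. This is an added example, not configuration from the poster or from any product mentioned in the thread; the portal URL https://sspr.example.internal/ is a placeholder and must be replaced with the address of the actual self-service site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for the site published behind TMG.
     https://sspr.example.internal/ is a placeholder for the self-service portal. -->
<configuration>
  <system.webServer>
    <!-- errorMode="Custom" makes IIS send the custom error to remote clients too;
         existingResponse="Replace" substitutes it even when the application
         already produced a 403 body of its own. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <!-- Remove the inherited default 403 handler so the entry below applies. -->
      <remove statusCode="403" subStatusCode="-1" />
      <!-- Redirect the browser to the self-service portal instead of showing
           the stock 403 page. responseMode="Redirect" treats path as a URL. -->
      <error statusCode="403" subStatusCode="-1"
             path="https://sspr.example.internal/"
             responseMode="Redirect" />
    </httpErrors>
  </system.webServer>
</configuration>
```

    The redirect only changes what the user sees after a failed request; it does not change when Active Directory locks the account or expires the password, and the portal at the target URL remains responsible for verifying the user's identity before any reset or unlock. Keeping the portal on a separate, non-domain host in the DMZ, as the reply recommends, is what limits the blast radius if that portal is compromised.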

  • August 1, 2012 3:48
    Moderator

    Hi,

    Thank you for the post.

    As far as I know, FIM 2010 RTM doesn't support extranet SSPR; all machines that initiate SSPR must be domain joined and part of the network (DirectAccess or VPN). For more information, you may post this thread in our FIM forum: http://social.technet.microsoft.com/Forums/en/ilm2/threads.

    Regards,


    Nick Gu - MSFT

  • August 1, 2012 3:52

    Hi Nick Gu,

    How about FIM 2010 R2? Can you give me a reason for not supporting extranet SSPR? What do you mean by the word "EXTRANET"? I'm one of the users in my organization, so I open the web-based password reset portal when I'm in a coffee shop. Does FIM support this case?

    Regards,


    Thuan Soldier
    SharePoint Vietnam | Blog | Twitter

  • August 1, 2012 4:20
    Moderator

    Hi Thuan Soldier,

    You may refer to this deployment guide to configure SSPR: http://www.microsoft.com/en-us/download/details.aspx?id=29959.

    Regards,


    Nick Gu - MSFT

  • August 1, 2012 4:46

    Hi Nick Gu,

    Thanks for your support.

    I have read it, and it does support publishing Password Reset on the Internet.

    "In fact, the FIM Service, the Synchronization Service and their two databases may actually all be on separate servers. From a security standpoint this is a better solution in that, if you are going to have the password registration and password reset portals externally facing and sitting on the internet, you would not want to expose your FIM Service and Synchronization Service, or their databases, to the internet."

    -T.s


    Thuan Soldier
    SharePoint Vietnam | Blog | Twitter

  • August 3, 2012 2:42
    Moderator

    Hi Thuan Soldier,

    Thank you for the update.

    As I am not familiar with FIM, if you are interested in the SSPR feature, you may turn to the FIM forum for help.

    Regards,


    Nick Gu - MSFT