Identity Lifecycle Manager 2 forum, General Discussion: Register for password reset / reset password without using ActiveX control

  • Tuesday, July 14, 2009 12:40 PM, Paolo Tedesco
    I would like to give users the possibility to register for password reset and reset their passwords from a web page that does not use the ActiveX control.

    Is it possible to provide password reset answers and reset a user's password using the ILM web service directly, or maybe there is another API that allows this?

    Otherwise, has anyone tried implementing a custom QAGate Activity?

    Thanks,
    Paolo

All Replies

  • Tuesday, July 14, 2009 4:57 PM, nTony Ho
    >>I would like to give users the possibility to register for password reset and reset their passwords from a web page that does not use the ActiveX control.

    For the "not use the ActiveX control" part, you can use "MsPwdRegistration.exe -all", which is auto-started during logon (that's how you see the registration welcome screen once the user logs on).

    For the "from a web page that does not use the ActiveX control" part: no, it is not supported OOB. You need to write your own client.
  • Wednesday, July 15, 2009 7:56 AM, Paolo Tedesco
    The executable is not the same as the ActiveX control, but I cannot use it from a web page either.

    And about "writing my own client": do you know which APIs / calls to the web service I should make in order to set the answers and to reset a user's password?

  • Wednesday, July 15, 2009 9:25 AM, nTony Ho
    well...

    If you want AuthN + Password Reset functionality from ILM2, then there is no easy way. Writing your own client isn't as simple as that. You have to understand the protocol.

    High level:
    1. modify the ResetPassword attribute of the user
    2. you will get AuthNRequiredFault
    3. the fault contains the endpoint address of the STS
    4. talk to the STS, pass the challenge (QA in this case), and get a token from the STS
    5. resume the request from #1 with the token
    6. at this point you will be done with AuthN and you will talk to the PasswordReset activity endpoint...


    Well, seems like mission (nearly) impossible.
  • Wednesday, July 15, 2009 11:26 AM, Paolo Tedesco
    Hi nTony, thanks for your answer.

    What if the user is already authenticated and I just want to register him for password reset, i.e. provide the answers to the questions?
  • Wednesday, July 15, 2009 6:45 PM, nTony Ho
    It's pretty much the same steps...
    except

    #1 becomes: modify the AuthWFRegistered attribute of the user
    #6 is not needed
  • Thursday, November 05, 2009 10:04 PM, Joshua Toon

    I'm interested in this as well. Could someone outline what attributes actually comprise an authorized and registered user? I think building a custom gate activity is really something that sounds interesting. They are just sequential WF activities, right?

    Thanks,

    Josh
  • Friday, November 06, 2009 10:50 AM, AnthonyHoMSFT
    Authorized:
    the object sid of the kerb ticket is the same as the sid stored in FIM

    Registered:
    User.AuthNWFRegistered contains the guid of the AuthN WF
    The FIM Password Reset Blog http://blogs.technet.com/aho/
  • Monday, November 09, 2009 2:51 PM, Joshua Toon
    Thanks for the tip on the objectSID in FIM. That wasn't making it in there, and I was pulling my hair out trying to get users to be able to use the portal. However, just setting AuthNWFRegistered to the AuthN WF in the user's extended attributes causes winlogon to crash in XP...to blue screen. The credential manager in upper-level clients survives though.

    It says an error occurred while calling SetDisplaySettings, error code: 3211359 --- just an FYI
  • Monday, November 09, 2009 3:00 PM, Joshua Toon
    It also looks like AuthNLockoutRegistrationID, ResetPassword, RegistrationRequired, and Register all get set.
  • Monday, November 09, 2009 3:04 PM, Joshua Toon

    You mention on your blog that you have a more detailed doc describing the process...any way I could get that?
  • Monday, November 09, 2009 5:03 PM, AnthonyHoMSFT
    Oh, let me clarify that a bit more.
    When you asked "Could someone outline what attributes actually comprise an authorized and registered user",
    I thought you were asking how to determine if the user is registered or not.

    It blue screens because the user hasn't really registered (i.e. you never provided the user with the QA answers and all that).
    Scripting the registration process is NOT supported.

    A proper way to do that will be, for each user

    High level:
    1. modify the AuthNWFUserRegister attribute of the user with the AuthNWFGuid
    2. you will get AuthNRequiredFault
    3. the fault contains the endpoint address of the STS
    4. talk to the STS, pass the challenge (QA in this case), and get a token from the STS
    5. resume the request from #1 with the token


    As for the doc, that's really for internal use only (I have clarified my wording on the blog). But then, that only covers a bit more detail between GateFramework and ProxyServer (e.g. how to establish a secure channel) and a bit more detail on the actual implementation.
    The FIM Password Reset Blog http://blogs.technet.com/aho/
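Added example (not code from the thread, not FIM/ILM 2's own implementation or wire format): a Python model of both sides of the fault-and-resume exchange that nTony Ho outlines for ResetPassword above and that AnthonyHoMSFT repeats for registration in the post just before this. The class names, the STS address, the workflow GUID placeholder, the fault shape and the token format are all assumptions made for illustration; the real service speaks SOAP/WS-Trust and is not modelled here. What the model adds beyond the step list is the part a client author has to get right on the server side: the token the STS issues is bound to the context the fault handed out and is single-use, so it can only resume the exact request that raised the fault; answers are stored salted and hashed, compared in constant time, and wrong attempts lock the gate.

```python
"""Model of the AuthN-gated Put flow from the thread (constructed example, not FIM code).
Names, STS address, GUID, fault shape and token format are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets

STS_ADDRESS = "https://fim.example.local/sts"           # assumed placeholder, not a real endpoint
AUTHN_WF_GUID = "00000000-0000-0000-0000-000000000001"  # placeholder for the AuthN workflow id
GATED = {"ResetPassword", "AuthNWFRegistered"}           # attributes the thread says trigger the fault


class AuthNRequiredFault(Exception):
    """Steps 2-3: the service refuses the change and names the STS plus a context to resume with."""

    def __init__(self, sts_address, context_id):
        super().__init__("authentication required")
        self.sts_address = sts_address
        self.context_id = context_id


def _hash_answer(answer, salt):
    # Normalise case and whitespace so "Fluffy " matches "fluffy"; PBKDF2 so answers are not stored in clear.
    norm = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 50_000)


class QAGateSTS:
    """Model of the STS fronting a QA gate: registers answers or verifies them, then issues a token."""

    MAX_FAILURES = 3

    def __init__(self):
        self.answers = {}   # user -> {question: (salt, hash)}
        self.failures = {}  # user -> consecutive wrong attempts
        self.pending = {}   # context_id -> (user, attribute being changed)
        self.tokens = {}    # token -> (user, context_id)

    def challenge(self, context_id):
        user, attribute = self.pending[context_id]
        if attribute == "AuthNWFRegistered":  # registration: the gate collects answers instead of checking them
            return {"mode": "register"}
        return {"mode": "verify", "questions": sorted(self.answers.get(user, {}))}

    def respond(self, context_id, given):
        user, attribute = self.pending[context_id]
        if attribute == "AuthNWFRegistered":
            if len(given) < 3:
                raise ValueError("registration needs at least three questions")
            self.answers[user] = {}
            for question, answer in given.items():
                salt = os.urandom(16)
                self.answers[user][question] = (salt, _hash_answer(answer, salt))
        else:
            if self.failures.get(user, 0) >= self.MAX_FAILURES:
                raise PermissionError("locked out")
            stored = self.answers.get(user, {})
            ok = bool(stored) and all(
                hmac.compare_digest(_hash_answer(given.get(q, ""), salt), digest)
                for q, (salt, digest) in stored.items())
            if not ok:
                self.failures[user] = self.failures.get(user, 0) + 1
                raise PermissionError("wrong answers")
            self.failures[user] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, context_id)
        return token

    def validate(self, token, user, context_id):
        # Single use, and bound to the exact request that raised the fault: no replay across requests.
        return self.tokens.pop(token, None) == (user, context_id)


class ResourceService:
    """Model of the resource endpoint: a gated Put faults first; the resumed Put with a token applies it."""

    def __init__(self, sts):
        self.sts = sts
        self.users = {}

    def put(self, user, attribute, value, token=None, context_id=None):
        if attribute in GATED:
            if token is None:
                ctx = secrets.token_hex(16)
                self.sts.pending[ctx] = (user, attribute)
                raise AuthNRequiredFault(STS_ADDRESS, ctx)
            if not self.sts.validate(token, user, context_id):
                raise PermissionError("bad or reused token")
        self.users.setdefault(user, {})[attribute] = value
        return dict(self.users[user])


def gated_put(svc, user, attribute, value, answer_fn):
    """Steps 1-5 from the client side: attempt, catch the fault, answer the STS, resume with the token."""
    try:
        return svc.put(user, attribute, value)
    except AuthNRequiredFault as fault:
        challenge = svc.sts.challenge(fault.context_id)  # a real client would call fault.sts_address here
        token = svc.sts.respond(fault.context_id, answer_fn(challenge))
        return svc.put(user, attribute, value, token=token, context_id=fault.context_id)


if __name__ == "__main__":
    sts = QAGateSTS()
    svc = ResourceService(sts)
    qa = {"First pet?": "Fluffy", "Birth city?": "Milan", "First car?": "Panda"}  # constructed answers
    print(gated_put(svc, "paolo", "AuthNWFRegistered", AUTHN_WF_GUID, lambda c: qa))
    print(gated_put(svc, "paolo", "ResetPassword", True, lambda c: {q: qa[q] for q in c["questions"]}))
```

Run as a script it registers a constructed user and then resets through the same fault-and-resume path; the registration branch stores answers, the reset branch verifies them. Step 6 of the thread (talking to the PasswordReset activity endpoint after AuthN) is outside the model. The point to carry into a real client is the binding: a token is only useful with the context_id from the fault that produced it, so a client cannot obtain a token for one operation and replay it for another.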
  • Tuesday, November 10, 2009 11:17 AM, Joshua Toon
    Could you tell me more about the GateFramework? The more I look into it, the more it seems we are going to need to customize the authentication gates...possibly to include checking a hardware device...??

    Thanks for your very clear answers.