FIM 2010 R2 SP1 Password reset portal not checking Password history of the user

    Question

  • Hi All,

    I have implemented the Password Reset portal in my test environment. Password reset is working fine, but it accepts the old password. FIM password reset is not checking the password history of the user.

    Other password policy settings are working (example: the password length check is working).

    Kindly help me.

    My Test environment:

    Server 1: Roles - Domain Controller, Certificate Authority, Exchange [Win 2008 R2 SP1]

    Server 2: FIM Sync, Service, Portal, Password registration & Reset portal. [FIM 2010 R2 SP1]

    1. My password reset portal is not using SSL.
    2. I have imported the root CA certificate into the trusted certificate list of the FIM Sync server.
    3. The Domain Controller (Server 1) has a Domain Controller server certificate.
    4. My MA name is AD MA.
    5. I have created the registry entry: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\PerMAInstance\AD MA] "ADMAEnforcePasswordPolicy"=dword:00000001
    6. I have tested LDAP over SSL using ldp.exe as mentioned in the link http://support.microsoft.com/kb/2443871

    Result:

    ld = ldap_sslinit("company.fimcompany.com", 636, 1);

    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);

    Error 0 = ldap_connect(hLdap, NULL);

    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);

    Host supports SSL, SSL cipher strength = 128 bits

    Established connection to company.fimcompany.com.

    Retrieving base DSA information...

    Getting 1 entries:

    Dn: (RootDSE)

    configurationNamingContext: CN=Configuration,DC=fimcompany,DC=com;

    currentTime: 6/20/2013 10:19:48 AM India Standard Time;

    defaultNamingContext: DC=fimcompany,DC=com;

    dnsHostName: Company.fimcompany.com;

    domainControllerFunctionality: 4 = ( WIN2008R2 );

    domainFunctionality: 4 = ( WIN2008R2 );

    dsServiceName: CN=NTDS Settings,CN=COMPANY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fimcompany,DC=com;

    forestFunctionality: 4 = ( WIN2008R2 );

    highestCommittedUSN: 180333;

    isGlobalCatalogReady: TRUE;

    isSynchronized: TRUE;

    ldapServiceName: fimcompany.com:company$@FIMCOMPANY.COM;

    namingContexts (5): DC=fimcompany,DC=com; CN=Configuration,DC=fimcompany,DC=com; CN=Schema,CN=Configuration,DC=fimcompany,DC=com; DC=DomainDnsZones,DC=fimcompany,DC=com; DC=ForestDnsZones,DC=fimcompany,DC=com;

    rootDomainNamingContext: DC=fimcompany,DC=com;

    schemaNamingContext: CN=Schema,CN=Configuration,DC=fimcompany,DC=com;

    serverName: CN=COMPANY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fimcompany,DC=com;

    subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=fimcompany,DC=com;

    supportedCapabilities (5): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080;

    supportedControl (29): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS );

    supportedLDAPPolicies (14): MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange;

    supportedLDAPVersion (2): 3; 2;

    supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;


    Enayathulla.S

    Thursday 20 June 2013 04:57

All replies

  • Hello, you have all the ingredients in place for a successful implementation. I can think of two things:

    1: The registry key has a type error. In this case the service won't use the desirable reset method.

    2: The password policy is configured to accept old passwords.


    GH


    • Edited by Guy Horn Thursday 20 June 2013 10:06 typo
    Thursday 20 June 2013 10:03
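The two checks GH lists (registry value type, domain policy) and the LDAPS test from the question's steps 2 and 6 can be run from the FIM Sync server in one go. The script below is an added example, not code from the thread or from FIM; it assumes the MA name "AD MA" and the DC hostname company.fimcompany.com from the question, and that the ActiveDirectory PowerShell module (RSAT) is installed on the machine running it. It also checks that the DC advertises the policy-hints LDAP control (OID 1.2.840.113556.1.4.2066, shown as POLICY_HINTS in the ldp output above), which is the control that lets a password set by an administrative account be checked against history and minimum age.

```powershell
# Added example (not from the thread): verify the preconditions for FIM
# password-policy enforcement from the FIM Sync server.
# Assumptions: MA name and DC hostname as in the question; RSAT AD module present.
param(
    [string]$MaName = 'AD MA',
    [string]$DomainController = 'company.fimcompany.com'
)

# 1. Registry value must exist AND be REG_DWORD with value 1. A value created
#    as REG_SZ "1" or under a misspelled name is the "type error" case.
$keyPath   = "HKLM:\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\PerMAInstance\$MaName"
$valueName = 'ADMAEnforcePasswordPolicy'
if (-not (Test-Path $keyPath)) {
    Write-Warning "Registry key missing: $keyPath"
} else {
    $key = Get-Item $keyPath
    try {
        $kind  = $key.GetValueKind($valueName)   # throws if the value name does not exist
        $value = $key.GetValue($valueName)
        if ($kind -ne 'DWord' -or $value -ne 1) {
            Write-Warning "$valueName is $kind=$value; expected DWord=1"
        } else {
            Write-Output "Registry: $valueName is DWord=1 (OK)"
        }
    } catch {
        Write-Warning "Registry value '$valueName' not found under $keyPath"
    }
}

# 2. LDAPS: open port 636 and validate the DC certificate chain against this
#    machine's trusted roots (the root CA imported in step 2 of the question).
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DomainController, 636)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($DomainController)   # throws if the chain is not trusted or the name does not match
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Output ("LDAPS: trusted certificate '{0}', valid until {1} (OK)" -f $cert.Subject, $cert.NotAfter)
} catch {
    Write-Warning "LDAPS check failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 3. RootDSE must advertise the policy-hints control; without it an
#    administrative password set is not checked against history/min age.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/RootDSE")
$controls = @($rootDse.Properties['supportedControl'])
if ($controls -contains '1.2.840.113556.1.4.2066') {
    Write-Output 'RootDSE: POLICY_HINTS control advertised (OK)'
} else {
    Write-Warning 'RootDSE: POLICY_HINTS control (1.2.840.113556.1.4.2066) not advertised'
}

# 4. Domain policy: if history count or minimum age is 0, the DC itself accepts
#    the old password and no reset portal setting will change that.
Import-Module ActiveDirectory -ErrorAction Stop
$policy = Get-ADDefaultDomainPasswordPolicy -Server $DomainController
Write-Output ("Domain policy: PasswordHistoryCount={0}, MinPasswordAge={1}" -f $policy.PasswordHistoryCount, $policy.MinPasswordAge)
if ($policy.PasswordHistoryCount -eq 0) {
    Write-Warning 'PasswordHistoryCount is 0: old passwords are accepted by policy'
}
```

Run it as an account that can read the registry on the FIM Sync server and query the DC. If the test user is covered by a fine-grained password policy (PSO), check the resultant policy for that user with Get-ADUserResultantPasswordPolicy instead of the domain default, since the PSO is what the DC enforces for that account.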
  • Hi

    I can't find a word about setting the Management Agent to use SSL in your list.

    Have you checked to enable SSL for the Connection at the MA?

    Henry

    Friday 21 June 2013 05:59
  • Hi Henry/GH,

    I have enabled SSL in the AD MA but it is still not working. The domain password policy is enabled; when I try to change the user password with the existing password using the Windows login screen, it checks the password history.

    I have verified my registry entry, there is no typo. I am using the server machine to open the password portal and perform the testing.

    But the FIM password portal does not check the password history and minimum password age.

    Is there anything I am missing? Kindly help.

    Regards,

    Enayathulla



    Enayathulla.S

    Friday 21 June 2013 13:51