MIM SSPR questions

  • Question

  • Hi,

    Got a few MIM SSPR related questions:

    • Are the SSPR 'Answers' case-sensitive? (when using the QA Gate)
    • Do we need to deploy PCNS for SSPR? Our SSPR will only involve resetting AD passwords.
    • Does the MIM add-ins & extension client pop-up and ask you to enrol every time you log on to a workstation or every time you reboot a workstation? Will it keep prompting you until you enrol?
    • What happens if I enrol and answer 5 questions. Then someone deletes or changes those 5 questions. Will they still appear if I need to reset my password?

    • From what we understand an account can be locked in 2 places: Active Directory and MIM Portal
    • MIM SSPR provides the ability to 'unlock account' - does this feature unlock the account in both AD and MIM Portal?

    Thank you,

    SK


    • Edited by Shim Kwan Monday, October 17, 2016 11:05 PM
    Monday, October 17, 2016 11:05 PM

All replies

    • Are the SSPR 'Answers' case-sensitive? (when using the QA Gate)
      No.
    • Do we need to deploy PCNS for SSPR? Our SSPR will only involve resetting AD passwords.
      No PCNS required if you are just resetting AD passwords.
    • Does the MIM add-ins & extension client pop-up and ask you to enrol every time you log on to a workstation or every time you reboot a workstation? Will it keep prompting you until you enrol?
      Every time you log in, it will keep prompting until you enrol. You can turn this behaviour off with a registry change.
    • What happens if I enrol and answer 5 questions. Then someone deletes or changes those 5 questions. Will they still appear if I need to reset my password?
      When someone does that, the new questions will be presented to the user but it will expect the old answers. If you're changing the questions, tick the "require re-registration" checkbox on the AuthN workflow to clear old answers and prevent confusion.

    • From what we understand an account can be locked in 2 places: Active Directory and MIM Portal
    • MIM SSPR provides the ability to 'unlock account' - does this feature unlock the account in both AD and MIM Portal?
      This would be to unlock the user on the portal workflow, i.e. to allow them to try SSPR again.


    • Edited by FIM-EN Wednesday, October 19, 2016 7:36 AM
    • Proposed as answer by Jordan Stelzl Thursday, December 8, 2016 3:35 AM
    Tuesday, October 18, 2016 1:16 PM
  • Thank you, these are great.

    Just one thing that's contradictory to your other post (https://social.technet.microsoft.com/Forums/en-US/86988edb-c03b-486d-8964-db988fa2c518/mim-sspr-account-unlock?forum=ilm2)

    In the other post you talked about unlocking the AD account. In this thread you talk about unlocking the user on the portal workflow.

    So what does the "Unlock Account" in MIM SSPR client actually do?

    Does it unlock the account in Active Directory or unlock the account in the MIM Portal? Or both places?


    • Edited by Shim Kwan Tuesday, October 18, 2016 8:00 PM
    Tuesday, October 18, 2016 8:00 PM
  • The option the user selects when entering their new password (or not as the case may be) after passing your SSPR gates refers to AD.

    If a user needs unlocking in the portal, it's because they've answered the SSPR questions (or failed one time SMS/email code etc.) incorrectly too many times and have been locked out - assuming you have a lockout gate in your AuthN workflow - for them to be able to try again, they need unlocking in the portal. 

    • Proposed as answer by Jordan Stelzl Thursday, December 8, 2016 3:35 AM
    Tuesday, October 18, 2016 8:05 PM
  • Thanks FIM-EN, it's clear now :)
    Tuesday, October 18, 2016 9:00 PM
  • No problems - Re/point 3 I said you can turn off with a regex change, I meant registry change (edited original post to correct). 
    Wednesday, October 19, 2016 7:35 AM