If you are setting up Password Reset...

  • General discussion

  • I want to know how much time and pain you've spent on creating the Sets and MPRs to enable the "Helpdesk Unlock Scenario"

    i.e. a user is locked out, the helpdesk guy goes to the portal to unlock the user


    1. Are you using helpdesk to unlock the user, if you are using Lockout Gate?

    2. How much time did you spend in creating the Sets and MPRs?

    3. Were you able to configure it successfully the first time?

    4. Was the documentation accurate or confusing?

    5. Overall, how would you comment on your experience?

    6. If there are no default Sets and MPRs, would you end up with support calls?


    I will aggregate the data and forward that to the feature team.

    Monday, October 19, 2009 11:02 PM

All replies

  • These are pretty interesting questions.
    Could someone please hop in?

    I believe there is no way for the documentation to be confusing - right :o)

    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Wednesday, October 21, 2009 9:51 AM
  • I've attempted to set up Self-Service Password Reset using RC0, but never managed to get it working.  I'm planning on trying again with RC1.

    I was able to import Active Directory data into the metaverse, but I was constantly ending up with duplicate records (two for each user) once the data was exported into the ILM database.  I also had all kinds of funky permission issues with Sharepoint even though I followed the instructions to a T.

    The whole config process of setting up the Sets and MPRs was tedious and especially painful when it didn't work in the end.

    The documentation was a bit confusing because of the multiple articles plus errata corrections that were required.

    I realize that ILM is a product that can be used to accomplish a wide range of solutions and isn't designed solely to be used for Self-Service Password Resets, but given the number of third party apps already on the market that are designed to do this I thought Microsoft would have put together a solution that was easier to implement.  I think a simpler ADAM based web application would have been a better way for Microsoft to tackle Self-Service Password Reset.

    Even though I'm an Admin and not a Developer I'm actually considering building my own web app for password resets instead of banging my head against the wall again with ILM.
    Friday, October 30, 2009 4:21 PM
  • Very true. For RC0, it's indeed very hard to set up for SSPR (to create those MPRs, Sets and all that)

    Try RC1, you will be surprised that it's much easier now (all you need to do is to enable 6 MPRs)

    In this thread, I am trying to see if we have done enough for RC1 to fix the problem you had
    Friday, October 30, 2009 5:46 PM
  • I have installed RC1 all on a consolidated virtual Windows 2008 R2 server in my development domain in order to assess "out of the box" password reset and user provisioning and deprovisioning. Next action is to import Active Directory.
    Do I follow the Publishing Active Directory Users from Two Authoritative Data Sources article even though I am not connecting to an HR database? If you can assist in helping me narrow down exactly what I need to do to connect to my Directory Services in the Development domain, that would be helpful.

    Thanks ahead.

    Wednesday, January 20, 2010 4:18 AM
  • Hi Anthony,

    I have followed the instructions to enable helpdesk to manage users. The SSPR is working and I'm able to register and reset my password. I've tested with several accounts in my lab. I followed steps H1 to H5. For step H5 it does not specify the target resource definition before request in the instructions (looks like something is missing in the instructions). Leaving this setting blank does not allow you to continue so I assumed this would be the password reset users set. The resource type brought up three selections. I wasn't sure which one to select so just selected the first option.  I've manually added an account to the helpdesk user set. When I log on to the portal, http://server/identitymanagement there is no administration on my navigation bar nor is there an unlock user option. I get the default page as a regular user. Are there additional steps I'm missing to allow my helpdesk user set to see the administration/unlock user selection? I deliberately locked out an account to see if I could unlock it. Unfortunately I was not able to find the user with the user account that is in the helpdesk set.

    Has anyone successfully implemented the helpdesk to manage users?

    Monday, February 15, 2010 7:28 PM
  • Notice FIM consists of two parts: FIMService (the Windows service) and the Portal.
    The Portal just presents you the UI and such... vs the MPR grants you permission to talk to FIMService directly.

    There are multiple ways to do that:
    1) ugly: get the URL of the Admin unlock page and type the URL into the browser
    2) customize the Navigation bar of the portal for the Helpdesk User Set:
       1. basically you want to create a Navbar configuration object (http://server/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=NavigationBarConfiguration&display=Navbar+Configurations)
       2. then set the link to ~/IdentityManagement/aspx/authnadmin/AllAuthNUsers.aspx
       3. then grant the Helpdesk User set read permission on that object
    To understand how the Navbar config object works:
    Look at the MPR "General: Users can read non-administrative configuration resources", the set definition for "All Basic Configuration Objects" and the "keyword" attribute in the NavBar config object

    P.S. the same thing applies for the homepage configuration object
    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Tuesday, February 16, 2010 12:35 AM
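    The navigation-bar customization described in the reply above (option 2, steps 1 to 3) can be scripted with the FIM Service PowerShell snap-in instead of being clicked through the portal. The script below is an added example, not code from the thread, from Microsoft or from the blog linked above. It assumes the FIMAutomation snap-in is installed on the FIM Service server, that a Set with the display name "Helpdesk Users" already exists (an assumed name), and it uses the FIM 2010 attribute names for the NavigationBarConfiguration, Set and ManagementPolicyRule resource types (DisplayName, NavigationUrl, Order, ParentOrder, UsageKeyword, Filter, PrincipalSet, ResourceCurrentSet, ActionType, ActionParameter, GrantRight, Disabled); check them against the schema of the deployed build before running it. The usage keyword value is constructed for the example.

```powershell
# Added example (not from the thread). Assumes the FIMAutomation snap-in on the FIM Service
# server and an existing Set named 'Helpdesk Users' (assumed name). Attribute names are the
# FIM 2010 schema names for these resource types; verify them in Schema Management first.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$Keyword = 'HelpdeskUnlockNav'   # constructed usage keyword that ties the navbar object to the grant

# Build one attribute change for an ImportObject. With FullyResolved=$false a reference can be
# written as "ObjectType|AttributeName|Value" and is resolved by the FIM Service on import.
function New-FimChange {
    param([string]$Name, [string]$Value, [string]$Operation = 'Replace', [bool]$Resolved = $true)
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = [Enum]::Parse([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation], $Operation)
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = $Resolved
    $c.Locale         = 'Invariant'
    return $c
}

# Build a new resource of the given type carrying the given attribute changes.
function New-FimResource {
    param([string]$ObjectType, [array]$Changes)
    $o = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $o.ObjectType             = $ObjectType
    $o.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
    $o.TargetObjectIdentifier = $o.SourceObjectIdentifier
    $o.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    $o.Changes                = $Changes
    return $o
}

# Steps 1 and 2: the navigation bar entry that links to the unlock page, tagged with the keyword.
$navbar = New-FimResource 'NavigationBarConfiguration' @(
    (New-FimChange 'DisplayName'   'Unlock Users'),
    (New-FimChange 'NavigationUrl' '~/IdentityManagement/aspx/authnadmin/AllAuthNUsers.aspx'),
    (New-FimChange 'Order'         '5'),
    (New-FimChange 'ParentOrder'   '0'),              # 0 = top-level navigation entry
    (New-FimChange 'UsageKeyword'  $Keyword 'Add')    # multi-valued attribute, so Add, not Replace
)

# Step 3a: a Set that selects exactly the navigation bar objects carrying that keyword, so the
# grant below reaches only this entry and not every configuration object in the portal.
$filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
          "/NavigationBarConfiguration[UsageKeyword='$Keyword']</Filter>"
$set = New-FimResource 'Set' @(
    (New-FimChange 'DisplayName' 'Helpdesk Navigation Bar Objects'),
    (New-FimChange 'Filter'      $filter)
)

# Step 3b: a Request MPR granting Read on that Set to members of the Helpdesk Users Set only.
$mpr = New-FimResource 'ManagementPolicyRule' @(
    (New-FimChange 'DisplayName'              'Helpdesk Users can read the Unlock Users navigation entry'),
    (New-FimChange 'ManagementPolicyRuleType' 'Request'),
    (New-FimChange 'GrantRight'               'True'),
    (New-FimChange 'Disabled'                 'False'),
    (New-FimChange 'ActionType'               'Read' 'Add'),
    (New-FimChange 'ActionParameter'          '*'    'Add'),
    (New-FimChange 'PrincipalSet'             'Set|DisplayName|Helpdesk Users'                   'Replace' $false),
    (New-FimChange 'ResourceCurrentSet'       'Set|DisplayName|Helpdesk Navigation Bar Objects' 'Replace' $false)
)

# Import in dependency order so the MPR can resolve the Set it references by display name.
$navbar | Import-FIMConfig
$set    | Import-FIMConfig
$mpr    | Import-FIMConfig
```

    Running this as a FIM administrator creates the three objects; a member of the Helpdesk Users Set should then see the "Unlock Users" entry after the portal's navigation cache refreshes. The keyword-scoped Set is the deliberate part: granting Read on "All Basic Configuration Objects" instead would expose far more of the portal's configuration to the helpdesk than the unlock page needs.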
  • Hi Anthony,

    I was able to finally set up the helpdesk UI after being sidetracked with other things. Thank you for the reference to the MPR and the keyword usage. That really helped.

    On the "Introduction to Password Reset" docs, the MPR for helpdesk user step H5, is there a missing Target Resource definition before request? Should this be the password reset users set? Also when you enter Resource type for the resource attribute there are several selections for resource type. Does it matter which one is selected?

    I have added a user manually to the helpdesk user set. Locked out a user from being able to unlock his own account. When logging on as the user that I have added manually to the helpdesk user set on the portal to unlock the user, I'm not able to search for the user. I know he is in the portal (searched with another privileged account). What am I missing? I'm probably just missing something simple. I just can't see it.


    Wednesday, March 10, 2010 4:56 PM
  • It looks like the Password Docs are still confusing and not complete.


    The UI piece is not mentioned and when you try to test out the scenario, you cannot get the Admin UI.

    This should be added to the documentation.

    The Target Resource definition before request should be Password Reset User Set.

    The 2 Attributes that need to be selected should be from the user class: click Browse, then from the Search Within dropdown select User.

    This will get you to the next steps, I will provide the UI change later since it's not in the docs.

    Joe Stepongzi - Identity Management Consultant - ILM MVP - www.microsoftIdM.com,ilmXframework.codeplex.com
    Friday, May 7, 2010 5:38 PM
  • For all people interested, I wrote two posts about this topic:

    One with the necessary corrections to the step H5 in the SSPR deployment guide: http://setspn.blogspot.com/2010/09/fim-sspr-unlock-delegation-procedure.html

    And one with the necessary configuration steps for the UI: http://setspn.blogspot.com/2010/10/fim-sspr-unlock-delegation-ui.html



    Saturday, October 2, 2010 11:37 AM
  • 
    I have followed this configuration for the Helpdesk UI perfectly numerous times and still have had no luck with anything appearing in the portal on a client PC with a user in the helpdesk pool..  unfortunately I'm not even sure where to begin to ask what's wrong, but any help you could offer would be super!
    Tuesday, January 25, 2011 7:50 PM
  • I think it might be a better idea to start a new topic (Question) and nicely explain what you have done and what the problem is. If you don't see any "customized" UI elements, you probably mixed something up regarding the MPR or Usage Keywords.


    Tuesday, January 25, 2011 8:02 PM