none
Account mgmt for PC off the network? RRS feed

  • Question

  • I am currently looking at implementing FIM in an enterprise environment.  I am specifically looking at the password management piece.  We have numerous mobile users who rarely connect to the corporate network.  I am curious what capabilities FIM has for managing passwords and accounts for users who are not connected to the corporate network.  For example, I recently read that Hitachi's Password Manager comes with an installer that will launch a GUI to connect to available wi-fi networks and then launch a temp VPN session before the Windows login back to your corporate network.  It will then logon with a localadmin account that the password manager software previously created and launch a kiosk mode browser to the self service web portal.  At the web portal, the user can answer security questions to reset their network password and unlock their account.  Once the network password has been reset, an ActiveX control is launched and updates the locally cached password.

    Does FIM have any capability like this?  Or would a pre-login VPN and local admin account have to be manually scripted with the credential provider that FIM provides?  Any information is appreciated. 

    Friday, May 2, 2014 9:38 PM

All replies

  • Hey Wf88,

    FIM requires network connectivity in order to use the password reset service. You have many options that you can implement:

    1) Network connected, domain joined machines can use the login extension to perform password reset.

    2) Disconnected and non-domain joined machines can use the external password reset site. The site can be published using a reverse proxy or a publishing gateway. The service can be configured with incremental gates to add to the level of assurance for external resets. E.g - if you internal to the network you get 3 questions and have to get 2 right, but if you are external you need to answer the first set, then 3 more of your registered answer and finally SMS or secondary email one time pin.

    FIM does not support the just in time VPN explained above. If you wish to use something like this, you can implement this yourself or create a custom client for self-service password reset that utilises the FIM API.

    HTH


    Almero Steyn (http://www.puttyq.com) [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]

    Saturday, May 3, 2014 1:53 PM
  • Almero,

        thank you for the information.  Regarding your # 1 statement --

    1) How will a users network password be updated if I reset the locally cached password with the credential provider?  I am guessing since the machine is joined to the domain with network connectivity that it will automatically update the network password.  I would be worried that users would reset the password via the credential provider, log in, and then have trouble when opening Outlook, sharepoint intranet, etc.  Wouldn't those network components still be looking at the old password?

    Monday, May 5, 2014 1:36 PM
  • Hey

    Not sure I follow. The FIM password reset client (locally installed client) can not be used to change the password if the user is not on the network and domain joined. Thus this component cannot change the password while the user is remote.

    Changing the local password on the windows machine while disconnected is a AD thing that you also cannot do. To change the domain password you need to change it in the domain itself (while connected or through a tool in the domain DSA.msc etc). Only one changed, when the user logs on with the new password is the local cache password updated on the local machine.

    Hope this helps


    Almero Steyn (http://www.puttyq.com) [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]

    Thursday, June 12, 2014 7:06 AM
  • Some time ago I have been asked for similar thing - customer wanted to be able to tell remote users local admin password in case they would forget their own without network connectivity (assuming that they have phone connectivity). The only Idea was to use GPO to create local admin account with password known by Domain Admin and, if such user wants it - give the password to him. Right after such password was given to remote user, Admin changed it in GPO to new one, so when computer got connected, remote user could use computer on this account only when session was still up - When session ended, he had to reset his password (but he was back online, so he could).

    Not the smartest idea, but worked in this case (especially with users travelling around the globe wiht satellite phones and no internet access).

    But there is no way to reset password in domain being offline. Password reset client tries to connect to FIMService, which (through FIMSync) resets password in domain. So without connectivity between those (computer->FIMService->FIMSync->Domain Controller) you are unable to change domain password using FIM.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Friday, June 13, 2014 6:43 AM