
Copyright and Trademarks

Specops Password Reset is a trademark owned by Specops Software. All other trademarks used and mentioned in this document belong to their respective owners.

Contents

Key Components
Requirements
Installing Specops Password Reset
    Installing the Specops Password Reset Server
    Installing the Specops Password Reset Web
    Install the Administration Tools
    Install the Specops Password Client
Post-Installation Configuration
    Import your license key
    Verify that your domain is configured for use with Specops Password Reset
    Enabling authentication to the Password Reset Web Server
    Add members to the Specops Password Reset local security groups
    Install additional web servers you might want to use for external access
    If using Secret Question Authentication, ensure that users enroll in the system
    Verify that the Specops uReset Client is installed on your client machines
    Verify security settings for administrative accounts
    Configure access to Active Directory Fine-Grained Password Policies
    Configure your environment for use with the Mobile Access Web Service
Appendix 1: Installing the Self-Signed SSL certificate into the Trusted Root Certificate Authorities Store
    Install the Self-Signed SSL certificate into the Trusted Root Certificate Authorities Store
    Deploy the Self-Signed certificate using Group Policy Objects

About Specops Password Reset

Specops Password Reset is a self-service solution that enables end users to address the most common tasks related to password management, including forgotten passwords, locked-out Active Directory accounts, and password resets and changes. Specops Password Reset is a component of the Specops Password Management suite. Specops Password Management takes a holistic approach to password management that increases security, cuts costs, and extends the reach of password-based security. You can learn more about the Specops Password Management solution and other Specops Password related products at www.specopssoft.com/products/specops-password-management.

Key Components

Specops Password Reset consists of the following components and does not require any additional servers or resources in your environment. The architectural overview above shows the communication between the components in a typical installation. Note that the Password Reset Server and Password Reset Web components are typically installed on the same server inside the network.

Server: Manages all operations against Active Directory, such as changing/resetting passwords, and responds to requests from the Specops Password Reset Web application.

Administration Tools: Used to configure the central aspects of the solution and enable the creation of Specops Password Reset settings in Group Policy Objects.

Web: Displays the end user interface of the product and communicates with the Specops Password Reset Server to verify user input.

Specops Password Client: Presents a link to the Specops Password Reset Web application on the Windows logon screen, and presents end user notifications about enrollment requirements.

Requirements

Your organization's environment must meet the following system requirements:

Server: Windows Server 2008 or later; Windows Identity Foundation installed.
Administration Tools: Windows 7 or later; Active Directory Users and Computers snap-in; Group Policy Management Console (GPMC); .NET Framework 3.5 or later.
Web: Windows Server 2008 or later; IIS installed; trusted SSL certificate for all names the web application will be presented as.
Specops Password Client: Windows 7 or later; .NET Framework 3.5 SP1 or later.

The Specops Setup Assistant will help you meet the system requirements.

Installing Specops Password Reset

During installation, Specops Password Reset will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Reset:
- Server
- Administration Tools
- Web
- Specops Password Client

1. Download the Setup Assistant.
2. Save and run the Setup Assistant on your server.
   Note: By default, the file is extracted to C:\temp\SpecopsPasswordReset_Setup_[VersionNumber]
3. Double-click SpecopsPasswordReset.Setup.exe to launch the Setup Assistant.
4. To begin, click Start Installation in the Specops Setup Assistant dialog box, and accept the End User License Agreement.

Installing the Specops Password Reset Server

The Specops Password Reset Server performs operations against Active Directory and responds to requests from the Specops Password Reset Web application.

1. From the Setup Assistant, select Server.
2. Verify that you have fulfilled the prerequisites. If you do not meet the prerequisites you may need to do the following:
   a. Verify that you are running a valid operating system.
   b. Verify that Windows Identity Foundation is installed.
   c. Verify that the account being used to run the Setup Assistant has local administrative permissions.
3. Click Select user.
4. Enter the Username and Password of the user account the service will run as, and click OK.
   Note: All operations performed by the Specops Password Reset Server component will be performed in the context of the service account selected here.
5. Click Select to identify the management level where the Active Directory permissions are created. This is also used to track license usage.
6. To select the certificate that will be used to secure calls to the Specops Password Reset service, click Select.
   Note: The name of the certificate must match the Fully Qualified Domain Name (FQDN) of the password reset server. The certificate can be issued by your internal CA, purchased from a third-party provider, or created with the Setup Assistant's Create Self-signed Certificate option. A wildcard certificate, or an SSL certificate issued for an alias or a different name, may not be used. If you are using a self-signed certificate, you will need to install the self-signed SSL certificate into the Trusted Root Certificate Authorities store. See Appendix 1 for more information.
7. Click Configure to configure the administrator notifications used to send email to the administrator with notifications regarding the Specops Password Reset license.
8. In the Email Settings field, enter the SMTP Server Name.
9. Enter the SMTP Username and SMTP Password.
   Note: If no credentials are specified, the server will authenticate as the service account it is running as.
10. Click OK.
11. Click Configure to configure the settings for the mobile verification message. This will generate an SMS verification code that will be used to authenticate users who request password resets through the helpdesk.
12. In the From email text field, enter the email address that will be used to send the validation message.
13. Configure the To email, Subject, and Body settings according to the specifications of your SMS provider.
14. From the Insert placeholder code drop-down box you can select the information that will be different for each user.
15. Click OK.
16. Click Install.
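The certificate rules in step 6 (exact FQDN match, no wildcard, trusted chain) can be checked before the Setup Assistant is run. The following PowerShell is an added example and not part of the Specops guide or product; it assumes the certificate is already in the local machine's Personal store, and the FQDN and thumbprint in the final line are placeholders to replace.

```powershell
# Added example, not part of the Specops guide: check a certificate in the local
# machine store against the rules in step 6: its name must equal the server FQDN,
# it must not be a wildcard, and (for a self-signed certificate) it must chain to
# a root this machine trusts. The FQDN and thumbprint below are placeholders.

function Get-CertificateDnsNames {
    # Returns the subject CN plus any DNS names from the Subject Alternative Name extension
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($san) {
        # On Windows, Format() yields text such as "DNS Name=spr.example.com, DNS Name=alt.example.com"
        $names += ($san.Format($false) -split ',\s*' |
                   Where-Object { $_ -like 'DNS Name=*' } |
                   ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    $names | Select-Object -Unique
}

function Test-SprServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,          # FQDN the Password Reset Server is addressed as
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $names = Get-CertificateDnsNames -Cert $cert
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Names          = ($names -join ', ')
        ExactFqdnMatch = [bool]($names | Where-Object { $_ -ieq $Fqdn })      # required by the guide
        IsWildcard     = [bool]($names | Where-Object { $_.StartsWith('*') })  # wildcard certs are not accepted
        HasPrivateKey  = $cert.HasPrivateKey                                   # needed to terminate TLS
        NotExpired     = ($cert.NotAfter -gt (Get-Date))
        ChainTrusted   = $cert.Verify()   # false for a self-signed cert until it is in Trusted Root (Appendix 1)
    }
}

# Placeholder values: replace with the server FQDN and the thumbprint of the certificate to check
Test-SprServerCertificate -Fqdn 'spr.example.com' -Thumbprint 'PASTE-THUMBPRINT-HERE'
```

A certificate is usable for the service when ExactFqdnMatch, HasPrivateKey, NotExpired and ChainTrusted are all True and IsWildcard is False. ChainTrusted is evaluated on the machine running the script, so a self-signed certificate will only pass after it has been imported into the Trusted Root store as described in Appendix 1.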

Installing the Specops Password Reset Web

The Specops Password Reset Web component presents the end user interface of the product and communicates with the Specops Password Reset Server to verify user input. During installation, you will be given the option to include the Specops Password Reset Web Service (Mobile Access). The Mobile Access component is used to enable the Specops Password Reset mobile device application to connect to the Specops Password Reset Server. The Specops Password Reset Web installation will also install the Specops Password Reset Web Customization tool, which can be used to manage language translations and graphical branding of the website.

1. From the Setup Assistant, select Web.
2. Verify that you have fulfilled the prerequisites. If you do not meet the prerequisites you may need to do the following:
   a. Verify that you are running a valid operating system.
   b. Verify that the account being used to run the Setup Assistant has local administrative permissions.
   c. Verify that IIS is installed.
   d. Configure IIS for Specops Password Reset.
3. Click Select to select which Specops Password Reset Server service you want the web component to connect to.
4. Enter the name of the server and click OK.
5. Click Select to identify the website where the Specops Password Reset Web will be installed.
   Note: If there is more than one website running on your IIS you may select which one you wish to use for the Specops Password Reset Web component. If the Web component is installed on a server in the internal network, and you want to direct your internal password clients to use the web server you are installing, Update the Service Connection Point information during installation should remain checked.
6. Click OK.
7. Click Select to select the certificate you wish to use for the SSL encryption, and click OK.
8. Click Install.
   Note: The Specops Password Reset Web Setup Wizard will appear. The Wizard will allow you to install the mobile component.
9. In the Specops Password Reset Web Setup Wizard, click Next.
10. Read and accept the license agreement, and click Next.
11. Select the drop-down box next to Password Reset Web Service (Mobile Access), and click Will be installed on local hard drive.
12. Click Next.
13. Click Install.

Install the web component in DMZ (if applicable)

1. Verify you have .NET 3.5 SP1 installed on the DMZ server.
2. Do not select Update the Service Connection Point information during installation.
   Note: This option will not be visible if the DMZ server is not joined to the domain.
3. If the certificate is installed on the server you will be able to select/view the certificate in the Setup Assistant.
   Note: If you are unable to select/view the certificate, continue with the Setup Assistant and select the SSL certificate in IIS Manager under Default Web Site > Bindings > https > Edit.
4. The DMZ zone that hosts your public-facing DNS records will need to be updated with a record providing a site name that is easier for end users to remember.
   Note: Names such as http://pwreset.contoso.com or https://pwchange.contoso.com are commonly used conventions.
5. Verify that port 4371 in your firewall is open to the internal Specops Password Reset Server.

Install the Administration Tools

Installing the Administration Tools will install the Specops Password Reset Configuration Tool and the GPMC snap-in. You can use the Configuration Tool to manage configurations that apply to your entire domain. You can use the GPMC snap-in to configure Specops Password Reset policies in a Group Policy Object. The GPO can then be applied to your entire domain or a part of your domain. The Administration Tools should be installed on the computer that you want to administer the product from.

1. From the Setup Assistant, select Administration Tools.
2. Click Add menu ext. to register the Specops Display Specifiers in the configuration partition of your Active Directory forest.
3. Click Install.

Installing the Client

Installing the Client will present a link to the Specops Password Reset Web application on the Windows logon screen, and present end user notifications about enrollment requirements. The Client should be installed on all domain-joined client machines and may be installed on any servers where access to the system is desired.

Deploy the Client using GPSI

You can automatically configure an existing Group Policy Object with Software Installation settings to deploy the Client in your domain. Alternatively, you can use another deployment solution to install the Client on the computers in your organization by downloading the MSI files.

1. From the Setup Assistant, select Deploy Specops Password Client using GPSI.
2. To select the Group Policy Object that will be used to deploy the Client, click Select GPO. You will be given the following options:
   Option: Create New GPO
     1. Click Create New GPO.
     2. Enter a new Group Policy Object name.
     3. Select the location you want to link the Group Policy Object to.
     4. Click OK.
   Option: Select an existing GPO
     1. Select an existing GPO from the list.
     2. Select a link for the chosen GPO, and click OK.
3. Click Download to download the installation files for the Client.
   a. In the dialog box, click Download Files.
   b. When the download is complete, click OK.
   Note: The files are copied to: C:\temp\SpecopsPassword_Setup[VersionNumber]\products\specopspasswordreset
4. To install the Client on all computers in your organization, you can:
   Option: Create a network share on the local computer and copy the MSI package to the new network share
     1. Click Create Share.
     2. Select a local path to create the share for, and click OK.
     3. Click Select share.
     4. Verify that the network path to the network share you created is correct, and click OK.
   Option: Select an existing network share and manually copy the MSI package to the existing network share
     1. Click Select Share.
     2. Browse to the location of the MSI package, and click OK.
   Note: It is recommended that you use a Distributed File System (DFS) share. If DFS is used with load balancing, verify that the setup files are copied to all servers before proceeding.
5. To create the packages for x86 and x64 deployments in the selected GPO, click Add Settings.
   Note: The Client Side Extension MSI will be deployed through a computer software installation and may not take effect until the computers have been restarted.

Deploy the Client using Specops Deploy / App or other deployment tools

If you are not deploying using Group Policy Software Installation (GPSI), you can download the Client for alternative deployment methods, such as Specops Deploy.

1. Download the Specops Client:
   https://download.specopssoft.com/release/client/specops.ureset.client-x64.msi
   https://download.specopssoft.com/release/client/specops.ureset.client-x86.msi
2. Double-click the Specops.uReset.Client-x64 or Specops.uReset.Client-x86 Windows Installer Package.
3. Accept the terms in the License Agreement, and click Install.
4. Click Finish.

Post-installation configuration

You will need to complete the following configuration settings once you have installed Specops Password Reset.

1. Import your license key.
2. Verify that your domain is configured for use with Specops Password Reset.
3. Enable authentication to the Password Reset Web Server.
4. Add members to the Specops Password Reset local security groups.
5. If using Secret Question authentication, ensure that users enroll in the system.
6. Install additional web servers you might want to use for external access.
7. Verify that the Specops Password Client is installed on your client machines.
8. Verify security settings for administrative accounts.
9. Configure access to Active Directory Fine-Grained Password Policies.
10. If you have installed the Mobile Access Web Service, configure your environment for use with the Mobile Access Web Service.
11. If you are using a proxy internally, you will need to add an exception to bypass authentication, and let the system browse to the Specops Password Reset web page without authentication.

Import your license key

Enter your license key in the Password Reset Configuration Tool.

1. Open the Specops Password Reset Configuration Tool.
2. In the navigation pane, select License.
3. Click Import License.
4. Browse to the location of the TXT file, and click Open.

Verify that your domain is configured for use with Specops Password Reset

1. Open the Specops Password Reset Configuration Tool.
2. In the navigation pane, select Domains.
3. Verify that your domain is listed under Configured Domains.

Enabling authentication to the Password Reset Web Server

Authentication to the Password Reset Web Server is done through Windows Integrated Authentication. For this to work, the browser must identify the service as an intranet server. If Windows Integrated Authentication is not used, the user will be prompted for their username and password, which will use Basic Authentication and send user information over HTTP.

Enable integrated authentication in Internet Explorer

1. Open the Group Policy Management Console.
2. Right-click the GPO node, and select Edit.
3. In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel, and select Security Page.
4. In the details pane, double-click Site to Zone Assignment List.
5. Click Enabled.
6. Click Show.
7. In the Value name text field, add your URL.
8. In the Value text field, use the value 1, which assigns the entry to the Local intranet zone.
9. In the Show Contents dialog box, click OK.
10. Click OK to finish.

Enable integrated authentication in Firefox

You can configure Firefox to use Windows Integrated Authentication.

1. Open Firefox.
2. In the address bar, type about:config
3. You will receive a security warning. To continue, click I'll be careful, I promise.
4. Change the following settings:
   network.negotiate-auth.delegation-uris = MySprServer.domain.com
   network.automatic-ntlm-auth.trusted-uris = MySprServer.domain.com
   network.automatic-ntlm-auth.allow-proxies = True
   network.negotiate-auth.allow-proxies = True

Enable integrated authentication in Chrome

To enable Chrome to use Windows Integrated Authentication, you must configure Chrome.exe. It is recommended that most organizations use the command-line alternative or modify the registry on one or a few computers. In other organizations, such as schools, where a teacher should be able to reset student passwords, it might be best to use a GPO for the teachers' OU.

Use the command line

You can add a chrome.exe shortcut on the user's desktop. Start Chrome with a command line containing the following:

--auth-server-whitelist="mysprserver.domain.com" --auth-negotiate-delegate-whitelist="mysprserver.domain.com" --auth-schemes="digest,ntlm,negotiate"

Modify the registry

Configure the following registry values with the corresponding data:

AuthSchemes
   Data type: String (REG_SZ)
   Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
   Mac/Linux preference name: AuthSchemes
   Supported on: Google Chrome (Linux, Mac, Windows) since version 9
   Supported features: Dynamic Policy Refresh: No, Per Profile: No
   Description: Specifies which HTTP authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
   Value: "basic,digest,ntlm,negotiate"

AuthServerWhitelist
   Data type: String (REG_SZ)
   Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
   Mac/Linux preference name: AuthServerWhitelist
   Supported on: Google Chrome (Linux, Mac, Windows) since version 9
   Supported features: Dynamic Policy Refresh: No, Per Profile: No
   Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will try to detect if a server is on the intranet and only then will it respond to IWA requests. If a server is detected as Internet, then IWA requests from it will be ignored by Chrome.
   Value: "MYSPRSERVER.DOMAIN.COM"

AuthNegotiateDelegateWhitelist
   Data type: String (REG_SZ)
   Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
   Mac/Linux preference name: AuthNegotiateDelegateWhitelist
   Supported on: Google Chrome (Linux, Mac, Windows) since version 9
   Supported features: Dynamic Policy Refresh: No, Per Profile: No
   Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will not delegate user credentials even if a server is detected as intranet.
   Example value: "MYSPRSERVER.DOMAIN.COM"

Configure GPO

1. Download the Zip file of ADM/ADMX templates and documentation from www.chromium.org/administrators/policy-templates.
2. Add the ADMX template to your central store. For more information, see the Specops Password Reset Administration Guide.
3. Configure a GPO with the Specops Password Reset server DNS host name in the Kerberos delegation server whitelist and Authentication server whitelist policies, with both policies enabled.
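The Internet Explorer zone assignment and the three Chrome policies above are all registry-backed, so on the "one or a few computers" case the guide mentions they can be written and verified with a script. The following PowerShell is an added example, not part of the Specops guide or product. It assumes an elevated session on a machine that is not already receiving these settings from a GPO (Group Policy would overwrite the values), uses the Site to Zone Assignment List policy's registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey) and the Chrome policy key from the table, and takes the AuthSchemes value from the guide's command-line example, which omits basic. The host name mysprserver.domain.com is the guide's placeholder.

```powershell
# Added example, not part of the Specops guide: write the registry-backed policies
# that make Internet Explorer and Chrome use Windows Integrated Authentication for
# the Password Reset site, then read them back. Run elevated, on a machine that is
# NOT already receiving these settings from a GPO. Host name is a placeholder.

$SprHost = 'mysprserver.domain.com'      # placeholder: Password Reset web server FQDN
$SprUrl  = "https://$SprHost"

# "Site to Zone Assignment List" stores one value per site under ZoneMapKey;
# data "1" = Local intranet zone, which is what IWA needs.
$IePolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
# Chrome reads its HTTP-auth policies from this key (the registry location in the table above).
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-SprBrowserIwaPolicy {
    New-Item -Path "$IePolicy\ZoneMapKey" -Force | Out-Null
    New-ItemProperty -Path $IePolicy -Name 'ListBox_Support_ZoneMapKey' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$IePolicy\ZoneMapKey" -Name $SprUrl `
        -PropertyType String -Value '1' -Force | Out-Null

    New-Item -Path $ChromePolicy -Force | Out-Null
    # Scheme list from the guide's command-line example. Leaving out 'basic' means a
    # failed Negotiate/NTLM attempt cannot fall back to sending the password itself.
    New-ItemProperty -Path $ChromePolicy -Name 'AuthSchemes' `
        -PropertyType String -Value 'digest,ntlm,negotiate' -Force | Out-Null
    New-ItemProperty -Path $ChromePolicy -Name 'AuthServerWhitelist' `
        -PropertyType String -Value $SprHost -Force | Out-Null
    # Delegation hands the user's Kerberos credentials to the listed server only;
    # keep this list to the Password Reset server, no wildcards.
    New-ItemProperty -Path $ChromePolicy -Name 'AuthNegotiateDelegateWhitelist' `
        -PropertyType String -Value $SprHost -Force | Out-Null
}

function Test-SprBrowserIwaPolicy {
    # Prints one line per check and returns $true only if all of them pass.
    $ie     = Get-ItemProperty -Path "$IePolicy\ZoneMapKey" -ErrorAction SilentlyContinue
    $chrome = Get-ItemProperty -Path $ChromePolicy -ErrorAction SilentlyContinue
    $checks = [ordered]@{
        'IE: site assigned to Local intranet zone' = ($ie.$SprUrl -eq '1')
        'Chrome: AuthServerWhitelist'              = ($chrome.AuthServerWhitelist -eq $SprHost)
        'Chrome: AuthNegotiateDelegateWhitelist'   = ($chrome.AuthNegotiateDelegateWhitelist -eq $SprHost)
        'Chrome: delegation list has no wildcard'  = ($chrome.AuthNegotiateDelegateWhitelist -notlike '*`**')
        'Chrome: AuthSchemes excludes basic'       = ([string]$chrome.AuthSchemes -ne '' -and
                                                      $chrome.AuthSchemes -notmatch '\bbasic\b')
    }
    foreach ($c in $checks.GetEnumerator()) { '{0,-45} {1}' -f $c.Key, $c.Value }
    return -not ($checks.Values -contains $false)
}

Set-SprBrowserIwaPolicy
Test-SprBrowserIwaPolicy
```

Chrome and Internet Explorer read these keys at start-up, so restart the browser before testing; the test function is also usable on its own to audit a machine that received the same settings through a GPO.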

Add members to the Specops Password Reset local security groups

Access to the Administration Tools is controlled through local security groups on the Specops Password Reset server. Users and groups must be members of the local security groups in order to access the Administration Tools.

1. Open Computer Management.
2. In the console tree, click Groups.
3. Browse to the following security groups:
   - Specops Password Configuration Admins
   - Specops Password Helpdesk Admins
   - Specops Password Enrollment Agents
   - Specops Password Reporting Admins
   - Specops Password Reporting Readers

Repeat the following steps for each of these groups:

1. Right-click the group (for example, Specops Password Configuration Admins) and select Properties.
2. Click Add.
3. Enter the name of the users or groups you want to select.
4. Click OK.
   Note: If more than one object matches the name, you will need to select one or more names from the list.
5. Click OK.
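Because these five local groups gate who can configure the product, reset other people's passwords, enroll users, or read reports, the membership is worth managing from a script and reviewing regularly rather than clicking through Computer Management on each server. The following PowerShell is an added example, not part of the Specops guide or product; it uses the group names from the list above, the Microsoft.PowerShell.LocalAccounts cmdlets, and placeholder domain group names (DOMAIN\...) that you would replace with your own.

```powershell
# Added example, not part of the Specops guide: add the principals that need each
# Administration Tools role to the matching local group on the Password Reset
# server (idempotently), then print the resulting membership for review.
# The group names are the ones the guide lists; the DOMAIN\... members are placeholders.

$RoleMembers = @{
    'Specops Password Configuration Admins' = @('DOMAIN\SPR-ConfigAdmins')
    'Specops Password Helpdesk Admins'      = @('DOMAIN\Helpdesk')
    'Specops Password Enrollment Agents'    = @('DOMAIN\SPR-EnrollmentAgents')
    'Specops Password Reporting Admins'     = @('DOMAIN\SPR-ReportingAdmins')
    'Specops Password Reporting Readers'    = @('DOMAIN\SPR-ReportingReaders')
}

function Add-SprLocalGroupMembers {
    param([hashtable]$Map = $RoleMembers)
    foreach ($group in $Map.Keys) {
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
            Write-Warning "Local group '$group' not found; is the Server component installed on this host?"
            continue
        }
        $current = @(Get-LocalGroupMember -Group $group | ForEach-Object Name)
        foreach ($member in $Map[$group]) {
            if ($current -contains $member) { continue }     # already a member: nothing to do
            Add-LocalGroupMember -Group $group -Member $member
        }
    }
}

function Get-SprLocalGroupReport {
    # One row per (group, member); the output can be saved and diffed against the
    # approved list to spot members that were added outside this process.
    foreach ($group in $RoleMembers.Keys) {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass, PrincipalSource
    }
}

Add-SprLocalGroupMembers
Get-SprLocalGroupReport | Sort-Object Group, Name | Format-Table -AutoSize
```

Populating the groups with domain groups rather than individual user accounts keeps the membership reviewable in Active Directory; the report function then shows whether any individual accounts have crept in on the server itself.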

Install additional web servers you might want to use for external access

Refer to the section Install the web component in DMZ (if applicable) in this documentation.

If using Secret Question Authentication, ensure that users enroll in the system

For information about the different enrollment options and best practices, see Specops Password Reset Enrollment Options and Best Practices.

Verify that the Specops uReset Client is installed on your client machines

Perform the following steps on the client to determine that the Specops uReset Client has been successfully installed.

1. View installed programs from the Control Panel:
   a. Open Programs and Features.
   b. In the list of installed programs, find Specops uReset Client.
   Note: You can also view the version of the Client here.
2. View installed programs from the registry:
   a. Open the Registry Editor.
   b. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Client.
   Note: The above key will only exist after the uReset Client has been installed.
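Both checks above can be run against many clients at once over WinRM, which is how you would confirm a GPSI deployment actually landed before users are told to expect the logon-screen link. The following PowerShell is an added example, not part of the Specops guide or product; it assumes PowerShell remoting is enabled on the targets, uses the registry key named in step 2, and looks the version up in the standard Programs and Features (Uninstall) registry entries. The computer names are placeholders.

```powershell
# Added example, not part of the Specops guide: query a list of computers for the
# registry key that exists only once the uReset Client is installed, and read the
# version from the Programs and Features (Uninstall) entries. Needs WinRM access to
# the targets; the computer names are placeholders (e.g. take them from Get-ADComputer).

$Computers = @('WS-001', 'WS-002')

function Get-SprClientStatus {
    param([string[]]$ComputerName = $Computers)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $keyPresent = Test-Path 'HKLM:\SOFTWARE\Specopssoft\uReset\Client'
        # Check both the 64-bit and the 32-bit Uninstall hives for the client's entry
        $uninstall = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        $entry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -like 'Specops uReset Client*' } |
                 Select-Object -First 1
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            RegistryKey = $keyPresent          # step 2 of the guide
            Installed   = [bool]$entry         # step 1 of the guide
            Version     = $entry.DisplayVersion
        }
    } | Select-Object Computer, RegistryKey, Installed, Version
}

function Get-SprClientGaps {
    # Machines missing the client, or in an inconsistent state (key without a program
    # entry, or vice versa), which usually means a half-finished install or removal.
    Get-SprClientStatus | Where-Object { -not ($_.RegistryKey -and $_.Installed) }
}

Get-SprClientStatus | Format-Table -AutoSize
Get-SprClientGaps   | Format-Table -AutoSize
```

Computers that cannot be reached show up as errors on the console rather than rows, so an empty gap list only means the reachable machines are fine.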

Verify security settings for administrative accounts

Windows contains many built-in security features designed to enhance the security around administrative accounts. One of these features is the AdminSDHolder functionality, which automatically reconfigures the ACL on objects which are members of built-in privileged Active Directory groups. This process runs every 60 minutes on the PDC Emulator and will remove the inherited permissions of your Specops Password Reset service account from the protected user objects. If you want your administrative accounts to be able to use Specops Password Reset, you must manually add permissions for the service account to the AdminSDHolder container.

1. Log in with an account with Domain Admin permissions and run the following command:

   dsacls "CN=AdminSDHolder, CN=System, <DomainDN>" /G "<ServiceAccount>:CCDC;classStore;" "<ServiceAccount>:LC;;" "<ServiceAccount>:CA;Reset Password;" "<ServiceAccount>:RP;userAccountControl;" "<ServiceAccount>:RPWP;mobile;" "<ServiceAccount>:RPWP;pwdLastSet;" "<ServiceAccount>:RPWP;lockoutTime;"

   Example:

   dsacls "CN=AdminSDHolder, CN=System, DC=example, DC=com" /G "EXAMPLE\sprsvc:CCDC;classStore;" "EXAMPLE\sprsvc:LC;;" "EXAMPLE\sprsvc:CA;Reset Password;" "EXAMPLE\sprsvc:RP;userAccountControl;" "EXAMPLE\sprsvc:RPWP;mobile;" "EXAMPLE\sprsvc:RPWP;pwdLastSet;" "EXAMPLE\sprsvc:RPWP;lockoutTime;"

2. Replace <DomainDN> and <ServiceAccount> with the domain components of your domain and the name of the SPR service account.

Note: Allowing Specops Password Reset to work with accounts that have administrative permissions is not best practice for security reasons. Enable these settings only if it is required by the practical reality of your organization.

Configure access to Active Directory Fine-Grained Password Policies

If Specops Password Reset is installed in a domain where fine-grained password policies are used, the Specops Password Reset Service Account must be granted permissions to read the configured password policies.

1. Log in with an account with Domain Admin permissions and run the following command:

   dsacls "CN=Password Settings Container,CN=System,<DomainDN>" /I:T /G "<ServiceAccount>:GR;;"

   Example:

   dsacls "CN=Password Settings Container,CN=System,DC=example,DC=com" /I:T /G "EXAMPLE\sprsvc:GR;;"

2. Replace <DomainDN> and <ServiceAccount> with the domain components of your domain and the name of the SPR service account.
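The two dsacls commands in this section and the previous one grant rights that are easy to get wrong and, in the AdminSDHolder case, are re-applied to protected accounts every 60 minutes, so it is worth reading the resulting ACEs back in a form that names the attributes and extended rights instead of showing GUIDs. The following PowerShell is an added example, not part of the Specops guide or product. It requires the ActiveDirectory module (the AD: drive and Get-ADObject), resolves GUIDs through the schema and the Extended-Rights container, and uses the guide's example account EXAMPLE\sprsvc as a placeholder.

```powershell
# Added example, not part of the Specops guide: list the access control entries the
# Password Reset service account holds on AdminSDHolder and on the Password Settings
# Container, translating attribute and extended-right GUIDs to names. Use it to confirm
# the dsacls grants, and again after an AdminSDHolder run (every 60 minutes on the PDC
# Emulator). Requires the ActiveDirectory module; 'EXAMPLE\sprsvc' is a placeholder.

Import-Module ActiveDirectory

function Get-AdGuidNameMap {
    # GUID -> name table from schema objects (attributes, classes) and extended rights,
    # so an ACE reads as "pwdLastSet" or "Reset Password" instead of a raw GUID.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Get-SprServiceAccountAces {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,          # DOMAIN\name, as given to dsacls
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $names = Get-AdGuidNameMap
    $containers = @(
        "CN=AdminSDHolder,CN=System,$DomainDN",
        "CN=Password Settings Container,CN=System,$DomainDN"
    )
    foreach ($dn in $containers) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
            ForEach-Object {
                # An all-zero ObjectType means the ACE applies to the whole object
                $target = if ($_.ObjectType -eq [guid]::Empty)        { '(entire object)' }
                          elseif ($names.ContainsKey($_.ObjectType)) { $names[$_.ObjectType] }
                          else                                        { $_.ObjectType.ToString() }
                [pscustomobject]@{
                    Container = ($dn -split ',')[0]
                    Type      = $_.AccessControlType
                    Rights    = $_.ActiveDirectoryRights
                    AppliesTo = $target
                    Inherited = $_.IsInherited
                }
            }
    }
}

function Test-SprFgppReadAccess {
    # True when the service account has an explicit Allow GenericRead (dsacls "GR")
    # on the Password Settings Container, which reading fine-grained policies needs.
    param([Parameter(Mandatory)][string]$ServiceAccount)
    $read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    [bool](Get-SprServiceAccountAces -ServiceAccount $ServiceAccount |
        Where-Object {
            $_.Container -eq 'CN=Password Settings Container' -and
            $_.Type -eq 'Allow' -and
            (($_.Rights -band $read) -eq $read)
        })
}

Get-SprServiceAccountAces -ServiceAccount 'EXAMPLE\sprsvc' | Format-Table -AutoSize
Test-SprFgppReadAccess  -ServiceAccount 'EXAMPLE\sprsvc'
```

On AdminSDHolder the listing should show exactly the rights the command grants (CreateChild/DeleteChild on classStore, ListChildren, the Reset Password extended right, and the per-attribute read/write entries) and nothing broader; anything beyond that on a container that is copied to every protected account is worth investigating.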

Configure your environment for use with the Mobile Access Web Service

If you installed the Mobile Access Web Service as part of the Specops Password Reset Web installation, complete the steps below before the service is ready for use within your organization.

1. Make the Mobile Access Web Service reachable from the internet: your firewall must allow inbound connections on TCP port 443 so that mobile devices can connect to the service over HTTPS. Because the devices connect from the internet, the service needs a certificate issued by a CA the devices already trust; a self-signed certificate distributed by Group Policy (Appendix 1) is only trusted by domain-joined computers.

2. Enable service discovery: to find the Mobile Access service, the application asks the user for their e-mail address. The domain part of the address is used in a DNS query for a service (SRV) record for the Mobile Access Web Service in that zone. The external (DMZ) DNS zone of every mail domain your users have must therefore contain a service record pointing to the Password Reset Mobile Access Service.

3. Create the Specops Password SRV record: the service record should be created in your mail-enabled external DMZ zone, by you or by your ISP depending on who manages the zone data. Use the following settings when creating the service record:

DNS record part   Value             Explanation
_service          _specopspassword  The name of the service.
_protocol         _tcp              The _specopspassword service is accessed over TCP.
Zone name         [zone]            The name of your internet zone. The full name of the service record for the example.com domain would be _specopspassword._tcp.example.com.
TTL               [TTL]             The time (in seconds) the record may be cached before it is considered obsolete. Every zone has a default TTL value, but a separate TTL can also be set for each record.
Class             IN                The standard DNS class field. This is always IN.
Priority          0                 If more than one target host exists for the service, the priority determines the preference between targets. Lower values mean higher preference.
Weight            0                 Relative weight used to balance load between targets that share the same priority. With a single target, use 0.
Port              443               The _specopspassword service is accessed over SSL/TLS on port tcp/443. If this configuration is changed on the web server, the port in the SRV record must be changed to match.
Target            [target FQDN]     The FQDN of the host running the Specops Password Reset Web Service. For a host called spr in the example.com domain, the target would be spr.example.com.

The complete record to connect clients to the host spr.example.com, in zone-file syntax, looks like this:

_specopspassword._tcp.example.com. 86400 IN SRV 0 0 443 spr.example.com.

4. Test the service record: the service record can be tested by running the following command:

nslookup -type=srv _specopspassword._tcp.[your_domain_name] 8.8.8.8

Querying a public resolver such as 8.8.8.8 instead of your internal DNS confirms that the record is visible from the internet, which is where the mobile devices will resolve it from.

Expected response:

nslookup -type=srv _specopspassword._tcp.example.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
_specopspassword._tcp.example.com SRV service location:
priority = 0
weight = 0
port = 443
svr hostname = spr.example.com
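The following PowerShell function is an added example, not part of the Specops documentation or the Mobile Access app. It reproduces the discovery the app performs (domain part of the e-mail address, SRV lookup at a public resolver, RFC 2782 ordering by priority and weight) and then checks that each advertised target actually accepts TCP connections on the advertised port, which the nslookup test above does not verify. user@example.com and 8.8.8.8 are the guide's example values, not real infrastructure.

```powershell
# Added example (not Specops code): simulate Mobile Access service discovery
# and check that the SRV target is reachable on the advertised port.
function Find-SpecopsMobileService {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        # A public resolver shows what internet clients see, not internal DNS.
        [string]$Resolver = '8.8.8.8'
    )
    # Discovery uses only the domain part of the address.
    $domain = ($EmailAddress -split '@', 2)[1]
    if (-not $domain) { throw "Not an e-mail address: $EmailAddress" }
    $name = "_specopspassword._tcp.$domain"

    # -DnsOnly skips LLMNR/NetBIOS; Resolve-DnsName may also return the
    # target's A/AAAA records, so keep only the SRV answers.
    $records = Resolve-DnsName -Name $name -Type SRV -Server $Resolver -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) { throw "No SRV record found for $name at $Resolver" }

    # RFC 2782 order: lowest priority first, higher weight preferred within a priority.
    $ordered = $records | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
    foreach ($srv in $ordered) {
        $tcp = Test-NetConnection -ComputerName $srv.NameTarget -Port $srv.Port `
                                  -WarningAction SilentlyContinue
        [pscustomobject]@{
            Record    = $name
            Priority  = $srv.Priority
            Weight    = $srv.Weight
            Port      = $srv.Port
            Target    = $srv.NameTarget
            PortIs443 = ($srv.Port -eq 443)   # must match the web server binding
            Reachable = $tcp.TcpTestSucceeded
        }
    }
}

# Example values from the guide; replace with a real address from your mail domain.
Find-SpecopsMobileService -EmailAddress 'user@example.com' | Format-Table -AutoSize
```

Run it from a machine outside your network, or at least one that does not use your internal DNS, so that the firewall rule from step 1 is exercised as well. Reachable = False with a correct record points at the firewall or the web server binding rather than at DNS; PortIs443 = False means the record and the server configuration have drifted apart.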

Appendix 1: Installing the Self-Signed SSL certificate into the Trusted Root Certificate Authorities Store

If you configured the Specops Password Reset web server to use a self-signed SSL certificate, users will receive a certificate warning when visiting the web server. To prevent this warning on domain-joined computers, you can use a GPO to install the self-signed certificate as a trusted root CA certificate.

Note: It is not recommended to use a self-signed server authentication certificate in a production environment. A certificate installed as a trusted root is trusted by every affected computer, so its private key must be protected as carefully as a CA key, and the GPO does not reach mobile devices or browsers that keep their own certificate store.

Install the Self-Signed SSL certificate into the Trusted Root Certificate Authorities Store

1. Open Microsoft Management Console.
2. Select File, and click Add/Remove Snap-in.
3. Select the Certificates snap-in, and click Add.
4. Select Computer account, and click Next.
5. Select Local computer, and click Finish.
6. Click OK.
7. In the left pane, expand Certificates (Local Computer).
8. Expand the Personal node, and click Certificates.
9. Right-click the newly created certificate, select All Tasks, and click Export.
10. The Certificate Export Wizard will open. Click Next to continue.
11. Verify that No, do not export the private key is selected, and click Next.
12. Verify that DER encoded binary is selected, and click Next.
13. Specify a file name with a .cer extension, and click Next.
14. Click Next.
15. Click Finish.

Deploy the Self-Signed certificate using Group Policy Objects

1. Open Group Policy Management Console.
2. Select a GPO that affects all computers that will be used with Specops Password Reset.
3. Right-click the GPO, and click Edit.
4. Browse to Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies.
5. Right-click Trusted Root Certification Authorities, and select Import.
6. The Certificate Import Wizard will open. Click Next to continue.
7. Click Browse to select the file that was previously exported, and click Open.
8. Click Next.
9. Ensure that Place all certificates in the following store is selected with Trusted Root Certification Authorities as the store, and click Next.
10. Click Finish.

The settings will be applied to all affected computers during the next Group Policy refresh interval.
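The following PowerShell is an added example, not part of the Specops documentation. Part 1 runs on the web server and performs the export of steps 9 to 15 above (DER encoded, no private key). Part 2 runs on a domain-joined client after the next Group Policy refresh (or gpupdate /force) and confirms both that the certificate is present in Trusted Root Certification Authorities and that a TLS handshake with the web server now validates, which is the condition that makes the browser warning disappear. spr.example.com and the export path are assumptions.

```powershell
# Added example (not Specops code). Part 1: export the self-signed certificate
# on the web server. Part 2: verify on a client that the GPO took effect.
$WebHost = 'spr.example.com'            # assumption: the web server's FQDN
$CerPath = 'C:\Temp\spr-selfsigned.cer'  # assumption: export location

# --- Part 1 (web server): same result as wizard steps 9-15 ---
function Export-SprCertificate {
    param([string]$DnsName, [string]$Path)
    # Self-signed: subject and issuer are identical. Take the newest one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "*CN=$DnsName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No self-signed certificate for $DnsName in LocalMachine\My" }
    # -Type CERT writes DER-encoded X.509 and never includes the private key.
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    return $cert.Thumbprint
}

# --- Part 2 (client): is the root installed, and does the handshake validate? ---
function Test-SprTrust {
    param([string]$HostName, [string]$ExpectedThumbprint, [int]$Port = 443)
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                     Where-Object Thumbprint -eq $ExpectedThumbprint)
    $handshakeOk = $false; $presented = $null; $failure = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # Throws AuthenticationException on an untrusted chain or a name
            # mismatch, the same conditions that produce the browser warning.
            $ssl.AuthenticateAsClient($HostName)
            $handshakeOk = $true
            $presented = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                              $ssl.RemoteCertificate)).Thumbprint
        } catch [System.Security.Authentication.AuthenticationException] {
            $failure = $_.Exception.Message
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
    [pscustomobject]@{
        RootInstalled     = $inRoot
        HandshakeTrusted  = $handshakeOk
        ServerCertMatches = ($presented -eq $ExpectedThumbprint)  # no substituted cert
        Error             = $failure
    }
}

# On the web server:
#   $thumb = Export-SprCertificate -DnsName $WebHost -Path $CerPath
# On a client, after Group Policy has refreshed, using the thumbprint noted above:
#   Test-SprTrust -HostName $WebHost -ExpectedThumbprint $thumb | Format-List
```

RootInstalled = False after a refresh means the GPO does not apply to that computer (check the GPO link and security filtering). RootInstalled = True with HandshakeTrusted = False usually means the certificate's subject or subject alternative name does not match the host name users type, which a trusted root cannot fix; reissue the certificate for the correct name. Pinning the expected thumbprint in the check also makes it obvious if something between the client and the server is presenting a different certificate.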

Support

Congratulations! You have successfully installed and configured Specops Password Reset. For more information, you can find the Administration Guide at:
http://www.specopssoft.com/support-docs/specops-password-reset/administration/

Online
We recommend submitting your case directly on our website at:
http://www.specopssoft.com/support-contact/

Telephone
International: +46 8 465 012 50, Monday - Friday 09:00-17:00 CET
North America: +1-877-SPECOPS (773-2677), Monday - Friday 09:00-17:00 EST