Password Reset for Remote Users

1. Introduction

Courion provides a component for the PasswordCourier Password Provisioning System that manages the local password cache in conjunction with self-service password reset activities. The solution provides a seamless experience for the end user, whether they are a user who is connected to the corporate network or a remote user.

The local desktop password cache in Microsoft Windows is used to streamline the logon process and the use of credentials on the desktop. For a smooth end user experience, interaction with the local password cache must be considered when deploying PasswordCourier. The most seamless end user experiences with password management incorporate elements that manage the local password cache. Several password reset deployment scenarios with local cache considerations are discussed in this document.

2. Local Password Cache

The local password cache in Windows simplifies the end user experience for network access and network logon. The cache itself resides on each Windows system where users log on interactively. By default the last 10 logons are cached and stored in a protected area of the Windows registry and in process memory. The Windows operating system manages the local password cache. For example:

- an interactive logon adds a cache entry
- an end user password change initiated with Ctrl-Alt-Del updates the password cache

2.1 Accessing Network Resources

When access to a network resource is requested by a user, the credentials (username and password pair) are retrieved from the cache (if they are stored) and provided to the resource. This removes the need to interactively prompt the user for their credentials each time a network resource is requested.

2.2 Logon When Domain is Unavailable (Remote User)

Users may be authenticated against the cached credentials rather than the Windows domain. This is most useful when the user is remote and network connectivity has not been established to the domain, or when the domain is unavailable. Logon verifies the username/password pair against the cached credentials, logs the user on, and grants them access to the Windows desktop for their domain account.

3. Deployment Challenges

PasswordCourier administrators must consider how password management operations interact with the local password cache in a deployment.

3.1 Web-Based Self-Service Change

Password changes initiated with the PasswordCourier Web Access Option need to interact with the local password cache when the Windows account is logged on. Without proper management of the cache, old credentials that are resident in the cache are presented when a network resource is accessed. Because the credentials are old (invalid), authentication fails, and the account may become locked out with repeated access attempts.
For example: Chris Smith is logged into the domain CORPDOMAIN using account csmith with password abcd1234. Chris initiates a synchronized password change in PasswordCourier using the web access option: Chris changes the password for CORPDOMAIN\csmith to wxyz7890. The password change for CORPDOMAIN (and other targets) succeeds. At this point the domain password and the cache password are out of sync:

- The password in CORPDOMAIN is wxyz7890
- The password in the desktop local cache is abcd1234

Chris launches Microsoft Outlook: Microsoft Outlook presents the old cached credentials to the Exchange Server. The authentication fails, and the invalid logon attempt count is incremented. This process repeats until the csmith account is locked out.
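The lockout pattern above (a password change followed by a burst of failed validations from one workstation until the account locks) is recognisable in the domain controller's Security log. The script below is an added example and not part of the Courion document: it correlates Windows Security event IDs 4723/4724 (password change/reset), 4771/4776 (failed Kerberos pre-authentication / NTLM validation) and 4740 (account locked out) to flag lockouts that look like stale cached credentials rather than an attack. The event records are constructed sample data shaped after the Chris Smith scenario; the property names TimeCreated, Id, TargetUserName and Workstation are an assumed normalised shape, since the real events carry the source host under different field names per event ID.

```powershell
# Added example, not from the Courion document: flag lockouts that follow a password
# change and a burst of failed validations from one host (the stale-cache pattern of 3.1).
# Event IDs: 4723/4724 = password change/reset, 4771/4776 = failed validation, 4740 = lockout.

function Find-StaleCacheLockouts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # normalised events (assumed shape, see lead-in)
        [int] $WindowMinutes = 30                    # how far back from the lockout to look for a change
    )
    $lockouts = $Events | Where-Object Id -eq 4740
    foreach ($lock in $lockouts) {
        $user  = $lock.TargetUserName
        $start = $lock.TimeCreated.AddMinutes(-$WindowMinutes)

        # Most recent password change/reset for this account inside the window.
        $change = $Events | Where-Object {
            ($_.Id -in 4723, 4724) -and $_.TargetUserName -eq $user -and
            $_.TimeCreated -ge $start -and $_.TimeCreated -le $lock.TimeCreated
        } | Sort-Object TimeCreated | Select-Object -Last 1
        if (-not $change) { continue }   # lockout without a recent change: some other cause

        # Failed validations between the change and the lockout, which is what a stale cache produces.
        $failures = @($Events | Where-Object {
            ($_.Id -in 4771, 4776) -and $_.TargetUserName -eq $user -and
            $_.TimeCreated -gt $change.TimeCreated -and $_.TimeCreated -le $lock.TimeCreated
        })

        [pscustomobject]@{
            User            = $user
            PasswordChanged = $change.TimeCreated
            LockedOut       = $lock.TimeCreated
            FailureCount    = $failures.Count
            SourceHosts     = (@($failures | ForEach-Object Workstation | Sort-Object -Unique)) -join ','
        }
    }
}

# Constructed sample events (not real log output) modelled on the csmith scenario.
$t0 = Get-Date '2011-05-02T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               Id = 4723; TargetUserName = 'csmith'; Workstation = 'PWC-WEB01' }      # web self-service change
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); Id = 4776; TargetUserName = 'csmith'; Workstation = 'CSMITH-LAPTOP' }  # Outlook replays the old cached password
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); Id = 4776; TargetUserName = 'csmith'; Workstation = 'CSMITH-LAPTOP' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); Id = 4776; TargetUserName = 'csmith'; Workstation = 'CSMITH-LAPTOP' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(4); Id = 4740; TargetUserName = 'csmith'; Workstation = 'CSMITH-LAPTOP' }  # locked out
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(9); Id = 4740; TargetUserName = 'jdoe';   Workstation = 'JDOE-PC' }        # no preceding change: ignored
)

Find-StaleCacheLockouts -Events $sample | Format-Table -AutoSize
```

Run against the sample data this reports one row, csmith with three failures from CSMITH-LAPTOP, and ignores the jdoe lockout because no change preceded it. To feed real data, pull the five IDs from the Security log on a domain controller with Get-WinEvent -FilterHashtable and map each event's XML fields into the assumed shape; a single source host accounting for all failures right after a change is the signature of an unmanaged cache, whereas many hosts or no change points elsewhere.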

3.2 Remote User Self-Service Reset

Remote users typically log on and authenticate against credentials in the local password cache to gain access to their desktop. Then they establish VPN connectivity to the domain and network resources. In this scenario, the Windows domain is not available prior to logon. If the user forgets the password (as stored in the local password cache), they cannot log on and cannot get to a desktop. Hence they cannot access an automated solution. They have a few options:

- The user may log on using a different local account
- The user may log on with a different domain account that is cached
- The user may wait until the system is connected directly to the corporate network (may work for laptops but not for remote offices)
- Self-service reset may be initiated on the telephone. But telephone-based solutions reset the password in the Windows domain and do not update the password stored in the local cache.

4. How Does It Work

Courion provides an ActiveX control (CourLocalControl) that manages the local password cache during a password reset action. The control is incorporated into the Web Access Option for PasswordCourier. After a successful reset, the CourLocalControl is loaded in the web browser that is running on the user's desktop. The control uses a Windows API call to communicate with the Windows domain where the reset occurred and update the local password cache.

NOTE: the CourLocalControl requires network connectivity to the Windows domain controller, whether through a VPN connection or through a hard-wired connection. Also, the web browser security settings must allow the CourLocalControl (ActiveX) to execute.

The following scenario illustrates the use of the Web Access Option.

Figure 1 - Updating the Local Password Cache

5. Deploying PasswordCourier

5.1 Web-Based Self-Service Change

This scenario is easily solved. As described in the previous section, the CourLocalControl is used with the PasswordCourier Web Access Option to update the local credential cache on the desktop where the web browser is running.

- The user is already logged on.
- A successful web-based reset is executed on the Windows domain account.
- CourLocalControl updates the cache on the desktop where the browser is running, for the domain account.
- The user continues their day-to-day activities without interruption of service.

5.2 Remote User Self-Service Reset

Remote users in need of a local cache reset face a unique challenge: they do not have access to the Windows domain controller. A kiosk approach is used to address this problem.

- Log in with a local account (kiosk account) that has limited access.
- Network connectivity to the domain controller is established (required by the CourLocalControl).
- The Internet Explorer browser is started in kiosk mode and launches PasswordCourier.
- CourLocalControl is used in the same fashion to update the local password cache.

5.2.1 Desktop Deployment Steps

Configuration steps are needed on each system that supports password reset for remote, disconnected users. Successful adoption requires that employees be aware of the solution and trained on how to use it. This is discussed further in the next section of this document.

1. Create a local account on the desktop system with limited privileges (least privilege).
2. Set the properties on the account so the user cannot change the password and the password should not expire. Your security policy determines whether a password is required.

Figure 2 - Kiosk Account

3. Determine the security identifier (SID) of the kiosk account. Log in as the kiosk user, in this example courionreset. Use the registry editor to find the SID of the kiosk account. View HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

Figure 3 - ProfileList Registry Key

4. Browse the SIDs, and use the data in the right pane to find the kiosk account.

Figure 4 - Kiosk Account Profile Information

5. Configure the kiosk account to launch a web browser in kiosk mode immediately after successful logon, making only the PasswordCourier web pages available. Use the registry editor to open the SID for the kiosk account under HKEY_USERS:

   HKEY_USERS\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

   Create a new string value under the SID named Shell. Add a value for Shell that starts Internet Explorer in kiosk mode and loads an initial web page for PasswordCourier:

   "C:\Program Files\Internet Explorer\iexplore.exe" -k https://<<url>>

   NOTE: double quotes are required because of spaces in the pathname.

Figure 5 - Change the Shell

6. Define a login script that establishes network connectivity to the domain controller. Typically it will create a VPN connection.
7. Verify that execution of the CourLocalControl ActiveX control is allowed.
8. Test the kiosk account with PasswordCourier.

5.2.2 Remote User Experience

The remote user community must be trained to follow these steps to initiate a reset of their cached password. In this scenario, Chris Smith (our employee) is traveling with a laptop and has forgotten the cached password. Chris is connected to the Internet connection in a hotel.

1. User Chris Smith (csmith) attempts to log in with the CORPDOMAIN\csmith account, but has forgotten the password, or the password is not contained in the local cache.
2. Chris cannot access the Windows desktop, and does not have access to the browser.

3. Chris could initiate a reset over the telephone, but this reset does not update the cache on the laptop in the hotel room (i.e., no connectivity to corporate resources).
4. Chris logs in with a local account named MYLAPTOP\reset. No password is needed.
   a. The account logs in.
   b. A script is run to silently establish a VPN connection.
   c. The browser is launched, pointing to the PasswordCourier web pages.
5. Chris authenticates and selects the corporate domain, CORPDOMAIN, for reset.
6. Upon a successful reset, the CourLocalControl is downloaded and updates the laptop's local password cache with the new password.
7. Chris uses Ctrl-Alt-Del to log out.
   a. An alternate approach automatically logs out after the reset status is shown in PasswordCourier.
8. Chris logs in again with CORPDOMAIN\csmith and the new password.
   a. Login is successful because the cache has been updated.
9. Chris proceeds with the normal activities such as launching the VPN, starting Outlook and accessing network drives.

5.3 Distribution Method

Windows XP users will require "Enable Automatic prompting for ActiveX controls" to be set in the security options for Internet Explorer to download the control. If this is not enabled, the download message bar from Microsoft forces a page refresh to download the control.

Recommended distribution methods:

1. Distribute the control via Active Directory policy.
2. Distribute the control with Direct! via a silent installation.

A script which distributes the control must contain the following:

   copy CourLocalControl.dll to system32
   copy CourLocalMsg.dll to system32
   regsvr32 /s CourLocalControl.dll

Windows 2000 users require the 'act as part of the OS' Group Policy setting.

6. Training and Adoption

Successful adoption of an automated solution requires that employees be aware of the solution and trained on how to use it. It is not sufficient to deploy the solution. The most benefit and ROI is achieved when the solution is widely used and expensive calls to the support center are avoided.
Courion's Self-Service Attainment (SSA) Program provides a comprehensive set of guidelines, concrete actions and professional support to accelerate end user adoption of your self-service applications. Typically SSA (promotion, education and training) targets both the users of the self-service solution and the support staff employees who typically work with the end user community.
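The desktop deployment steps of section 5.2.1 above are written for the registry editor; the script below is an added example, not Courion's code, that performs steps 1 to 5 unattended on one desktop so that the kiosk account is provisioned identically on every machine. It assumes a current Windows build with the Microsoft.PowerShell.LocalAccounts cmdlets (the page itself targets XP and Windows 2000, where these do not exist), takes the page's sample account name courionreset, and keeps the page's https://<<url>> placeholder for the PasswordCourier address. The Shell value written is the one the page gives; the hive-loading logic and the ProfileList existence check are additions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Courion's code: automates steps 1-5 of section 5.2.1.
# Assumptions: LocalAccounts cmdlets available; 'courionreset' and https://<<url>> are the
# page's sample name and placeholder and must be replaced for a real deployment.

function New-KioskAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [securestring] $Password     # omit for a blank-password account; the page leaves this to policy
    )
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $common = @{ Name = $Name; Description = 'PasswordCourier cache-reset kiosk'; AccountNeverExpires = $true }
        if ($Password) { New-LocalUser @common -Password $Password | Out-Null }
        else           { New-LocalUser @common -NoPassword        | Out-Null }
    }
    # Step 2: the user cannot change the password and it does not expire.
    Set-LocalUser -Name $Name -UserMayChangePassword $false -PasswordNeverExpires $true
    # Step 1: least privilege means plain 'Users' membership and nothing administrative.
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
    # Step 3: the SID, obtained directly instead of by browsing ProfileList in the registry editor.
    return (Get-LocalUser -Name $Name).SID.Value
}

function Set-KioskShell {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [Parameter(Mandatory)] [string] $ResetUrl
    )
    # Steps 3-4: a ProfileList entry exists only after the kiosk user has logged on once.
    $profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
    if (-not (Test-Path -Path $profileKey)) {
        throw "No ProfileList entry for $Sid; log on as the kiosk user once, then rerun."
    }
    $ntuser = Join-Path (Get-ItemProperty -Path $profileKey).ProfileImagePath 'NTUSER.DAT'

    # HKEY_USERS\<SID> is only present while that hive is loaded; load it from NTUSER.DAT if needed.
    $hiveRoot   = "Registry::HKEY_USERS\$Sid"
    $loadedHere = $false
    if (-not (Test-Path -Path $hiveRoot)) {
        & reg.exe load "HKU\$Sid" $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }
        $loadedHere = $true
    }
    try {
        # Step 5: per-user Shell; the quotes are required because of the spaces, -k is IE kiosk mode.
        $winlogon = "$hiveRoot\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        New-Item -Path $winlogon -Force | Out-Null
        $shell = "`"C:\Program Files\Internet Explorer\iexplore.exe`" -k $ResetUrl"
        New-ItemProperty -Path $winlogon -Name 'Shell' -Value $shell -PropertyType String -Force | Out-Null
        return (Get-ItemProperty -Path $winlogon -Name 'Shell').Shell
    }
    finally {
        # Release PowerShell's handles before unloading a hive we loaded ourselves.
        if ($loadedHere) { [gc]::Collect(); & reg.exe unload "HKU\$Sid" | Out-Null }
    }
}

$sid = New-KioskAccount -Name 'courionreset'   # add -Password (Read-Host -AsSecureString) if policy requires one
"Kiosk account SID: $sid"
Set-KioskShell -Sid $sid -ResetUrl 'https://<<url>>'
```

Because the Shell value replaces Explorer for that account only, the kiosk user never sees a desktop, which is the containment the page relies on; keep the account out of every administrative and remote-access group, and note that step 6 (the VPN logon script) depends on the VPN client in use and is not covered here.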
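Section 5.3 above lists the three actions a silent distribution script must perform. The following is an added example, not Courion's installer, that carries them out and adds two checks the page does not mention: it refuses to copy a DLL whose Authenticode signature does not verify, and after regsvr32 /s (which shows no dialogs, so the exit code is the only failure signal) it confirms that a CLSID now points at the copied control. The staging path is a hypothetical placeholder; the page names no source location.

```powershell
#Requires -RunAsAdministrator
# Added example, not Courion's installer: the section 5.3 distribution script with a
# signature check before copying and a registry check after registration.
# Assumption: $SourceDir is a placeholder staging folder not named on the page.

param([string] $SourceDir = '\\fileserver\deploy\CourLocalControl')   # placeholder

$system32 = Join-Path $env:SystemRoot 'System32'
$dlls     = 'CourLocalControl.dll', 'CourLocalMsg.dll'

foreach ($dll in $dlls) {
    $src = Join-Path $SourceDir $dll
    if (-not (Test-Path -Path $src)) { throw "Missing $src" }
    # Do not install a binary whose signature (chain and hash) does not verify.
    $sig = Get-AuthenticodeSignature -FilePath $src
    if ($sig.Status -ne 'Valid') { throw "$dll signature status is $($sig.Status); not installing" }
    Copy-Item -Path $src -Destination (Join-Path $system32 $dll) -Force
}

# regsvr32 /s suppresses all output, so check the exit code explicitly.
$ctl  = Join-Path $system32 'CourLocalControl.dll'
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$ctl`"" -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

# Verify registration: some CLSID's InprocServer32 default value must now name the copied DLL.
$registered = @(Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' |
    ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
    Where-Object { $_.'(default)' -like '*CourLocalControl.dll' })
if ($registered.Count -eq 0) { throw 'CourLocalControl.dll did not register an InprocServer32 entry' }

$clsids = ($registered | ForEach-Object { Split-Path -Leaf $_.PSParentPath }) -join ', '
"CourLocalControl registered under CLSID(s): $clsids"
```

The same verification is useful after the Active Directory policy route: a machine where the CLSID lookup finds nothing will prompt the user to download the control instead, which on the Windows XP systems the page describes is exactly when the "Automatic prompting for ActiveX controls" setting starts to matter.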

Trademarks

(c) 1996-2011 by Courion Corporation. All rights reserved. Courion, the Courion logo, AccountCourier, CertificateCourier, PasswordCourier, and ProfileCourier are all registered trademarks of Courion Corporation. Access Assurance Suite, AuditLink, DIRECT!, ComplianceCourier, Dynamic Community, the ez Install logo, IdentityLink, IdentityMap, Policy Publisher, PolicyLink, AssetLink, and ServiceLink are trademarks of Courion Corporation. Microsoft Corporation, Microsoft Windows 98, 2000, Microsoft Windows NT, Microsoft Excel, Microsoft Access, Microsoft Internet Explorer, and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Microsoft is a U.S. registered trademark of Microsoft Corp. All other products and companies mentioned in this document may be the trademarks of their associated organizations.

ABOUT COURION

Courion's award-winning Access Assurance solutions are used by more than 450 organizations and over 12 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion's business-driven approach results in unparalleled customer success by ensuring users' access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at www.courion.com, our blog at http://blog.courion.com/, or on Twitter at http://twitter.com/courion.

Copyright 2008 Courion Corporation. Courion, the Courion logo, Access Assurance Suite, AccountCourier, RoleCourier, ComplianceCourier, PasswordCourier, ProfileCourier, and CertificateCourier are registered trademarks or trademarks of Courion Corporation. All other company and product names may be trademarks of their respective owners. PWCRU001-05-08