Article ID: 2443871 - Last Review: October 21, 2011 - Revision: 6.0

FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

On This Page

Expand all | Collapse all

SUMMARY

Important

The changes that are outlined in this document have to be implemented in a test environment before you deploy the change to a production environment.

Server certificates are required on any domain controller that holds, or may hold, the PDC emulator FSMO role. This change should be discussed with the appropriate IT groups to make sure correct testing and rollout of LDAP SSL in the production environment.

If a problem occurs in production where Self-Service Password Reset no longer works after you implement this change, disable the new functionality in the Registry to return FIM to the original SSPR functionality.
Back to the top

Password Reset

Password reset in the Active Directory is historically been done in proxy by helpdesk personnel or user administrators. In this scenario, it is important to buffer those working in proxy from the end-user’s password history to preserve security.
With the release of Microsoft Forefront Identity Manager (FIM) 2010, Microsoft offers an application that enables end-users to reset their passwords without calling helpdesk. In this scenario, it is important to enforce all password policies so that users do not use the Self-Service Password Reset functionality in FIM to bypass organizational policies.
Until this change, all Windows APIs available to reset passwords in the domain did not enforce all domain password policies. This document describes how to install and configure Self-Service Password Reset in FIM 2010 to enforce all password policies configured in the domain.
Back to the top

Password Operations in the Active Directory Management Agent in FIM 2010

Since MIIS 2003, the Active Directory management agent uses the Kerberos APIs for both Change Password and Reset Password operations. With the change described in this document, a new way of resetting passwords is added to the Active Directory management agent. You can use LDAP APIs over an LDAP SSL connection.
Back to the top

Overview Steps to enable Password Policy Enforcement in FIM SSPR

  • Install the hotfix update for Windows Server 2008 R2 or for Windows Server 2008 on the domain controller with the PDC emulator role.
  • Install the following Forefront Identity Manager (FIM) 2010 updates for the FIM server components:
    • The FIM Synchronization Service update
    • The update of FIM Portal and Service
  • Configure for LDAP over SSL connections between the FIM Synchronization Service and PDC Emulator role owner. Enable Self-Service Password Reset to enforce all domain password policies that use the ADMAEnforcePasswordPolicy registry value.
Back to the top

MORE INFORMATION

File and Installation Information

Components for both Windows Active Directory and Forefront Identity Manager must be installed to enable this new functionality.

Collapse this tableExpand this table
ComponentArticle TitleHotfix Download URL
Windows Server 2008 R2The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based or a Windows Server 2008-based computerhttp://support.microsoft.com/hotfix/kbhotfix.aspx?kbnum=2386717 (http://support.microsoft.com/hotfix/kbhotfix.aspx?kbnum=2386717)
Windows Server 2008The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based or a Windows Server 2008-based computerhttp://support.microsoft.com/hotfix/kbhotfix.aspx?kbnum=2386717 (http://support.microsoft.com/hotfix/kbhotfix.aspx?kbnum=2386717)
Forefront Identity Manager 2010Hotfix Package Build 4.0.3561.2 for Microsoft Forefront Identity Manager (FIM) 2010http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2417774 (http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2417774)

Back to the top

Installation Instructionsf

Domain Controller Overview

Requirements
  1. You must have a Windows Server 2008 R2-based or Windows Server 2008-based Domain Controller.
  2. You must own the PDC Emulator role in the domain.
    • FIM accesses the PDC emulator for all password reset operations.
    • Each domain hosting users who will reset their passwords through FIM must have the DC with the PDC Emulator role updated with this hotfix build.
  3. You must have Lightweight Directory Access Protocol (LDAP) over SSL Communications between the FIM Synchronization Service and the domain controller installed.
    • For LDAP over SSL to work correctly, the DC must have a server certificate (Domain Controller certificate template).
    • Basics of the certificate requirements is documented in the following KB article:321051  (http://support.microsoft.com/kb/321051/ ) How to enable LDAP over SSL with a third-party certification authority.
    • Instructions for configuring Active Directory Certificate Services are in Appendix 1 of this document.

Installing the hotfix update for Windows

Use the Run as Administrator option when you run the appropriate executable documented in the following table on the domain controller.
Collapse this tableExpand this table
FilenamePlatform
Windows6.1-KB2386717-ia64.msuia64
Windows6.1-KB2386717-x64.msux64
Windows6.1-KB2386717-x86.msux86
Windows6.0-KB2386717-x64.msux64
Windows6.0-KB2386717-x86.msux86


To make sure that the hotfix is installed as expected, LDP.exe can be used to check for the new LDAP control that is installed with the hotfix. LDAP control information is returned in the “supportedControl” attribute in the RootDSE.
New Control OID: "1.2.840.113556.1.4.2066"
Please see Appendix 4 for more information about checking the RootDSE for this new control that uses ldp.exe.
FIM 2010 Server Components
Download and then install the following FIM 2010 server components:
  • FIM Synchronization Service
  • FIM Service
  • FIM Portal

Configuration Steps

LDAP over SSL Connections
The basic requirements for establishing an LDAP connection over SSL to a domain controller:
  1. The domain controller must have a certificate issued to it based on the Domain Controller certificate template.
    Note Appendix 1 has information on how to perform this in a simple scenario.
  2. The FIM Service server must trust the CA that issued the certificate to the Domain Controller.
    Note Information on how to perform this is in Appendix 1 of this document.

Enabling Password Policy Enforcement in FIM 2010

Enabling password history enforcement in FIM 2010 is finished by making a registry setting. This must be configured for each Active Directory management agent on which we want to enable password policy enforcement.
Important By default, this setting is disabled for all Active Directory management agents.
Note In the following Registry Key example, <ma name> should be replaced with the name of the Active Directory MA to be configured.
Registry Key:
SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>

Registry Value:Set ADMAEnforcePasswordPolicy = 1 to enforce password history. All other values are interpreted as turning off the new functionality.

Testing and Troubleshooting

The appendixes at the end of this document provide additional information that may be helpful when you configure a simple test environment. There are also links for troubleshooting LDAP over SSL connections.

Appendix 1: Set Up A Simple Test Configuration


Note The steps in this appendix are not meant to be used in a Production environment. The planning and deployment of certificates in the production environment should be carefully considered for the whole security infrastructure of the network.

Enable LDAP SSL in a Test Environment that uses Active Directory Certificate Services to issue the server cert to the domain controller.

Install Active Directory Certificate Services

  1. Open Server Manager.
  2. Select Roles, and then click Add Roles in the center pane.
  3. In the Select Server Roles window, select Active Directory Certificate Services, and then click Next.
  4. Select Certification Authority and Certification Authority Web Enrollment in the role services list, and then click Next.
  5. In the Specify Setup Type window, select the Enterprise option, and then click Next.
  6. In the Specify CA Type window, select the Root CA option and then click Next.

Configuring the Domain Controller Certificate Template to enable Enrollment

  1. Check the Domain Controller certificate template Security properties to make sure Domain Controllers have the Enroll permission.
    1. In the Server Manager, expand the Active Directory Certificate Services role.
    2. Click to select Certificate Templates.
    3. In the list of certificate templates, click to view the properties of the Domain Controller certificate template.
    4. Click the Security tab.
    5. Click the Domain Controllers security identity.
    6. Confirm the Enroll permission is granted.
  2. Make sure that the Domain Controller certificate template is published in the Certification Authority.
    1. In the Active Directory Certificate Services tree, expand the Certification Authority tree that has the same name as given to the Certification Authority on setup.
    2. Under the Certification Authority tree, click the Certificate Templates container
    3. Check the right side pane to make sure that the Domain Controller certificate template is listed.
    4. If the Domain Controller certificate template is not listed, follow these steps:
      1. Right-click the Certificate Templates folder again.
      2. Rest your mouse on New.
      3. Click to select Certificate Template to Issue.
      4. In the Enable Certificate Templates dialog box, click to select Domain Controller certificate template.
      5. Click OK to save the changes
You are now ready to request a new certificate for your domain controller based on the Domain Controller certificate template.

Requesting a Certificate for the Domain Controller

On the Domain Controller
  1. Run the mmc.exe utility.
  2. In the File menu, select Add/Remove snap-in.
  3. Select Certificates.
  4. When you are prompted, select Computer Account and then click Next.
  5. Select the local computer account and then finish adding the snap-in.
  6. In the Certificates (local computer) snap-in, expand the tree.
  7. Click to select the Personal folder.
  8. From the Action menu, select All Tasks / Request New Certificate.
  9. On the screen that asks you to select the Certificate Enrollment Policy, accept the default and then click Next.
  10. Click the check-box next to Domain Controller and then click Enroll.

Click the check-box next to “Domain Controller” and then click the “Enroll” button

Trusting the Root CA on the FIM Sync computer

On the Certification Authority computer
  1. Run the mmc.exe utility.
  2. In the File menu, select Add/Remove snap-in.
  3. Select Certificates.
  4. When you are prompted, select Computer Account and then click Next.
  5. Select the local computer account and then finish adding the snap-in.
  6. In the Certificates (local computer) snap-in, expand the tree.
  7. Click to select the Personal folder.
  8. Click the Certificates folder under the Personal folder.
  9. Locate the certificate that is issued to the CA name by the CA name.
  10. Right-click the certificate and select All Tasks / Export
  11. Accept the default settings until you are prompted for a file name.
  12. Provide a path and file name for saving the certificate.
  13. Complete the export process.
  14. Copy the resulting certificate file to the server that hosts the FIM Synchronization Service.
On the FIM Synchronization Service computer
  1. Run the mmc.exe utility.
  2. In the File menu, select Add/Remove snap-in.
  3. Select Certificates.
  4. When you are prompted, select Computer Account and then click Next.
  5. Select the local computer account and then finish adding the snap-in.
  6. In the Certificates (local computer) snap-in, expand the tree.
  7. Click to select the Trusted Certificate Root Authorities folder.
  8. Right-click and on the shortcut menu select All Tasks / Export
  9. Locate where you save the root CA certificate in the previous steps.
  10. Complete the import process.
You are now ready to test the LDAP over SSL connection between the FIM Synchronization Service server and the PDC Emulator domain controller.

Checking the LDAP over SSL connection to the PDC

Install the Remote Domain Admin Tools

  1. Open a cmd.exe prompt by using the Run as administrator option
  2. Type the following command, then press the ENTER key.
    Note A restart may be required.
    ServerManagerCmd –install rsat-adds
    Ldp.exe is now available

Using Ldp.exe to test the LDAP over SSL connection

  1. Start Ldp.exe.
  2. On the File menu, click Connect.
  3. Type the dnsHostName (FQDN) of the domain controller that owns the PDC Emulator role.
  4. Change the Port number to 636.
  5. Click to enable SSL.
  6. Click OK.
On the right side pane of ldp.exe, it should provide rootDSE information for the successful connection.
If you notice that the connection does not occur, please use the following KB article to troubleshoot:
938703  (http://support.microsoft.com/kb/938703/ ) How to troubleshoot LDAP over SSL connection problems
Test the LDAP SSL Connection by using Ldp.exe
Resulting Text in the LDP results window:
Collapse this imageExpand this image
LDP.exe Connect Properties for LDAP over SSL


Notice how the server name in the ldap_sslinit() method matches the dnsHostName that is returned in the rootDSE information. The following certificate screen shot shows the name that the certificate is issued to matches this name as well. It is very important for all of these to match. Otherwise the LDAP connection fails and “schannel” logs an error in the event log.
Output from the right side pane of LDP.exe after you make the connection
DC Certificate for Comparison
Collapse this imageExpand this image
Example Server Certificate for the Domain Controller


Notice that the server certificate is also issued to the same dnsHostName. Having all of these match is very important to make an LDAP SSL connection.

Appendix 2: Frequently Asked Questions

Question Will this work if I install a Windows Server 2008 R2 domain controller as the PDC Emulator in a Windows Server 2003 or Windows Server 2008 domain? Answer Yes. This functionality is enabled by an LDAP control that is hosted on the PDC emulator. As long as that control is found on the PDC emulator, this will work as expected.
Question If I install this update on an existing FIM deployment, will it break the current Self-Service Password Reset configuration?
Answer No. By default, this new functionality is disabled in the Active Directory management agent. The following registry information is used to enable the new functionality.

Registry Key
SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>
Collapse this tableExpand this table
Registry Value NameValuesClassCreated byExplain
ADMAEnforcePasswordPolicydwordHKLMAdmin1- true, everything else is false

Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.

Note:

This setting is only supported on FIM build version 4.0.3561.2 and later versions.

Note:

This is only supported where the domain controller is as follows:
· Windows Server 2008 R2 with KB2386717
· Windows Server 2008 R2 SP1
· Windows Server 2008 with KB2386717

Question What is the change to the WMI MIIS_CSObject.SetPassword method to enable this functionality?
Answer
string SetPassword( [in] string NewPassword,
 [in] bool ForceChangeAtLogon,
 [in] bool UnlockAccount
 [in] bool ValidatePasswordPolicy
);
Parameters



Collapse this imageExpand this image
SetPassword Paramters




Appendix 3: Additional Resources

Current documentation for LDAP over SSL configuration & Troubleshooting

For more information about how to enable LDAP over SSL with a third-party certification authority, click the following article number to view the article in the Microsoft Knowledge Base:
321051  (http://support.microsoft.com/kb/321051/ ) How to enable LDAP over SSL with a third-party certification authority
For more information about how to troubleshoot LDAP over SSL connection problems, click the following article number to view the article in the Microsoft Knowledge Base:
938703  (http://support.microsoft.com/kb/938703/ ) How to troubleshoot LDAP over SSL connection problems
For more information about Windows LDAP over SSL Requirements, visit the following Microsoft website:
Example Code for Establishing a Session over SSL (http://msdn.microsoft.com/en-us/library/aa366105(VS.85).aspx)

Appendix 4: Using LDP.exe to check for the new LDAP Control

  1. Start Ldp.exe.
  2. On the File menu, click Connect.
  3. Type the dnsHostName (FQDN) of the domain controller that owns the PDC Emulator role.
  4. Click OK.
  5. Check the right side pane for the “supportedControls” attribute.
  6. Check the values of supportedControls for the object identifier: "1.2.840.113556.1.4.2066".
On the right side pane of ldp.exe, it should provide rootDSE information for the successful connection.
Back to the top

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates
Back to the top
APPLIES TO
  • Microsoft Forefront Identity Manager 2010
Back to the top
Keywords: 
kbinfo kbsurveynew KB2443871
Back to the top