ScriptLogic Desktop Authority Password Self-Service version 4.7 Administrator Guide

Transcription

1 ScriptLogic Desktop Authority Password Self-Service version 4.7 Administrator Guide

2 Password Self-Service 4.7 Administrator Guide ii 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic Corporation This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Quest Software, Inc. Trademarks Quest, Quest Software, the Quest Software logo, ScriptLogic, ScriptLogic Software, the ScriptLogic Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners. DISCLAIMER The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

3 Password Self-Service 4.7 Administrator Guide iii DOCUMENTATION CONVENTIONS In order to help you get the most out of this guide, we have used specific formatting conventions, which apply to procedures, icons, keystrokes and cross-references. ement nvention ded text Interface elements that appear in ScriptLogic products, such as menus and commands. c text Used for comments. + A plus sign between two keystrokes means that you must press them at the same time. A pipe sign between elements means that you must select the elements in that particular sequence. CONTACTING SCRIPTLOGIC Contact ScriptLogic about any questions, problems or concerns. ScriptLogic Corporation 6000 Broken Sound Parkway NW Boca Raton, Florida Sales and General Inquiries Technical Support Fax SCRIPTLOGIC ON THE WEB ScriptLogic can be found on the web at Our web site offers customers a variety of information: Download product updates, patches and/or evaluation products. Locate product information and technical details. Find out about Product Pricing. Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers. Search Frequently Asked Questions, for the answers to the most common non-technical issues. Participate in Discussion Forums to discuss problems or ideas with other users and ScriptLogic representatives.

4 Password Self-Service 4.7 Administrator Guide iv Contents WELCOME TO SCRIPTLOGIC PASSWORD SELF-SERVICE...1 SCRIPTLOGIC PASSWORD SELF-SERVICE OVERVIEW...1 DIFFERENT SITES FOR DIFFERENT ROLES...2 ADMINISTRATION SITE...3 CHECKLIST: CONFIGURING PASSWORD SELF-SERVICE...3 SPECIFYING GLOBAL SETTINGS...4 Enabling HTTPS...4 Configuring Self-Service Site Settings...4 CONFIGURING ACCESS TO SELF-SERVICE SITE FROM WINDOWS LOGON SCREEN...14 Introducing Secure Password Extension...14 Deploying and Configuring Secure Password Extension...15 Uninstalling Secure Password Extension...24 Troubleshooting Secure Password Extension...25 MANAGING DOMAINS...26 Configuring Permissions to Access a ManagedDomain...26 Adding a Managed Domain...27 Managing Questions and Answers Profiles...28 Configuring Password Policies...31 Configuring Logon Security Options...43 Configuring Registration Notification and Enforcement...44 Delegating Help Desk and Administrative Tasks...48 Configuring Access to Self-Service Site...49 REPORTING...51 Setting Up Reporting Environment...51 Using Reports...52 DIAGNOSTIC LOGGING...56 BEST PRACTICES FOR CONFIGURING REPORTING SERVICES...56 Reporting Services default configuration...57 Reporting Services firewall issues...59 THE PASSWORD SELF-SERVICE DATABASE IN SQL SERVER...59 THE SCHEDULED TASKS IN PASSWORD SELF-SERVICE...60 GLOSSARY...62

5 Password Self-Service 4.7 Administrator Guide 1 Welcome to ScriptLogic Password Self-Service SCRIPTLOGIC PASSWORD SELF-SERVICE OVERVIEW ScriptLogic Password Self-Service is a Web-based application that provides an easy-to-implement and use, yet highly secure, password management solution. Users can connect to Password Self-Service by using their favorite browser and perform password self-management tasks, thus eliminating the need for assistance from high-level administrators and reducing help desk workload. The solution offers a powerful and flexible password policy control mechanism that allows the Password Self-Service administrator to ensure that all passwords in the organization comply with the established policies. Password Self-Service works with Windows domains, including domains operating in mixed mode. The key features and benefits of ScriptLogic Password Self-Service include: Global access. ScriptLogic Password Self-Service provides 24x7x365 access to the Self-Service site from intranet computers as well as via Internet from any most common browser. The solution supports flexible access modes and logon options. Strong data encryption and secure communication. The solution relies on industry-leading technologies for enhanced communication security and data encryption. Web interface for help desk service. Password Self-Service features Help Desk site which allows administrators to delegate help desk tasks to dedicated operators. These tasks include resetting user passwords, managing users' Questions and Answers profiles, and assigning temporary passcodes to users. x64 version of Password Policy Manager. An x64 version of Password Policy Manager module has been designed for use on domain controllers running an x64 Microsoft Windows Server operating system. event notifications. Administrators can configure event notifications which are sent by to designated personnel when specified events occur. Seamless OS integration. ScriptLogic Password Self-Service relies on intrinsic security databases only and is capable of managing domains across trust boundaries (no trust relationship required).

6 Password Self-Service 4.7 Administrator Guide 2 Powerful password policies. ScriptLogic Password Self-Service ensures that only passwords that meet administrator-defined policies are accepted. Unsuccessful authentication attempts are logged and the corresponding accounts are locked if necessary. Granular policy enforcement. Password policies are applied on a pergroup or per OU basis. Questions and Answers authentication mechanism. To reset passwords or unlock accounts, users are prompted to answer a series of questions for which users provide their secret answers when registering with ScriptLogic Password Self-Service. Enhanced user name search options. Users can be allowed to view their account attributes, such as user logon name, first name, display name, and SMTP address, when searching for their forgotten user names. A more specific search query returns the most relevant search results. Fault tolerance and scalability. ScriptLogic Password Self-Service is designed to work with network load balancing clusters and in a Web farm environment. DIFFERENT SITES FOR DIFFERENT ROLES The Web Interface allows multiple Web sites to be installed with individual, customizable configurations. The following is a list of configuration templates that are available out-of-the box. Administration Site is for individuals who are responsible for implementing password self-management through performing administrative tasks, such as configuring site-specific settings and enforcing password policies, to suit the specific needs of their organization. Help Desk Site handles typical tasks performed by Help Desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles. Self-Service Site provides users with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level administrators and reducing helpdesk workload.

7 Password Self-Service 4.7 Administrator Guide 3 Administration Site CHECKLIST: CONFIGURING PASSWORD SELF-SERVICE When you have installed Password Self-Service, follow this checklist to configure the solution to implement automated and secure password management in an Active Directory domain. Step 1. It is strongly recommended that you enable HTTPS on the server where Password Self- Service is installed. 2. Prepare the account under which Password Self-Service will access the managed domain. 3. Register the managed domain with Password Self-Service. 4. Create language-specific question lists, and configure the Questions and Answers Policy if required. 5. If you want to provide access to the Self- Service site from the Windows logon screen, install the Secure Password Extension. 6. Configure settings that apply to all domains managed with Password Self-Service (such as site-specific defaults, notification settings, and profile update policy). 7. Grant the access permissions for the Help Desk site to help desk operators. You can also delegate access for the Administrative site to trusted Password Self-Service administrators. 8. Ensure that the screen resolution on client-side computers used to access the Web sites of Password Self-Service is set to a minimum of 800x600 pixels. The recommended screen resolution is 1024x768 pixels. 9. Ensure that all Password Self-Service users have JavaScript enabled in Microsoft Internet Explorer settings. 10. Ensure that the users know the Self-Service site URL and can access the site to register and perform password self-management tasks. 11. If required, configure options for user registration notification and enforcement by specifying a registration schedule and enabling registration notification. Reference See Enabling HTTPS See Configuring Permissions to Access a ManagedDomain See Adding a Managed Domain See Managing Questions and Answers Profiles See Configuring Access to Self-Service Site See Specifying Global Settings See Delegating Help Desk and Administrative Tasks See Configuring Access to Self-Service Site See Configuring Registration Notification and Enforcement

8 Password Self-Service 4.7 Administrator Guide 4 Step 12. To allow users access the Self-Service site, explicitly specify the groups which are granted access to the Self-Service site. By default, no managed domain user can access the Self- Service site. 13. If you want to use Password Self-Service to enforce password policies, you first install Password Policy Manager (PPM) on all domain controllers in the domain. Then, create password policies and configure password policy rules. Reference See Installing Password Policy Manager See Creating and Configuring a Password Policy See Configuring Password Policy Rules SPECIFYING GLOBAL SETTINGS This section outlines the procedures required to configure site-specific settings that affect users and helpdesk operators in all domains registered with Password Self-Service. Enabling HTTPS We strongly recommend that you use HTTPS with ScriptLogic Password Self- Service. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web. To enable HTTPS for your Web server you may need to obtain a Server Certificate. For step-by-step instructions on how to configure a Web server for SSL in order to support HTTPS connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at Configuring Self-Service Site Settings You can customize the behavior of the Self-Service site by specifying what password management tasks are allowed to users and configuring user notification. Configuring Security Settings By configuring the security settings, you define whether you want to let users do the following: Hide their security answers on the screen. See the domain name on the Self-Service site pages. See which of the personal questions users have answered incorrectly when authenticating.

9 Password Self-Service 4.7 Administrator Guide 5 To configure security settings for the Self-Service site 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the menu bar, click Settings, and then click the Self-Service Site tab. 3. Under Security settings, configure the following options as required: Option Hide users answers by default Allow users to hide their answers Prevent users from seeing whether questions are answered correctly Hide tools not available for user Use a security CAPTCHA image to prevent bot attacks Domain display options Users must agree that Password Self-Service will store their personal information Select this check box to have Password Self-Service display users' security answers as asterisks while they are typing in their answers. Select this check box to allow users to hide their answers on the screen, so that answer entry fields will look like a series of asterisks. Select this check box to prevent users from seeing to which of their private questions they have provided incorrect answers when performing password self-management tasks using the Self-Service site. Select this check box to prevent users from seeing the tools which are not available for them. Select this check box to have the Self-Service site display a picture with characters and require the user to enter the characters on the picture. This feature provides enhanced protection against automated attacks. Use this section to specify whether Self-Service Site should show the managed domain name to the user. If you select the Show domain list option, the Self-Service site user will be able to see the list of the managed domains registered with Password Self-Service. Select the Hide domain list option to prevent users from seeing the list of domains. Depending on the legislation requirements, organizations may be required to explicitly obtain users consent to store their personal information which is available in Question and Answers profile. Select this check box to have the Self-Service site ask users to agree that Password Self-Service will store their personal information. 4. Click Save. Configuring Allowed Self-Service Site Tasks You can granularly configure the set of the tasks available for the Password Self-Service end-users on the Self-Service site. To configure the tasks available for the Self-Service site users: 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the menu bar, click Settings, and then click the Self-Service Site tab.

10 Password Self-Service 4.7 Administrator Guide 6 3. Click Allowed self-service tasks to expand this section, and then configure the following options as required: Option Allow users to register with Password Self-Service Allow users to unlock their accounts Allow users to reset their passwords Allow users to change their passwords Allow users to change Q&A profile Allow users to change their alert settings Allow users to use passcode Select this check box to allow users to register with Password Self-Service by using the Self-Service site. Select this check box to allow users to unlock their domain accounts by using the Self-Service site. Select this check box to allow users to reset passwords for their domain accounts by using the Self-Service site. Select this check box to allow users to manage passwords for their accounts in managed domains, and in connected data sources, by using the Self-Service site. Select this check box to allow users to manage Questions and Answers profiles for their accounts in managed domains by using the Self-Service site. Select this check box to allow users to specify events upon which they want to receive alerts. Select this check box to allow users to use passcode for creating Questions and Answers profile. 4. Click Save. Configuring Account Search Options To configure account search options: 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the menu bar, click Settings, and then click the Self-Service Site tab. 3. Click Account search options to expand this section, and then configure the following options as required: Event Allow users to locate their accounts User properties to display in search results Select the checkbox to allow users to perform account search by using the Locate Account functionality of the Self-Service site. By selecting this option, you can specify the number of user accounts that are displayed in search results. To do this, specify the required number in the "Number of users to display in search results in the Locate Account page" field. Select check boxes next to the user account attributes that you want users to view in search results. You can select any of the following attributes: First name Initials Last name Display name Name Full name User logon name 4. Click Save.

11 Password Self-Service 4.7 Administrator Guide 7 Configuring User Notification You can configure a list of events upon which you want all registered users to receive notifications. For each of the events below, you can specify whether users may decide for themselves if they want to receive a specific notification of not. User's Q&A profile is updated User's Alert settings are updated User's account is unlocked User's password is reset User's password is changed User's Q&A profile requires update User's Q&A profile is locked User's password is expired To configure user notification 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. Ensure that you have configured the outgoing mail server settings. To specify the SMTP server settings, use the procedure outlined in Configuring Outgoing Mail Servers Settings. 3. On the menu bar, click Settings, and then click the Self-Service Site tab. 4. Click User notification settings to expand this area. 5. Specify events upon which you want users to receive notifications, and whether you want users to be able to change your settings for each of the events, by doing the following: a. Click the link next to a notification event, and then select one of the following options: Option Disabled. Users can change this setting. Enabled. Users can change this setting. Permanently disabled. Permanently enabled. Select this option to disable user notification for the relevant event while allowing users to override this setting on a peruser basis. Select this option to have users notified about the relevant event, and allow to override this setting on a per-user basis. Select this option to disable user notification for the relevant event, and prevent users from changing this setting. Select this option to enable user notification for the relevant event, and prevent users from changing this setting.

12 Password Self-Service 4.7 Administrator Guide 8 b. Under Days to notify a user before their password expires, optionally set the number of days during which you want users to receive password expiration notifications, before their passwords expire. 6. Click Save. Note: If you enable the password expiration notification, then Password Self-Service will send password expiration notifications only to those users from all managed domains, who have registered with Password Self- Service by creating their personal Questions and Answers profiles. Configuring Help Desk Site Settings You can define what password management tasks the help desk operators are allowed or required to perform. The settings described in this section are applied throughout all Active Directory domains managed by Password Self- Service. To specify settings for the Help Desk site 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the menu bar, click Settings, and then select the Help Desk Site tab. 3. In the Allow helpdesk operators to section, configure the following options as required: Option verify user identity assign passcodes reset user passwords Select this option to allow helpdesk operators to verify user identity by using the Help Desk site. Select Yes to allow helpdesk operators to assign temporary passcodes for users who forgot their passwords while not being registered with Password Self-Service. Then, below this option you can specify the Passcode lifetime in minutes value, i.e. the period within which the passcode is valid. Select this option to allow helpdesk operators to reset user passwords by using the Help Desk site. Select the only after user identity verification option to force helpdesk operators to check user identity before resetting user s password. unlock user accounts require users to update their Q&A profiles Passcode lifetime, in minutes unlock users' Q&A profiles Select this option to allow helpdesk operators to unlock user accounts by using the Help Desk site. Select the only after user identity verification option to force helpdesk operators to check user identity before unlocking user account. Select this option to allow helpdesk operators to invalidate users' Questions and Answers profiles and to set a deadline for a user to update their Q&A profile. Specify how long a passcode issued by helpdesk operators to users is valid for users to create their Questions and Answers profile. Select this option to allow helpdesk operators to unlock users' Question and Answers profiles that are locked as a result of a sequence of failed attempts to provide the correct answers.

13 Password Self-Service 4.7 Administrator Guide 9 4. Configure the following options as required: Option Helpdesk operators must verify user identity by Allow helpdesk operators to require users to change their passwords at next logon Defines that helpdesk operators must verify a user's identity before resetting the user's password, or unlocking their account. To configure this option, select how you want operators to authenticate users: Answer to randomly selected mandatory question (user s answer is hidden). In this mode, the operator will ask a user for their complete answer to one of the mandatory questions specified in the user's Q&A profile. Answer to authentication question (user s answer is hidden). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and enter the answers on the identity verification page. Answer to authentication question (user s answer is visible). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and then compare them to the answers displayed on the identity verification page. Random characters of an answer to authentication question. In this mode, the operator will ask a user to tell the specified number of characters in the user's answers to the Help Desk authentication questions, and then type in those characters in the appropriate positions on the identity verification page. Select this option to allow helpdesk operators to force users to change their passwords at next logon. 5. Click Save. Configuring Outgoing Mail Servers Settings You can configure one or more outgoing mail servers. If there are several servers, Password Self-Service will first attempt to use the top one in the list. To add outgoing mail servers (SMTP) 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the menu bar, click Settings, and then click the Notifications tab. 3. Select the Enable notifications option. 4. In the Mail Servers area, click Add.

14 Password Self-Service 4.7 Administrator Guide On the Add SMTP Server page, configure the following options: Option Server name Sender address This server requires authentication User Name Password Confirm password The server requires an encrypted connection (SSL) Type the SMTP server name. If the SMTP server uses the port which is different from the default SMTP port 25, you may specify the port using the following format: <server name>:<port number>where <server name> is the server name and <port number> is the port number used for SMTP communication. Type the sender's user name. Select if the SMTP server requires authentication. Type the user name under which Password Self-Service will access the SMTP server. Type the password for this account. Re-type the password. Select if the SMTP server requires an encrypted connection (SSL). 6. Click Add. 7. Follow steps 4-5 to add any additional SMTP servers. 8. Use the Move Up and Move Down buttons to change the order of the SMTP servers in the list. The order of the servers in the list specifies how Password Self-Service uses the servers to send notification mail messages. Password Self- Service will first attempt to use the servers at the top of the list. To remove a server from the list of outgoing SMTP mail servers 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the menu bar, click Settings, and then click the Notifications tab. 3. In the Mail Servers area select one o more SMTP servers to delete and click Remove. Configuring Alerts and Recipients You can configure Password Self-Service to send alert notifications to the specified administrators when the following actions are completed successfully or fail: Users change their Questions and Answers profiles Users unlock their accounts Users reset their passwords Users change their passwords Users' Questions and Answers profiles are locked Users change their personal alert settings

15 Password Self-Service 4.7 Administrator Guide 11 To specify alerts and recipients 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. Ensure that you have configured the outgoing mail (SMTP) server settings. 3. You can configure the SMTP server settings by using the procedure outlined in Configuring Outgoing Mail Servers Settings. 4. On the menu bar, click Settings, and then click the Notifications tab. 5. In the Recipients section, click Add and specify the address of the administrator you want to receive notifications. 6. Verify the changes you have made by selecting one o more recipients and sending a test message. 7. In the Events section, configure the following options: Option Q&A Profile created Q&A Profile changed Account unlocked Password reset Password changed Q&A profile locked Preferred language Select to notify when a user has created and/or failed to create their personal alert settings. Select to notify when a user has changed and/or failed to change their personal alert settings. Select to send notifications when a user has unlocked and/or failed to unlock their account. Select to send alerts when a user has reset and/or failed to reset their password. Select to send alerts when a user has changed and/or failed to change their password. Select to send alerts when a users' Question and Answers profile has become locked and/or has failed to lock. Select and then choose your preferred language for notifications from the drop-down list below. 8. Click Save. Customizing Templates for the Notifications Distributed by Password Self-Service You can customize the notification messages distributed by Password Self-Service to meet specific requirements in your organization. The notifications are sent either in plain text or as HTML. If you select the HTML, you can enhance the notifications by using HTML tags to add custom text formatting, hyperlinks, etc. To modify the notifications: 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the menu bar, click Settings, and then select the Templates tab.

16 Password Self-Service 4.7 Administrator Guide In the Select language drop-down box, select the language for which you want to customize the notification templates. 4. In the Events column, click the event group you want to customize. 5. In the Template column edit the subject and the body of notification templates as required. When editing the notification templates, you can use the following parameters in the notification templates: Parameter %1 DNS domain name for managed domain. %2 User name (samacountname). %3 Error message. %4 Error code (HResult). %5 Reserved for internal use. %6 User IP address. %7 Current date in a user readable form. %8 Number of days until the deadline. %9 User display name. %10 User name of the Help Desk operator in the following format: <domain name>\<user name>. 6. In the Message format box, select the format to use for the notifications. You can select from two options either HTML or Plain Text. If you select HTML as the message format, you can add HTML markup tags to the templates to customize the notifications. 7. Click Save. Selecting the Languages for Invitation Notification You can specify one or more languages to use in the messages which invite users to register with Password Self-Service. If you select multiple languages, the invitation message will include several copies of the invitation one copy for each of the selected languages. To select the language(s) to use in invitation notification: 1. Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is 2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain for which you want to create the language list, and then click the General tab. 3. On the General tab, in the User registration schedule section, click Specify notification language(s). 4. On the List of Languages for Invitation Notification page click Add. 5. In the Add Language(s) window, select one or more languages to use in the invitation notification message and click Add.

17 Password Self-Service 4.7 Administrator Guide By clicking the Move Up and Move Down buttons specify the order of the languages in the invitation message. The first language in the list will be used for the message subject. 7. Click Save. Configuring Profile Update Policy You can specify when users must update their Q&A profiles. For example, you can require users to update their Q&A profiles, if the question list has been changed. The policy affects all users managed by the Password Self-Service instance. To configure profile update policy 1. On the menu bar, click Settings, and then click the Profile Update Policy tab. 2. Configure the following options: Option Question list or Q&A policy has changed since Q&A profile creation The question user answered to register was modified or deleted User's Q&A profile contains fewer questions than required for registration User's Q&A profile contains fewer questions than required for password reset User's Q&A profile contains fewer questions than required for unlocking account User s answers are shorter than required User-defined questions are shorter than required User has specified the same answer for several questions User specified an answer which is a part of the corresponding question Select to have users update their Q&A profiles if the question list or the Q&A policy was modified, provided that users had already created or updated their Questions and Answers profile. Select to have users update their Q&A profiles if one or more questions which users answered to register was modified or deleted. Select to have users update their Q&A profiles if you have added one or more questions required for registration, thus making the list of such questions list longer than it was before users profiles were last updated. Select to have users update their Q&A profiles if you have added one or more questions required to reset password, thus making the list of such questions longer than it was before the users profiles were last updated. Select to have users update their Q&A profiles if you have added one or more questions required to unlock account, thus making the list of such questions longer than it was before users profiles were last updated. Select to have users update their Q&A profiles if any of users' answers contain fewer characters than the current settings require. Select to have users update their Q&A profiles if any of the user-defined questions contain fewer characters than the current settings require. Select to have users update their Q&A profiles if they contain the same answer for different questions if the current settings specify the opposite. Select to have users update their Q&A profiles if they contain answers that are parts of the corresponding question if the current settings specify the opposite. Enabling this option will affect only those users whose answers are stored using reversible encryption.

18 Password Self-Service 4.7 Administrator Guide 14 Option User's answers are stored using reversible encryption Question list was made unavailable to users since Q&A profile creation Select to have users update their Q&A profiles if users answers are stored without reversible encryption if the current settings specify the opposite. Select to have users update their Q&A profiles if a question list which they used when registering was made unavailable to users. 3. Click Save. Users, whose Q&A profiles were marked as noncompliant, still can use their profiles to reset passwords and unlock accounts, but they will start receiving alerts saying that Q&A profiles must be updated according to the current password management settings. CONFIGURING ACCESS TO SELF-SERVICE SITE FROM WINDOWS LOGON SCREEN It is very common for business users to forget their password and be unable to log on to the system. Password Self-Service allows users to securely and conveniently reset their forgotten network passwords, or manage their passwords in multiple enterprise systems, before even logging on to the system. To enable user s access to the Self-Service site from the Windows logon screen, Password Self-Service implements Secure Password Extension. Introducing Secure Password Extension The ScriptLogic Secure Password Extension is an application that provides one-click access to the complete functionality of the Self-Service site from the Windows logon screen. The Secure Password Extension also provides dialog boxes displayed on end-user computers, these dialog boxes notify users who must create or update their Questions and Answers profiles with Password Self-Service. The Secure Password Extension is included on the installation CD and is deployed through Group Policy. For information on how to deploy and configure the Secure Password Extension on end-user workstations in the managed domain, see Deploying and Configuring Secure Password Extension. The Secure Password Extension supports the authentication model in Windows Vista and Windows 7, and has been tested for compatibility with GINAs (Graphical Identification and Authentication DLLs) of the following systems: Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows 2003 Novell Client 4.9 for Windows NT/2000/XP and Windows 95/98 Identix BioLogon 3 IBM ThinkVantage Access Connections 3.81 Citrix MetaFrame Presentation Server 4.0 HP ProtectTools

19 Password Self-Service 4.7 Administrator Guide 15 In pre-windows Vista operating systems, such as Microsoft Windows 2000 or XP, the Secure Password Extension uses the GINA-based authentication model, and adds the Forgot My Password and the Manage My Password buttons on the Windows logon screen. On workstations running Microsoft Windows 7, the Secure Password Extension adds the Forgot My Password link to the Windows logon screen. By clicking these buttons and the link, users open the Self-Service site. When running under Microsoft Windows Vista, the behavior of Secure Password Extension is considerably different as compared to pre-windows Vista operating systems. The Secure Password Extension functionality is also subject to several limitations: You cannot enforce user registration by using the Secure Password Extension. For more information, see Configuring Registration Notification and Enforcement. You can access the Self-Service site only after you click the Switch User button on the Windows Vista Welcome screen. When users connect to the Self-Service site from the Windows logon screen, anonymous access is enabled and the functionality of Microsoft Internet Explorer is restricted, thereby preventing the actions that may pose a security threat. Once users open the Self-Service site home page from the Windows logon screen, they cannot access any other Web site, or open a new browser window or a context menu. Deploying and Configuring Secure Password Extension This section describes the prerequisites and steps for deploying and configuring ScriptLogic Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers. The Secure Password Extension also provides dialog boxes displayed on end-user computers, these dialog boxes notify users who must create or update their Questions and Answers profiles with Password Self-Service. The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension for installing on the destination computers. The Secure Password Extension is then installed on computers on which the GPO applies. Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD: ScriptLogic Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre-windows Vista, Windows Vista, and Windows 7 operating systems. ScriptLogic Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7.

20 Password Self-Service 4.7 Administrator Guide 16 You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy. The prm_gina.adm administrative template file is located in the \Password Self-Service\Setup\Administrative Template\ folder of the installation CD. Before using the file, copy it from the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller. Follow the steps below to configure and deploy the Secure Password Extension on end-user computers. To deploy and configure the Secure Password Extension 1. Copy the required installation package (Secure Password Extension x86.msi or Secure Password Extension x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install the Secure Password Extension. The MSI packages are located in the \ Password Self-Service\Setup\ folder of the installation CD. 2. Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension. 3. Open the GPO in the Group Policy Object Editor, and then do the following: a. Expand Computer Configuration/Software Settings, right-click Software installation, and then select New Package. b. Browse for the MSI package you have copied in step 2, and then click Open. c. In the Deploy Software window, select a deployment method and click OK. d. Verify and configure the properties of the installation, if needed. 4. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy. Self-Service Site Location and Service Connection Points To enable users open the Self-Service site by clicking the Forgot My Password or the Manage My Password links on the Windows logon screen, you do not need to configure the URL path that points to a specific server where the Self-Service site is deployed because Secure Password Extension automatically locates the nearest Self-Service site. Secure Password Extension locates the Self-Service site using service connection points mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, Secure Password Extension uses the service connection points published by Password Self-Service instances in Active Directory.

21 Password Self-Service 4.7 Administrator Guide 17 When an instance of Password Self-Service is installed, Password Self-Service publishes its service connection points in Active Directory. Password Self- Service regularly updates its service connection points using the ScriptLogic Password Self-Service Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Self-Service instance. Password Self-Service Realm Affinity In some instances, you may want Secure Password Extension to contact only specific Password Self-Service instances when locating Self-Service site. You can force Secure Password Extension to use only Password Self-Service instances that belong to specific Password Self-Service realm. Password Self-Service realm is one or more Password Self-Service instances sharing common configuration and the same encryption key. Normally, you add a member to a Password Self-Service realm by installing a new Password Self-Service instance using the A replica of an existing instance option. To force Secure Password Extension to use only Password Self-Service from a specific realm, you must set the Secure Password Extension affinity for that realm. To set Secure Password Extension affinity for a Password Self-Service realm: 1. Open the Administration site of the Password Self-Service instance that belongs to the target realm. 2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain to which belongs the computer running the Secure Password Extension instance you want to bind. 3. On the General tab, select the contents of the Password Self-Service Realm Affinity ID box, right-click the selection and select Copy. 4. Open Administrative Tools (located at Start Menu Settings Control Panel). 5. Open Active Directory Users and Computers. 6. Right-click the managed domain name on the left pane and select Properties. 7. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit. 8. Expand Default Domain Policy Computer Configuration on the Group Policy Object Editor left pane, then right click Administrative Templates node, and select Add /Remove Templates. 9. Click Add, browse for the prm_gina.adm file, select it, and then click Open. 10. Click Close to close the Add/Remove Templates dialog box. 11. Select Administrative Templates node, and then double-click the ScriptLogic Password Self-Service template on the right pane.

22 Password Self-Service 4.7 Administrator Guide Click Generic Settings in the left pane. 13. In the right pane, double-click Password Self-Service Realm Affinity. 14. Select the Enabled option on the Settings tab, and then right-click the Realm Affinity ID text box and select Paste. 15. Click OK. 16. Apply the updated policy to the computers in the managed domain. Note: Application of the updated policy to the computers in the managed domain may take some time to complete. Overriding Automatic Self-Site Location In some instances, you may not want Secure Password Extension to automatically locate the nearest Self-Service site using the Password Self- Service connection points published in Active Directory. If you need to override the default behavior and force a Secure Password Extension to use specific Self-Service site, you must explicitly manually specify the URL path and override the default behavior of Secure Password extension by following the steps below. To override automatic Self-Service site location: 1. Open Administrative Tools (located at Start Menu Settings Control Panel). 2. Open Active Directory Users and Computers. 3. Right-click the managed domain name on the left pane and select Properties. 4. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit. 5. Expand Default Domain Policy Computer Configuration on the Group Policy Object Editor left pane, then right click Administrative Templates node, and select Add / Remove Templates. 6. Click Add, browse for the prm_gina.adm file, select it, and then click Open. 7. Click Close to close the Add/Remove Templates dialog box. 8. Select Administrative Templates node, then double-click ScriptLogic Password Self-Service template on the right pane. 9. Double-click Generic Settings. 10. Double-click Specify URL to the Self-Service site. 11. Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY_NAME is a virtual directory name that was configured during ScriptLogic Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute with if you don t use HTTPS.

23 Password Self-Service 4.7 Administrator Guide 19 Note: It is strongly recommended that you enable HTTPS on the Password Self-Service server. 12. Click OK. 13. Double-click Override URL path to Self-Service site. 14. Select the Enabled option on the Settings tab. 15. Click OK. 16. Apply the updated policy to the computers in the managed domain. Note: Please note that application of the updated policy to the computers in the managed domain may take some time to complete. Customizing the Logo for Secure Password Extension For pre-windows Vista operating systems, you can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. The image must be a 417-by-58-pixel.bmp file. To deploy a custom logo for Secure Password Extension on end-user computers 1. Create a startup script to deploy your logo image. See a sample script below this procedure. 2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run. 3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template. 4. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Password Self-Service. 5. Under ScriptLogic Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialogue background image policy setting by specifying a local path to the logo image file on end-user computers. The local path you specify in these policy settings must be the same as in the startup script specified later in this section. 6. Expand Computer configuration/windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane. 7. In the Startup Properties window, click Add, then browse for the script file you have created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window. 8. Click OK.