Password Reset for Remote Users




Courion provides a component for the PasswordCourier Password Provisioning System that manages the local password cache in conjunction with self-service password reset activities. The solution provides a seamless experience for the end user, whether they are a user who is connected to the corporate network or a remote user.

Table of Contents

1. Introduction
2. Local Password Cache
2.1 Accessing Network Resources
2.2 Logon When Domain Is Unavailable (Remote User)
3. Deployment Challenges
3.1 Web-Based Self-Service Change
3.2 Remote User Self-Service Reset
4. How Does It Work
5. Deploying PasswordCourier
5.1 Web-Based Self-Service Change
5.2 Remote User Self-Service Reset
5.2.1 Desktop Deployment Steps
5.2.2 Remote User Experience
5.3 Distribution Method
6. Training and Adoption
About Courion

Table of Figures

Figure 1 - Updating the Local Password Cache
Figure 2 - Kiosk Account
Figure 3 - ProfileList Registry Key
Figure 4 - Kiosk Account Profile Information
Figure 5 - Change the Shell

1. Introduction

Courion provides a component for the PasswordCourier Password Provisioning System that manages the local password cache in conjunction with self-service password reset activities. The solution provides a seamless experience for the end user, whether they are a user who is connected to the corporate network or a remote user.

The local desktop password cache in Microsoft Windows is used to streamline the logon process and the use of credentials on the desktop. For a smooth end user experience, interaction with the local password cache must be considered when deploying PasswordCourier. The most seamless end user experiences with password management incorporate elements that manage the local password cache. Several password reset deployment scenarios with local cache considerations are discussed in this document.

2. Local Password Cache

The local password cache in Windows simplifies the end user experience for network access and network logon. The cache itself resides on each Windows system where users log on interactively. By default the last 10 logons are cached and stored in a protected area of the Windows registry and in process memory. The Windows operating system manages the local password cache. For example:

- an interactive logon adds a cache entry
- an end user password change initiated with ctrl-alt-del updates the password cache

2.1 Accessing Network Resources

When access to a network resource is requested by a user, the credentials (username and password pair) are retrieved from the cache (if they are stored) and provided to the resource. This removes the need to interactively prompt the user for their credentials each time a network resource is requested.

2.2 Logon When Domain Is Unavailable (Remote User)

Users may be authenticated against the cached credentials rather than the Windows domain. This is most useful when the user is remote and network connectivity to the domain has not been established, or when the domain is unavailable. Logon verifies the username/password pair against the cached credentials, logs the user on, and grants them access to the Windows desktop for their domain account.

3. Deployment Challenges

PasswordCourier administrators must consider how password management operations interact with the local password cache in a deployment.

3.1 Web-Based Self-Service Change

Password changes initiated with the PasswordCourier Web Access Option need to interact with the local password cache when the Windows account is logged on. Without proper management of the cache, old credentials that are resident in the cache are presented when a network resource is accessed. Because the credentials are old (invalid), authentication fails, and the account may become locked out with repeated access attempts.
For example:

- Chris Smith is logged into the domain CORPDOMAIN using account csmith with password abcd1234.
- Chris initiates a synchronized password change in PasswordCourier using the web access option: Chris changes the password for CORPDOMAIN\csmith to wxyz7890. The password change for CORPDOMAIN (and other targets) succeeds.
- At this point the domain password and the cache password are out of sync:
  - The password in CORPDOMAIN is wxyz7890.
  - The password in the desktop local cache is abcd1234.
- Chris launches Microsoft Outlook:
  - Microsoft Outlook presents the old cached credentials to the Exchange Server.
  - The authentication fails, and the invalid logon attempt count is incremented.
  - This process repeats until the csmith account is locked out.

3.2 Remote User Self-Service Reset

Remote users typically log on and authenticate against credentials in the local password cache to gain access to their desktop. Then they establish VPN connectivity to the domain and network resources. In this scenario, the Windows domain is not available prior to logon. If the user forgets the password (as stored in the local password cache), they cannot log on and cannot get to a desktop. Hence they cannot access an automated solution. They have a few options:

- The user may log on using a different local account.
- The user may log on with a different domain account that is cached.
- The user may wait until the system is connected directly to the corporate network (may work for laptops but not for remote offices).
- Self-service reset may be initiated on the telephone. Telephone-based solutions, however, reset the password in the Windows domain but do not update the password stored in the local cache.

4. How Does It Work

Courion provides an ActiveX control (CourLocalControl) that manages the local password cache during a password reset action. The control is incorporated into the Web Access Option for PasswordCourier. After a successful reset, the CourLocalControl is loaded in the web browser that is running on the user's desktop. The control uses a Windows API call to communicate with the Windows domain where the reset occurred and update the local password cache.

NOTE: the CourLocalControl requires network connectivity to the Windows domain controller, whether through a VPN connection or through a hard-wired connection. Also, the web browser security settings must allow the CourLocalControl (ActiveX) to execute.

The following scenario illustrates the use of the Web Access Option.

Figure 1 - Updating the Local Password Cache

5. Deploying PasswordCourier

5.1 Web-Based Self-Service Change

This scenario is easily solved. As described in the previous section, the CourLocalControl is used with the PasswordCourier Web Access Option to update the local credential cache on the desktop where the web browser is running.

- The user is already logged on.
- A successful web-based reset is executed on the Windows domain account.
- CourLocalControl updates the cache on the desktop where the browser is running, for the domain account.
- The user continues their day-to-day activities without interruption of service.

5.2 Remote User Self-Service Reset

Remote users in need of a local cache reset face a unique challenge: they do not have access to the Windows domain controller. A kiosk approach is used to address this problem.

- Log in with a local account (kiosk account) that has limited access.
- Network connectivity to the domain controller is established (required by the CourLocalControl).
- The Internet Explorer browser is started in kiosk mode and launches PasswordCourier.
- CourLocalControl is used in the same fashion to update the local password cache.

5.2.1 Desktop Deployment Steps

Configuration steps are needed on each system that supports password reset for remote, disconnected users. Successful adoption requires that employees be aware of the solution and trained on how to use it. This is discussed further in the next section of this document.

1. Create a local account on the desktop system with limited privileges (least privilege).
2. Set the properties on the account so the user cannot change the password and the password does not expire. Your security policy determines whether a password is required.

Figure 2 - Kiosk Account

3. Determine the security identifier (SID) of the kiosk account. Log in as the kiosk user, in this example courionreset. Use the registry editor to find the SID of the kiosk account. View HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

Figure 3 - ProfileList Registry Key

4. Browse the SIDs, and use the data in the right pane to find the kiosk account.

Figure 4 - Kiosk Account Profile Information

5. Configure the kiosk account to launch a web browser in kiosk mode immediately after successful logon, making only the PasswordCourier web pages available. Use the registry editor to open the SID for the kiosk account under HKEY_USERS:

   HKEY_USERS\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

   Create a new string value under the SID named Shell. Add a value for Shell that starts Internet Explorer in kiosk mode and loads an initial web page for PasswordCourier:

   "C:\Program Files\Internet Explorer\iexplore.exe" -k https://<<url>>

   NOTE: double quotes are required because of spaces in the pathname.

Figure 5 - Change the Shell

6. Define a login script that establishes network connectivity to the domain controller. Typically it will create a VPN connection.
7. Verify that execution of the CourLocalControl ActiveX control is allowed.
8. Test the kiosk account with PasswordCourier.

5.2.2 Remote User Experience

The remote user community must be trained to follow these steps to initiate a reset of their cached password. In this scenario, Chris Smith (our employee) is traveling with a laptop and has forgotten the cached password. Chris is connected to the Internet from a hotel.

1. User Chris Smith (csmith) attempts to log in with the CORPDOMAIN\csmith account, but has forgotten the password, or the password is not contained in the local cache.
2. Chris cannot access the Windows desktop, and does not have access to the browser.

3. Chris could initiate a reset over the telephone, but this reset does not update the cache on the laptop in the hotel room (i.e., no connectivity to corporate resources).
4. Chris logs in with a local account named MYLAPTOP\reset. No password is needed.
   a. The account logs in.
   b. A script is run to silently establish a VPN connection.
   c. The browser is launched, pointing to the PasswordCourier web pages.
5. Chris authenticates and selects the corporate domain, CORPDOMAIN, for reset.
6. Upon a successful reset, the CourLocalControl is downloaded and updates the laptop's local password cache with the new password.
7. Chris uses ctrl-alt-del to log out.
   a. An alternate approach automatically logs out after the reset status is shown in PasswordCourier.
8. Chris logs in again with CORPDOMAIN\csmith and the new password.
   a. Login is successful because the cache has been updated.
9. Chris proceeds with normal activities such as launching the VPN, starting Outlook and accessing network drives.

5.3 Distribution Method

Windows XP users will require "Enable Automatic prompting for ActiveX controls" to be set in the security options for Internet Explorer to download the control. If this is not enabled, the download message bar from Microsoft forces a page refresh to download the control.

Recommended distribution methods:

1. Distribute the control via Active Directory policy.
2. Distribute the control with Direct! via a silent installation.

A script which distributes the control must contain the following:

   copy CourLocalControl.dll to system32
   copy CourLocalMsg.dll to system32
   regsvr32 /s CourLocalControl.dll

Windows 2000 users require the 'act as part of the OS' Group Policy setting.

6. Training and Adoption

Successful adoption of an automated solution requires that employees be aware of the solution and trained on how to use it. It is not sufficient to deploy the solution. The most benefit and ROI is achieved when the solution is widely used and expensive calls to the support center are avoided.

Courion's Self-Service Attainment (SSA) Program provides a comprehensive set of guidelines, concrete actions and professional support to accelerate end user adoption of your self-service applications. Typically SSA (promotion, education and training) targets both the users of the self-service solution and the support staff employees who typically work with the end user community.
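The kiosk account setup from section 5.2.1, as an added PowerShell example that is not part of Courion's document: it creates the least-privilege account, finds its SID through the ProfileList key, and writes the per-user Winlogon Shell value that starts Internet Explorer in kiosk mode. The account name courionreset and the https://<<url>> placeholder are the document's own; the LocalAccounts cmdlets and loading the user hive with reg.exe are assumptions that need Windows 10 / Server 2016 or later rather than the XP-era systems the document targets.

```powershell
#Requires -RunAsAdministrator
# Added example, not Courion's code: steps 1-5 and the read-back part of step 8 of section 5.2.1.
# Assumptions: LocalAccounts module present (Windows 10 / Server 2016+), the kiosk user has
# logged on once so its profile exists, and $KioskUrl is replaced with the real
# PasswordCourier address (the document only shows the placeholder <<url>>).
$KioskUser = 'courionreset'          # name used in the document's example
$KioskUrl  = 'https://<<url>>'       # placeholder, replace before use

# Steps 1-2: least-privilege local account; cannot change its password, password never expires.
# Whether a password is required is your policy decision; -NoPassword matches the document's scenario.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskUser -NoPassword -UserMayNotChangePassword | Out-Null
}
Set-LocalUser -Name $KioskUser -PasswordNeverExpires $true
# Check: a kiosk account that is a local administrator defeats the purpose of the kiosk.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -match "\\$KioskUser$") { throw "$KioskUser is in Administrators; remove it first." }

# Steps 3-4: the account SID, cross-checked against the ProfileList key the document points at.
$sid        = (Get-LocalUser -Name $KioskUser).SID.Value
$profileKey = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
if (-not (Test-Path $profileKey)) {
    throw "No profile for $KioskUser ($sid): log on as the kiosk user once, then rerun."
}
$profilePath = (Get-ItemProperty -Path $profileKey).ProfileImagePath

# Step 5: per-user Shell value = Internet Explorer in kiosk mode (-k) opening PasswordCourier.
# The quotes around the executable path are required because of the spaces.
$shell = '"C:\Program Files\Internet Explorer\iexplore.exe" -k ' + $KioskUrl
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hiveLoaded = $false
if (-not (Test-Path "HKU:\$sid")) {
    # Kiosk user is not logged on, so its hive is not mounted: load NTUSER.DAT under the SID.
    & reg.exe load "HKU\$sid" (Join-Path $profilePath 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load the hive for $sid." }
    $hiveLoaded = $true
}
try {
    $winlogon = "HKU:\$sid\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (-not (Test-Path $winlogon)) { New-Item -Path $winlogon -Force | Out-Null }
    New-ItemProperty -Path $winlogon -Name 'Shell' -PropertyType String -Value $shell -Force | Out-Null
    # Step 8 (read-back only): confirm the value before testing a real kiosk logon.
    $applied = (Get-ItemProperty -Path $winlogon -Name 'Shell').Shell
    if ($applied -ne $shell) { throw 'Shell value was not applied.' }
    "Kiosk shell for $KioskUser ($sid): $applied"
}
finally {
    if ($hiveLoaded) {
        [gc]::Collect()                  # release registry handles before unloading
        & reg.exe unload "HKU\$sid" | Out-Null
    }
}
```

Steps 6 and 7 (the VPN login script and the ActiveX permission check) depend on your VPN client and browser policy and are not covered here.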

Trademarks

(c) 1996-2008 by Courion Corporation. All rights reserved. Courion, the Courion logo, AccountCourier, CertificateCourier, PasswordCourier, and ProfileCourier are all registered trademarks of Courion Corporation. Enterprise Provisioning Suite, AuditLink, DIRECT!, ComplianceCourier, Dynamic Community, the ez Install logo, IdentityLink, IdentityMap, Policy Publisher, PolicyLink, AssetLink, and ServiceLink are trademarks of Courion Corporation. Microsoft Corporation, Microsoft Windows 98, 2000, Microsoft Windows NT, Microsoft Excel, Microsoft Access, Microsoft Internet Explorer, and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Microsoft is a U.S. registered trademark of Microsoft Corp. All other products and companies mentioned in this document may be the trademarks of their associated organizations.

ABOUT COURION

Courion's award-winning Access Assurance solutions are used by more than 450 organizations and over 12 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion's business-driven approach results in unparalleled customer success by ensuring users' access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at www.courion.com, our blog at http://blog.courion.com/, or on Twitter at http://twitter.com/courion.

Copyright 2008 Courion Corporation. Courion, the Courion logo, Enterprise Provisioning Suite, AccountCourier, RoleCourier, ComplianceCourier, PasswordCourier, ProfileCourier, and CertificateCourier are registered trademarks or trademarks of Courion Corporation. All other company and product names may be trademarks of their respective owners. PWCRU001-05-08