Dovestones Software

Active Directory Software and Services

AD Self Password Reset Documentation

Last updated 9 November 2018 

Contents:
Introduction
Installation
Basic Configuration
Using HTTPS
General Settings
Reset by Questions
Reset by SMS
Reset by Email
Access Control
Change Password
Helpdesk Feature
Expiry Notifications
Password Policies
Custom Look
User Enrolment
Password Reset
Changing Password
Help

 

Introduction

Users forgetting their passwords is a common headache for IT departments. AD Self Password Reset allows your users to safely reset their own password without calling the IT helpdesk.
AD Self Password Reset includes a number of ways to help reduce the pain of forgotten passwords and locked out users.
Password Expiry Reminder emails prompt users to change their password before it expires which can help to reduce the number of locked out users.
Should users forget their password Users can reset it by answering a number of questions or receiving a reset code via SMS message to their mobile.
We’ve added a number of other useful features, one such feature is ‘Helpdesk’. This allows the ‘Helpdesk Group’ to reset the passwords of the ‘Managed Users Group’. An ideal scenario for this is teachers being given the ability to reset their students’ passwords right there in the classroom, no need to call the helpdesk.
Thanks to your feedback we’re improving AD Self Password Reset all the time, please keep your feedback coming.

Installation

To install the program, follow the steps below.

  1. Double click the ADSelfPasswordResetSetup Installer
  2. Begin the installation. Click Next >
  3. Select the website where you want to install AD Self Password Reset, the Application will be installed in a sub-folder of the website (e.g. C:\intepub\wwwroot\PasswordReset). Then select an Application Pool for the program to use or type the name PasswordReset. Click Next.
  4. At the end of the installation wizard choose ‘Launch AD Self Password Reset Configuration’ to run the Configuration exe.
  5. Finally click Finish

Removal

To remove the program, follow the steps below.

  1. Go to Add/Remove Programs (Settings > Control Panel)
  2. In the list of currently installed programs locate AD Self Password Reset
  3. Click the Remove button on the right.

Basic Configuration

Before the application can be used there are three items that need configuration, these are found on the ‘Connection’ tab in the Configuration program.

To do this follow the steps below.

  1. Click the ‘Add Domain’ button to add a connection to Active Directory, specify a Domain, Domain Controller and a user that has sufficient permissions to reset users passwords.
  2. Click the Test button to confirm a successful connection to Active Directory, then click OK. If you receive a ‘Access Denied’ error message try running the Configuration program using ‘Run As Administrator’.
  3. Under Database Encryption enter a password to be used to encrypt the database. Make a note of this password somewhere secure as should you need to recover the database you will need it. Click Save.
  4. Under ‘Database’ is the connection string used to connect to the database. By default the program will use the included SQL Compact database which should be sufficient for most customers. If you would prefer to use an external SQL server specify a connection string in this box and click Save followed by the Prepare Database button. The user in the connection string will initially require the DB Owner role to create the necessary tables.

Initial configuration is now complete; you can continue to configure the program or perform some initial tests by going to the URL where the program is installed e.g. http://serverName/PasswordReset.

Using HTTPS

We strongly recommend you use SSL to encrypt the traffic when live but this is not required. You can test the program using HTTP if you are testing internally. Once live we do recommend you install a SSL certificate so the web site is accessible using HTTPS.The page below explains how to enable HTTPS in IIS. You can find other examples of how to enable https and add an SSL certificate can be found online.

https://support.microsoft.com/en-gb/help/324069/how-to-set-up-an-https-service-in-iis

General Settings

On the ‘Settings’ tab in the Configuration program you will find a section labelled ‘General’.

On the left are options that enable or disable program features. For example, unchecking ‘Allow users to unlock their accounts’ will remove this option from users.

On the right are options that enable or disable minor features such as masking user passwords as they enter them or hiding the domain selection drop down.

Reset by Questions

Should users forget their password they can reset it by answering a number of questions only the know they answer to. The administrator can decide how many questions need to be answered successfully before a user can reset their password.

To reset their password by answering questions users need to first ‘Enrol’, this involves first verifying their identity by authenticating with their current username and password and second choosing which questions they want to be asked and providing answers to those questions.

The administrator can choose which quest questions users can choose from and how many questions your users will be asked during enrolment and how many questions they will need to answer to reset their password.

The default questions can be changed, removed or added to. There is also the option to allow users to enter a custom question, this allows users to create their own question which may be unique to them.

Choosing Questions

Pay close attention to the type of questions the users can choose, take care not to choose questions were the information is easily learned, for example asking, ‘Where colour is your car?’ is easily learned. A more secure question to ask would be ‘Where did your parents meet?’ as this could be a city, location or an event. Allowing the user to create their question can add security as the user may ask a question only they could ever know the answer to. The user is limited to creating just 1 question to ensure they don’t create too many easily guessable questions.

Pre-enrolment

Whilst it is recommend users enrol themselves and answer their own questions in some circumstances such as  education environments you may need to enrol users in bulk. You can bulk import users using the included program PasswordResetPrePopulater.exe, there is an included csv file which can be used as a template.

Reset by SMS

The SMS mode allows users to reset their password without the need to enroll. If the user has a mobile number stored in Active Directory then when the user goes to Reset their password a message is sent to their mobile containing a password reset code. The user is then prompted to enter the code, if the correct code is entered the user can reset their password.

Require users to enter the last 4 digits of their mobile number

When the option ‘Require users to enter the last 4 digits of their mobile number’ is checked users will be asked to confirm the last 4 digits of their mobile number before they can proceed.

Country Code

If the users mobile number stored in Active Directory does not contain a country code then you can enter a country code here.

Use SMS for existing enrolled users

The option ‘Use SMS for existing enrolled users’ will force all enrolled users to use SMS rather than answering questions. This is ideal for customers who already have enrolled users and want to switch to SMS only. If the option is unchecked enrolled users will be asked to answer questions when they click Reset and new users who have a mobile number stored in Active Directory will use SMS. This helps if you want some users to use questions/answers (if they don’t have a mobile) and you want some users to use SMS (they don’t need to enroll).

Twilio Account

To send the SMS messages the program uses Twilio a global SMS service. A free Twilio account for testing can be created at twilio.com. Twilio offer a trial to all customers who sign up, which includes a free balance for you to experiment with. Getting a Twilio API key is straight forward, simply register with Twilio, once registered locate Authy in the menu and add an ‘Application’, give the application a friendly name such as PasswordReset then copy the API Key from the Settings section of the Application you created and paste it into the API Key text box on the SMS tab.

You will also need to enter your Account SID and Auth Token values which you can find on your Twilio dashboard.

By default the program send the SMS message to the number stored in the mobile field. This attribute can be changed should the number be stored in another attribute.

Debugging SMS

Whilst testing you may find you aren’t receiving the SMS messages, there are a few reasons for this. Enabling the ‘Debug’ option on the SMS tab gives you a little more information should the program not be able to successfully send the SMS message. When it is working as expected you can disable this option.

Email Settings

When a user enrols, resets or changes their password they are sent an email confirming the change has taken place. On the Email tab you can configure settings for your email server. The password expiry notifications are also sent via email. Enrolment reminders sent via the admin page also require an email server to be configured.

Enter the details of your mail server, the example below is using Office 365 but this could be your local Exchange server or another SMTP server.

Email Templates

The emails that are sent to the user when they enrol, reset or change their password can be customized via the Interface tab in the configuration program. The email templates files are located in the App_Data folder (typically c:\inetpub\wwwroot\PasswordReset\App_Data\).

Reset by Email and Email Verification

If  users have forgotten their password and you don’t want them to enrol (i.e. Answering Questions) and you don’t want to use SMS then a third option is to allow users to reset their password via email. This works in a similar way to the common ‘I’ve forgotten my password’ you find on most web sites. If the option ‘Allow users to reset password using email verification’ is enabled then when users click the ‘Reset’ button (you can link directly to /reset) and enter their username, an email is sent to the address stored in the ‘mail’ attribute (in later releases you will be able to specify a different attribute). The user clicks the link in the email and they are redirected to a page were they can enter a new password.

Include Questions and Answers in addition to email verification

After the user clicks the link in the email you can ask them to answer questions before they can reset their password, this does require the user has previously enrolled. To enable this check the option ‘Include Questions and Answers in addition to email verification’.

Ask for email address during enrolment

Should you not have your users email address stored in Active Directory then you can ask the user for their email address as they enrol. Their email address is then saved to the mail attribute in Active Directory, this then allows you to enable the ‘Allow users to reset password using email verification’.

Ask for mobile number during enrolment

Should you not have your users mobile number stored in Active Directory then you can ask the user for their number as they enrol.

Access Control

For additional security the Access Control tab allows you to control which users can use the program. You can specify which groups or OUs (Organizational Units) are allowed or which groups or OUs (Organizational Units) are denied use. By default all users can use the program.

Expiry Notifications

When a user’s password is due to expire they can be notified via email, this may prevent them from forgetting their password in the first place. When the password reminder email is sent the user can click a link in the email which redirects them to the ‘Change your Password’ page (email templates can be customized via the Interface tab). You can set the frequency users are notified their password will expire. Expiry notifications can be disabled should you not want to use this feature.

Reminders

Via the admin page (http://localhost/passwordreset/admin) you are can see who and who hasn’t enrolled. You can send users an email reminding them to enroll. Note the admin page can only be accessed via a URL that contains the server name or IP address (http://localhost/.., http://servername/.., http://10.0.0.5/..).

By default only members of the groups listed in the web.config file can access the admin page.

<add key=”Administrators” value=”Administrator,BUILTIN\Administrators,Domain Admins,ADSelfPasswordResetAdmins,ADSelfPasswordReset” />

User Lockout

Should a user repeatedly provide incorrect answers the program can prevent further attempts at guessing the answers by locking the user for a specified amount of time. On the User Lockout tab you specify how many failed attempts would prevent access and how soon they are allowed to try again. To prevent scripts being run to gain access use Captcha tab.

Password Policies

By default, the program will ensure passwords being set conform to the domain password policy, you can disable this check should you need to on this tab.
To prevent users using the same password continuously you can enable the password history feature. This forces the user to choose a different password each time.

To prevent users using the same password continuously you can enable the password history feature. This forces the user to choose a different password each time.

The Password Guidance options provides a user with visual feedback about the strength of their password. The Password Guidance isn’t linked to the password policies that exist in Active Directory, it can be enabled to encourage users to set a stronger password. The password the user specifies will need to meet the password policies you have in place if Password Guidance is enabled or not.

Helpdesk

You can allow a specified group of users the ability to change the password of another group of users. The feature is ideal for teachers as they can reset students passwords so there is no need for students to enroll or call the IT department, students don’t need to be enrolled for the tutor to use this feature. It can also be used by Helpdesk staff so they don’t need to access Active Directory to reset passwords. To use this feature, add the name of both groups and click Add and then Save.

Enabling the Helpdesk feature will add a button to the main page, the Helpdesk/Teacher button can be used by members of the Helpdesk group, other users will be denied access. You can change the text shown on this button on the Interface tab.

Captcha

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used to determine whether or not the user is human.
To use CAPTCHA you will first need to register with Google’s free reCAPTCHA service to obtain a public and private key. After registration you need to the site address where users will access AD Self Password Reset e.g. http://internal.domain.com, you will then be given a public and private key, copy these keys and paste them into the corresponding text boxes and click Save.

The CAPTCHA is shown when a user tries to reset their password or unlock their account. The CAPTCHA is shown before the user enters any details other than their username to ensure the user is human before attempts to answer questions are made.

Customizing the Interface

All the text seen by users (buttons, labels, colours and messages) can be changed via the Interface tab, you can also add a logo and change the colours used on the buttons and header. The logo should be 185px wide by 60px high and no larger than 30kb.

User Enrolment

Unless you are using SMS or Email verification modes your users will need to enroll before they can reset their passwords. Enrollment only takes a few minutes and involves entering their username and password to confirm the users identity and then answer a number of questions. The Change Password option doesn’t require enrollment.

Which questions the user can choose from and how many they need to answer to enroll are defined by the administrator via the Settings tab in the Configuration program.

To enrol your users will need to visit the main page and click Enroll or you can link directly to the enrolment page, perhaps in an email.

E.g.
http://server/PasswordReset/enroll
http://10.0.0.1/PasswordReset/enroll

  1. User clicks Enroll.
  2. User enters their username and password to verify the identity.
  3. User selects the questions and enters their answers. By default the user answers 4 questions but this can be changed via the Settings tab. On the Setting tab there is an option to allow users to create their own question, the option limits the user to creating just one custom question.
    Each question and answer needs to be unique, after the user has successfully selected and answered each question clicking Next will complete the enrolment. The user is then able to reset and change their password at any time. If you have specified an email server the user will receive an email confirming enrolment.

User Password Reset

  1. To reset a password, the user clicks the Reset Password button (the text can be changed via the Configuration program) or visits the URL http://server/passwordreset/reset.
  2. The user enters their username, if the Google Recaptcha has been enabled the user will need to pass the Recaptcha check.
  3. The user then answers questions that are randomly chosen by the program and clicks Next.
  4. After successfully answering the questions the user can then enter a new password.
  5. The user will see confirmation that their password was changed successfully.

Unlock Account

  1. If the users account is locked, then the user can unlock their account by choosing Unlock Account from the main page or visiting the URL http://server/Unlock
  2. The user enters their username, if the Google Recaptcha has been enabled the user will need to pass the Recaptcha check.
  3. The user then answers questions that are randomly chosen by the program and clicks Next.
  4. After successfully answering the questions the user will receive confirmation their account was unlocked successfully.

Change Password

  1. To change their password the user chooses Change Password from the main page or visiting the URL http://server/changepass
  2. The user enters their username and current password and a new password and then clicks Next. If their new password successfully meets the password policy the password is changed.

Help and Support

If you require any help installing or configuring AD Self Password Reset please contact support.