In Brief
Technically, FastPass Password Manager™ is a set of .NET 2.0-based applications using ASP pages served from Microsoft Internet Information Services (IIS) and implemented in a Service Oriented Architecture (SOA). Conceptually, the FastPass Password Manager™ server is split into three major components:
- The Client Component
- The Server Component
- The Infrastructure Component
These three components communicate internally using encrypted web-services and can be installed on the same or on different physical servers.
Because the product is entirely web based, no software needs to be installed on the desktop client. On the server side the application scales: in small organizations it can be installed on top of an existing IIS server, and in large organizations it can be spread over multiple servers for the highest possible performance, reliability and security.
How does it work?
The application can be configured to meet any number of requirements and security policies, and can be used in many different scenarios with different authentication methods. Challenge/Response is the authentication method most widely adopted by our customers.
Before describing the various authentication methods, the features and the architecture, let us first walk through a scenario for the most important function the application provides: the Password Reset function. When a user has forgotten his password and wants to perform a Password Reset, he must first provide a known user ID on a registered domain. The identified account, together with the network from which the operation is performed, determines the set of authentication methods that the user must pass before he is permitted to continue with the password reset. The user is presented with one authentication method at a time and can neither choose between nor skip the possible authentication methods.
If the user responds correctly to all presented authentication methods, the application asks for the new password and then performs an administrative password reset to a randomly generated password. The application then attempts a user password change, supplying the memorized random password as the old password and the password the user provided as the new one. This last operation is performed as the user account itself, which ensures that all AD group policies and all custom password filters can reject the user-selected password. If the user's password is rejected by the system, the account remains protected by the randomly generated password.
This description outlines what the application actually does and which components it touches throughout its operation. To make this clear, here are the steps once more:
1. Check if the user account exists and is not disabled in the AD.
2. Identify Authentication methods using group membership and IP-address.
3. Execute Authentication method(s).
4. Get new Password from user.
5. Reset Password for the account in AD as an administrative user.
6. Implement new Password as the requesting user and get direct response from AD group policies and implemented filters.
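The two-phase reset in steps 5 and 6 is the security-relevant part of this flow: the administrative reset lands on a random password, and the user-context change is what subjects the chosen password to group policy and custom filters. The following Python sketch is an added example (not FastPass code) that models that sequence against a constructed in-memory directory with an assumed password policy, so the rejected-password case can be seen to leave the account on the random password rather than the old one.

```python
import secrets
import string

# Constructed in-memory stand-in for an AD account store (illustration, not product code).
class MockDirectory:
    def __init__(self):
        self.accounts = {}  # sAMAccountName -> {"password": str, "disabled": bool}
    def add(self, name, password, disabled=False):
        self.accounts[name] = {"password": password, "disabled": disabled}
    def exists_enabled(self, name):  # step 1
        acct = self.accounts.get(name)
        return acct is not None and not acct["disabled"]
    def policy_accepts(self, pw):
        # Assumed stand-in for group policy plus custom password filters:
        # at least 12 characters with upper case, lower case and a digit.
        return (len(pw) >= 12 and any(c.isupper() for c in pw)
                and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))
    def admin_reset(self, name, new_password):  # step 5: privileged, no old password needed
        self.accounts[name]["password"] = new_password
    def user_change(self, name, old_password, new_password):  # step 6: runs as the user
        acct = self.accounts[name]
        if acct["password"] != old_password:
            raise PermissionError("old password mismatch")
        if not self.policy_accepts(new_password):  # policies and filters apply here
            return False
        acct["password"] = new_password
        return True

def random_password(length=24):
    # Temporary password that always satisfies the assumed policy above.
    rng = secrets.SystemRandom()
    chars = [rng.choice(string.ascii_uppercase), rng.choice(string.ascii_lowercase),
             rng.choice(string.digits)]
    chars += [rng.choice(string.ascii_letters + string.digits) for _ in range(length - 3)]
    rng.shuffle(chars)
    return "".join(chars)

def reset_password(directory, user, chosen_password):
    """Steps 1, 5 and 6 of the outline (steps 2-4 happen before this call)."""
    if not directory.exists_enabled(user):
        return "unknown_or_disabled"
    temp = random_password()
    directory.admin_reset(user, temp)
    if directory.user_change(user, temp, chosen_password):
        return "accepted"
    # Rejected by policy: the account now sits on the random temporary password,
    # not on the old one, and the user must try again with a compliant password.
    return "rejected_by_policy"
```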
The architecture
The architecture of FastPass Password Manager consists, as described earlier, of three components:
- The Server Component
- The Client Component
- The Infrastructure Component
The Server Component
The core functionality of the product is implemented in the Server Component. Responsibilities include:
- Acceptance (authorization) of Client Component instances.
- Communication with the Client Component (SOA).
- Acceptance (authorization) of Infrastructure Component instances.
- Communication with the Infrastructure Component (SOA).
- Input/output to the central data storage (AD/AM).
- Configuration storage (XML files).
- Credential storage of system accounts (Encrypted files).
- Coordination of all transactions.
- Session control.
- Authentication, performed through the Infrastructure Component.
- Authorization based on users' group memberships.
The Server Component is typically installed on a server together with the Infrastructure Component but can also be installed on the same physical server as the Client Component.
The Client Component
The presentation functionality of the product is implemented in the Client Component. The Client Component is restricted to communicating using the standards defined by the Server Component. Responsibilities include:
- Communication with the Server Component (SOA)
- Presentation of screens enabling users to execute the operations implemented by the Server Component.
- Local authentication of users where needed, as in the Service Provider Edition.
- Credential storage of system accounts as needed in the Service Provider Edition (Encrypted files).
- Configuration storage if needed (XML files).
- Browser session control.
The Client Component is typically installed on a separate server but can also be installed on the same physical server as the Server and the Infrastructure Component.
The Infrastructure Component
The technology integration functionality of the product is implemented in the Infrastructure Component. This means that communication to and from almost all third-party systems that the product integrates with, including the Active Directory, goes through the Infrastructure Component. The main purpose of the Infrastructure Component is to make the technologies that the application builds on transparent and uniform to the Server Component. Responsibilities include:
- Communication with the Server Component (SOA).
- Transport of data to target systems.
- Identification of transport routes to target systems.
- Fault tolerance of transport to target systems.
- Authentication to the next-next point in the transport route.
- Credential storage of the next-next account information (Encrypted files).
- Configuration storage if needed (XML files).
The Infrastructure Component is typically installed on a server together with the Server Component but can also be installed on the same physical server as the Client Component. Furthermore the Infrastructure Component can be installed on servers that provide safe routes to the backend servers running the Active Directory or other user repositories.
The full architecture
The Server Component and the Infrastructure Component are installed on one physical server and the Client Component is installed on another. The Server Component stores data in a local AD/AM installation and, when it needs information from the AD, uses the fault tolerant Infrastructure Component, which delivers a route to the requested source (server).
The data stored in the AD/AM data store is best described as links to the real data (in the Active Directories), and the same goes for the data needed by the Password Manager server, such as the Challenge/Response data. Account status, passwords and any other information are always validated by connecting to the real user repository, and no periodic synchronization is needed between the AD/AM data store and the Active Directories. Users connect their browsers to the Client Component, which communicates with the Server Component using encrypted web-services. It is important to note that the Server Component, by utilizing the Infrastructure Component, has no binding to a single Domain or Domain Forest, and that Multi Forest support is thereby a delivered feature.
The fault tolerant Infrastructure Component, the multi forest feature and a fully SOA based architecture are features that large organizations today require in order to ensure a solid and reliable solution with the flexibility and scalability to meet the requirements of today's ever changing business environments.
Multifactor authentication support
The FastPass Password Manager™ application supports several authentication methods and more will be added down the line. Currently the supported methods are:
- Username/password
- Challenge/Response questions
- Light Challenges (such as the last 4 digits of a mobile number)
- Challenge Code delivered by SMS
- PIN Code delivered by Helpdesk staff (HD-PIN)
- Entrust Identity Guard Grid Cards
All authentication methods can be used on their own or stacked, thereby implementing multifactor authentication. In addition, security administrators can apply different settings to different users based on their group membership, and different settings depending on the network from which the operation is performed. Examples:
- A normal user is only required to answer his challenges correctly.
- An administrative user is required to pass the Challenge/Response and the Challenge Code delivered by SMS when performing the operation from the corporate network.
- An administrative user is required to pass the Challenge/Response, a Light Challenge and the Challenge Code delivered by SMS when performing the operation from an insecure network, e.g. the Internet.
The configurable multi-factor authentication feature has a large impact on the security of the implementation and should be considered before FastPass Password Manager™ is implemented. The consequence of weaker authentication can be fatal: it may enable a person to authenticate as another user and change that user's password.
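Step 2 of the reset flow and the examples above amount to a policy lookup keyed on group membership and source network, with the resulting methods stacked and presented in a fixed order that the user cannot alter. This added Python example (not the product's configuration format or code) models that lookup with a constructed profile table and assumed corporate address ranges, and denies the operation outright when no profile applies, so a user outside every configured group never gets an empty method list waved through.

```python
import ipaddress

# Constructed profiles (illustrative, not the product's configuration format). Each
# applies to one group, from one network zone or from any network (None), and lists
# the methods the user must pass, in order.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PROFILES = [
    {"group": "Domain Users",  "zone": None,        "methods": ["challenge_response"]},
    {"group": "Domain Admins", "zone": "corporate", "methods": ["challenge_response", "sms_code"]},
    {"group": "Domain Admins", "zone": "external",
     "methods": ["challenge_response", "light_challenge", "sms_code"]},
]

def network_zone(client_ip):
    """Classify the requesting address; anything outside the assumed corporate ranges is external."""
    ip = ipaddress.ip_address(client_ip)
    return "corporate" if any(ip in net for net in CORPORATE_NETS) else "external"

def required_methods(groups, client_ip):
    """Stack every matching profile: the user must pass the union, in the listed order."""
    zone = network_zone(client_ip)
    ordered = []
    for profile in PROFILES:
        if profile["group"] in groups and profile["zone"] in (None, zone):
            for method in profile["methods"]:
                if method not in ordered:
                    ordered.append(method)
    return ordered

def run_authentication(required, prove):
    """Present one method at a time; the user can neither pick nor skip a method.
    prove(method) -> bool stands in for the verifier of that method (constructed)."""
    if not required:
        # No profile applies: fail closed rather than let the reset proceed unauthenticated.
        return {"passed": False, "failed_at": "no_profile"}
    for method in required:
        if not prove(method):
            return {"passed": False, "failed_at": method}  # stop at the first failure
    return {"passed": True, "failed_at": None}
```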
Service Provider Support
As described earlier, the Password Manager Server Component is not coupled to a single AD, and the Infrastructure Component enables the server to communicate with remote Directories in a reliable and secure way. Furthermore, the FastPass Password Manager™ product currently supports six major European languages and supports multiple organizations, each with its own configuration, look-and-feel and use of Infrastructure Components. The feature is referred to as “Service Provider Support” but is equally relevant to large enterprises that need to operate their own subsidiary companies (with their own registered domains) from a central location. This offer is absolutely unique in the market.
One scenario utilizes two centrally placed servers. On the first computer the Password Manager Server Component is installed together with the Infrastructure Component (PM Gateway), and on the second computer the Password Manager Client and the Password Manager Client (service provider edition) are installed. Both servers run IIS, and all components run as web-services communicating via SOAP over HTTP using SSL. The Password Manager Server has a local AD/AM configured, which holds information about enrolled users and their challenges. There is no direct relation between this AD/AM and the directories at the customer's sites; at enrollment time, when the user can authenticate to an account on a customer directory, a link to that account is registered in the central AD/AM together with the challenges. All account operations are done at the customer's Active Directory, and the Password Manager application only transports data; it does not save or cache vital data such as account status or passwords. Access to the customer's directories is through the FastPass Infrastructure Components. SSL must be enabled on the Windows AD. This is typically not the default configuration, but it is a requirement for security reasons. More implementation scenarios are available upon request.
Enrollment Services
The key to a successful Password Management implementation is user involvement. Awareness of the solution is critical, and to assist with this the Password Manager Server Component includes a feature referred to as Enrollment Services. Enrollment Services is a tool that can be configured to send notifications (e-mail or SMS) to users found in the Directories who have not yet enrolled. The tool is configured from the Administrator Client, and various profiles can be set up so that enrollment is enforced in a manageable order.
As an example, one configuration profile could send e-mails to members of a Domain Administrators group who are not yet enrolled. This could be executed every Thursday morning over a 4 week period, ending with a reset of the password or a lock of the account. Another configuration profile could send e-mails to members of a Location B Users group who are still not enrolled; this could be executed every Friday morning. Every configuration profile can use various pre-configured messages or its own custom messages. The Enrollment Service feature of the FastPass Password Manager™ product is valuable during implementation to ensure that all employees are enrolled.
Windows Client
Users may work from remote locations with only a single workstation or users may work in shifts so that no workstation is immediately available when a user has forgotten his password. To support this scenario the FastPass Password Manager™ product can also include a feature that extends the Windows GINA. The feature customizes the login dialog by putting a button on it which opens up a very restricted kiosk mode application that can only be used to connect to the FastPass Password Manager Client Component server. The application can be distributed using various software distribution methods where the installation is performed with administrative credentials.
Integrations with IDA Solutions
The functionality provided by the FastPass Password Manager™ product in no way compromises other Identity Management initiatives.
Continuing the Password Reset scenario described earlier in this document: when the user successfully changes the password, the change can be captured by mechanisms such as the Microsoft Password Change Notification Service (PCNS) and propagated to a Microsoft Identity Integration Server (MIIS), which uses installed Management Agents (MA) to deliver the new password to connected systems. Alternatively it can be captured by the FastPass Password Account Manager™, which distributes the new password to its known systems via the same Infrastructure Components that the Password Manager Server Component utilizes. It is possible to install either MIIS or FastPass Password Account Manager, or both, on one machine or on separate machines. The benefit of the hybrid deployment model is that a combination of MIIS and FastPassCorp's SOA technologies gives maximum coverage in heterogeneous environments that may as yet be unsupported by "off-the-shelf" MAs from Microsoft. It must be stressed, though, that FastPass Password Manager™ has no dependency on an MIIS deployment in order to distribute passwords effectively throughout the enterprise.
Administration Client
Ease of administration and alignment with business processes are key factors in the design of the FastPass Password Manager™ product. This is especially visible in the Administration Client interfaces. The Administration Client organizes its settings by organization; accordingly, the first resource to register is the organization, which has attributes such as Name, purchased number of seats, enrolled number of seats, business contact, technical contact, Administrator list, and others. As soon as an organization is registered, Security administrators can control the settings of the Password Manager applications for that organization. Some of the settings that can be configured are:
- Authentication profile settings.
- Action profile settings.
- Log settings.
- Notification settings.
- Enrollment Service settings.
- Client component settings.
- Infrastructure component settings.
The Administration Client is implemented just as the standard Client and authorization is handled by membership of AD groups.