MICROSOFT ACTIVE DIRECTORY SELF SERVICE PASSWORD RESET

See the 4 steps to reach a 90%+ adoption rate for an on-premise or cloud solution (close to 2 million users), and the configuration and security features of the leading password solution, FastPass.

Self-service password reset is one of the most profitable self-service solutions a support organization can introduce. About 20-30% of all calls to a service desk are related to passwords. An improved end-user service level and a reduced workload are attractive for any service desk manager and IT operations manager. The prerequisite for success, however, is that users accept and use the self-service password reset tool.

FastPass offers the functionality and a best practice guide that give our customers an adoption rate of more than 90%.

The 4 steps to password self service reset success

1. ENROLLMENT

  • Force where possible
  • Automatic e-mails for the rest

2. ACCESS EVERYWHERE

  • From a domain PC: a credential provider on the Windows logon screen, before the user is logged in
  • From domain PCs outside the corporate network: with reset of the cached password on the PC
  • WEB-portal for guest PCs
  • Responsive design for all smart devices

3. SERVICE DESK ASSISTANCE

  • When users call anyway, the service desk agent must have tool support for authenticating the caller
  • Users should re-enroll in self-service with a PIN, not by being given a password

4. CONVENIENT AND SECURE AUTHENTICATION

Question / answer method

  • Private and semi-private answers
  • Standard questions
  • Individual personal questions
  • Bulk update of corporate data is possible, but not recommended

PIN-code push

  • For mobile phones
  • For e-mails (private)

Smart cards

Commercial methods such as Duo and RSA

TOTP (time-based one-time passwords), generally available

  • Microsoft authenticator
  • Google Authenticator

Country or industry-specific

Combine the above to form multi-factor authentication (MFA)

ARRIVING SOON

BEST PRACTICES FOR PASSWORD RESET SELF-SERVICE PROJECTS

  • 1 The business case: Self-Service of passwords
  • 2 Processes and implementation
  • 3 Project management

Want more information about FastPass products, pricing or anything else?

We are here to help you!

Active Directory Self service portal

6 pillars for password self service configurability:

Windows infrastructure

  • Active Directory
  • Multi-AD
  • Multi-forest AD
  • Azure AD
  • Hybrid Azure AD

The infrastructure 

  • Architecture for hardening
  • Architecture for high availability
  • Architecture for high performance

Different processes and workflows for users

  • Communication to users differs across countries
  • Communication differs across internal functions
  • Different processes for internal and external users
  • Different authentication methods for different user groups

Languages must reflect the users’ language

  • not everybody understands English 
  • FastPass has close to 40 languages 

Self-service even for other types of passwords, such as SAP, IBM, Oracle and many others

Easy and efficient administration and configuration from a central administrator portal 

FastPass Enterprise for Windows Self Service Password Reset offers all of the above, both for customers who need an on-premise solution and for customers who want to go to the cloud. The solution is also available to managed service providers as a multi-tenant solution for their customers.

The FastPass best practice guide is a clear guide on how to implement FastPass and reach +90% adoption and success rate. 

This is however not enough to guarantee success. Every installation is unique, and the password self-service solution must adapt to the real requirements for user convenience and to the company's IT security requirements.

A reasonable term for this is CONFIGURABILITY! 

Configurability considerations for active directory password reset tool software. Below is just a short overview of some of the decisions to be considered.

Guide to self service of passwords project success


The nature of passwords is to make IT-systems SECURE!

The security of a software application depends not only on the software but also on the security of the whole IT infrastructure. FastPassCorp cannot dictate to customers how to configure their infrastructure. We do, however, promise that our documentation and consulting recommendations describe how you can configure your IT systems to protect FastPass data and processes in your infrastructure.

Protecting the integrity of data

  • Connecting to AD over LDAPS (LDAP over SSL/TLS) encrypts the communication with the domain controllers. This requires a server certificate with an RSA key of 2048 or 4096 bits.
  • Internal system encryption is based on AES-256, the largest AES key size available in .NET.
  • Sensitive data such as users' questions and answers are stored in the database AES-256 encrypted.
  • User data can be hashed in addition to being encrypted, so that the stored value cannot be turned back into the original answer even by someone holding the encryption key.
  • The FastPass TrackEngine makes sure that nobody can intercept a transaction and replay it.
  • Internal communication from front-end to back-end to gateway is only possible with trusted TLS certificates and only from selected IP addresses.
  • Passwords can be stored encrypted (AES-256) in the FastPass database. This enables a set of features that tighten password-history control, for example a minimum number of character differences from any previously used password, which cannot be checked against hashes alone. Note that this stores passwords reversibly, so the key protecting them must be guarded as carefully as the passwords themselves.

Protecting the Windows PC Client

The Windows client has three layers of restriction to prevent an intruder from misusing the pre-logon client on a locked PC:

    • URL restrictions: the client will only communicate with the FastPass server
    • Keyboard restrictions
    • Process restrictions (level 1 imposed by Windows, level 2 imposed by the Windows client's C and .NET code)

Preventing access to user’s FastPass account

  • Notification to the user of authentication attempts using questions/answers
  • A user is not asked the same challenge question twice, and cannot enroll the same answer for more than one question
  • FastPass always checks that a user is still enabled and active in AD before the user can use FastPass (FastPass does not enable users)
  • After 3 failed attempts the user is locked in FastPass (not in AD); service desk assistance is needed to unlock the account again
  • CAPTCHA protection against automated attempts is included
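As an added example of the controls listed above (not FastPass code), the following store keeps enrolled answers as salted, slow hashes rather than in a recoverable form, rejects duplicate answers at enrollment, never asks the same question twice in one challenge, checks that the account is still enabled in a directory before authenticating, notifies on each failure, and locks the user in the self-service store, not in AD, after three failed attempts. The directory lookup, user names, questions and answers are constructed sample data.

```python
import hashlib
import hmac
import random
import secrets
import unicodedata
from typing import Callable, Dict, List, Tuple


def normalize(answer: str) -> str:
    """Case-fold and drop accents and whitespace so 'Fido ' and 'fido' verify equal."""
    decomposed = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(c for c in decomposed if not unicodedata.combining(c) and not c.isspace())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2: the store never holds a value that can be turned back into the answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)


class ChallengeStore:
    MAX_FAILURES = 3  # lockout threshold from the page; applies to this store, not to AD

    def __init__(self, is_enabled_in_ad: Callable[[str], bool]):
        self.is_enabled_in_ad = is_enabled_in_ad  # stand-in for an AD lookup (constructed)
        self.enrollments: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {}  # user -> question -> (salt, hash)
        self.failures: Dict[str, int] = {}
        self.locked: set = set()
        self.notifications: List[str] = []  # stand-in for SMS / e-mail to the user

    def enroll(self, user: str, answers: Dict[str, str], minimum: int = 3) -> None:
        if len(answers) < minimum:
            raise ValueError(f"enroll at least {minimum} questions")
        normalized = [normalize(a) for a in answers.values()]
        if "" in normalized:
            raise ValueError("empty answer")
        if len(set(normalized)) != len(normalized):
            raise ValueError("the same answer may not be used for more than one question")
        record = {}
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            record[question] = (salt, hash_answer(answer, salt))
        self.enrollments[user] = record
        self.failures[user] = 0

    def challenge(self, user: str, count: int = 2) -> List[str]:
        """Distinct questions: the same question is never asked twice in one round."""
        return random.sample(list(self.enrollments[user]), count)

    def verify(self, user: str, answers: Dict[str, str]) -> bool:
        if user in self.locked or not self.is_enabled_in_ad(user):
            return False
        record = self.enrollments.get(user, {})
        # Hash every supplied answer before deciding, so a wrong first answer is not faster to reject.
        results = [q in record and hmac.compare_digest(hash_answer(a, record[q][0]), record[q][1])
                   for q, a in answers.items()]
        if results and all(results):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self.notifications.append(f"{user}: failed challenge attempt {self.failures[user]}")
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
            self.notifications.append(f"{user}: locked in self-service; service desk must unlock")
        return False

    def unlock(self, user: str) -> None:
        """Service desk action, taken after the caller has been authenticated by other means."""
        self.locked.discard(user)
        self.failures[user] = 0
```

Normalizing answers before hashing is what makes the hashed storage usable: without it, "Århus" and "arhus" would hash to different values and users would lock themselves out on capitalization alone.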

Best practices for securing and protecting access to FastPass include the following actions:

  • The fundamental component is installation of the FastPass web services in a DMZ
  • Hardening of the DMZ server according to the FastPass hardening documentation
  • Require two-factor authentication for users coming from the WAN
  • User notification of password resets
  • Notify users via SMS and e-mail that their FastPass account has been used, e.g. when authentication fails
  • Use only TLS versions that are PCI DSS compliant (SSL and early TLS are not; TLS 1.2 or later is strongly encouraged)

For extra secure environments, the following aspects can be evaluated

  • Only allow access through the Windows client on remote PCs (blocks the browser interface)
  • Demand remote devices to present a trusted device/user certificate
  • Allow Enrollment only from the LAN
  • Limit the IP address scope allowed on the WAN-side

Best Active Directory self-service password reset

Have you ever thought about AD self-service password reset tool?

In today's environment, users expect fast self-service for any issue they might have with IT. As the most frequent issue is Active Directory password reset calls, IT self-service must include Active Directory password self-service functionality. This resolves users' issues faster than calling a service desk. It can even become critical when the problem occurs outside the service desk's working hours.

FastPass Self Service Password Reset Active Directory portal lets you start with an advanced, automated platform for Windows Active Directory passwords. You can add functionality later as your requirements grow. You might also consider FastPass Cloud.

FastPass basic functions are based on a self-service web portal where users can unlock their Active Directory account or reset their forgotten Active Directory password. Different authentication methods are available: challenge questions, SMS PIN codes, Google and Microsoft Authenticator or others. Even two-factor authentication can be dynamic! The portal is accessible from any device with a standard browser, smartphones included. Users get assistance in making the new password comply with the password policy. The user can select the end-user language from more than 40 different languages. For more details on functionality see FastPass password manager facts.

Optional Microsoft AD self service password reset facilities

Many organizations can improve the self service Active Directory password reset business case and user satisfaction by adding more advanced functionality to FastPass.

  • With FastPass PC-client users get access to the portal from a locked Domain PC with a credential provider. This is the most usual situation for end-users experiencing problems with passwords. No need to go to another device to access the WEB-portal!
  • Enrollment is key to user adoption rates. With FastPass PC-client users are forced to enroll!
  • Non-domain users can be invited to enroll by FastPass automatic e-mail enrollment service.
  • HelpDesk client is available for the service desk support for those users who call for support anyway. It speeds up the service and increases security.
  • For users with corporate PCs who access the system from an external network (from home or while travelling), the Remote PC client enables FastPass to reset the cached password on the PC. The service desk cannot do this with traditional tools, so this is of extraordinary value.
  • Organizations with multiple Active Directories can handle this complexity in the extended version

Market offerings

Self-service password reset portals are available from many vendors. Traditionally the solutions were part of identity management (IDM) suites such as Microsoft Forefront Identity Manager and ManageEngine ADSelfService Plus. There are also dedicated solutions from open-source vendors, which have never really caught on. Many ITSM products now offer limited self-service functionality.

Microsoft Azure AD and Office 365 now offer Azure SSPR functionality.

If you need assistance in an assessment between different offerings we have experience and knowledge for you to help you make an expert evaluation. Please contact us.

How does a Self-service password reset solution SSPR work?

When users want to login to Windows from the PC, they might find it impossible. They might just need to unlock or perhaps they need to reset the password.  

The immediate problem is: “How to do self-service of passwords when your PC is locked because you don’t have a password?” a Catch-22 problem. 

The solution is an icon on the PC showing the user that he can help himself by clicking the password reset icon. This PC client (a credential provider, or GINA on older Windows versions) can then run limited functionality on a locked PC, giving the user access to the self-service password reset functions.

The user is then asked to authenticate personally, based on secrets shared between the SSPR (self-service password reset) solution and the user. Depending on the user's profile and the situation it can be single-factor or multi-factor authentication.

When the authentication is accepted, the user must create a new password. For user convenience the password policy must be visible to help the user make a compliant password. As the user types, the individual policy elements turn green to show the user that the password is OK.

The user can then return to his PC and use the new password. In this process no other person has been involved, so trust is maintained in the individual user.

It cannot be a password recovery: Active Directory stores only a hash of the password, so the old password cannot be handed back. The user always has to create a new password.
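The live policy feedback described above, and the history rule mentioned earlier on this page (a minimum number of differences from any previously used password), can both be implemented as a function that returns one pass/fail flag per rule, which a UI can colour green or red as the user types. The following is an added example, not FastPass code; the thresholds are assumed values, and the previous passwords are passed in as plain strings because an edit-distance check cannot be made against hashes.

```python
from typing import Dict, List


# Hypothetical policy thresholds (assumptions for this example, not FastPass settings).
POLICY = {
    "min_length": 12,
    "min_classes": 3,           # of: lowercase, uppercase, digit, symbol
    "min_history_distance": 4,  # edit distance to every remembered password
    "history_size": 5,          # how many previous passwords are remembered
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def character_classes(pw: str) -> int:
    """Number of distinct character classes present in the candidate."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def evaluate(candidate: str, username: str, history: List[str],
             policy: Dict[str, int] = POLICY) -> Dict[str, bool]:
    """One entry per rule, True when satisfied: the checklist the portal shows in green/red."""
    recent = history[-policy["history_size"]:]
    return {
        "length": len(candidate) >= policy["min_length"],
        "classes": character_classes(candidate) >= policy["min_classes"],
        "no_username": username.lower() not in candidate.lower(),
        "not_reused": all(candidate != old for old in recent),
        "differs_from_history": all(
            levenshtein(candidate.lower(), old.lower()) >= policy["min_history_distance"]
            for old in recent
        ),
    }


def is_compliant(candidate: str, username: str, history: List[str],
                 policy: Dict[str, int] = POLICY) -> bool:
    """The reset is only submitted to AD when every rule is green."""
    return all(evaluate(candidate, username, history, policy).values())
```

The distance rule is what catches the "Winter2023!x" to "Winter2024!x" pattern that a plain reuse check lets through; it is also the rule that forces the reversible password storage discussed under "Protecting the integrity of data", so enable it only where that trade-off has been accepted.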

FastPass is of course also available from external PC’s via WEB-access and for smartphones and tablets. 

Microsoft password reset

Microsoft password reset (in other words, when a user has forgotten the Windows password) is traditionally done by the service desk using its privileged Active Directory credentials.

Better productivity and service are achieved with an AD password reset tool. Customers with FastPass are successful with password self-service because of the following qualities in the service:

  1. Users need to enroll to be able to authenticate in FastPass when the windows password is forgotten or locked! It can be done with forced enrolment or with the FastPass automatic e-mail enrolment service.
  2. Access is needed from all type of devices from internal and external networks. The devices can be corporate PCs, smartphones, tablets, and general browser access
  3. Authentication must be both easy and secure at the same time. You can configure whether you want single- or multi-factor authentication (MFA). FastPass supports:
    1. Standard question and answers
    2. Users’ own questions and answers
    3. SMS to users’ mobile phone number
    4. Microsoft Authenticator and Google Authenticator
    5. Smart cards
    6. Other options
  4. Assistance from the service desk if the user is unable to do self service

FastPass supports Active Directory and Azure Active Directory users.

FastPass password synchronization is based on an AD interceptor that catches all password changes in AD. Each change creates a transaction for the FastPass password synchronization module. FastPass keeps a user map in which the user's IDs in the different systems are linked together, and the transaction is applied to each of them. The synchronization reacts very fast, so in general users' passwords have been changed in the target systems before the user logs in to the other systems.

Read more about FastPass Solutions

FastPass covers the important password manager processes for self-service of passwords, together with a compliant and secure process for facilitated password reset in the service desk. The results are high productivity and ease of use for all types of corporations.

FastPass covers all types of passwords (Windows, SAP, Oracle, IBM i, etc.).

FastPass for SAP

SAP password reset tool for Self Service or Synchronize:

  • Easy to use self-service portal for all instances
  • Supports all SAP variations, and an unlimited number of SAP instances
  • Functionality as FastPass Enterprise
  • Synchronize AD passwords to SAP passwords

FastPass for Oracle

Oracle reset password portal and synch for end-users:

  • Easy to use self-service portal for all systems
  • Supports all Oracle variations, and an unlimited number of Oracle systems
  • Functionality as FastPass Enterprise
  • Synchronize AD passwords to Oracle passwords

FastPass for IBM

Password synchronization or password reset for IBM i series, IBM Z and RACF:

  • Easy to use self-service portal for all systems
  • Supports the IBM platforms listed above, and an unlimited number of IBM systems
  • Functionality as FastPass Enterprise
  • Synchronize AD passwords to IBM passwords
