When a computer is not connected to the domain (remote with no VPN), how does the Secure Password Extension (SPE) connect to the Self-Service site?
The SPE obtains the URL for the Self-Service site from the Service Connection Point (SCP) that is published in Active Directory. The URL published in the Service Connection Point is the same as the one configured on the Password Manager Admin site under General Settings | Service Instances. If a remote user who is not connected to the domain tries to use the Forgot My Password link from the logon screen, the SPE will not be able to query the SCP for the URL.
Note: A Self-Service site needs to exist with an externally accessible URL (accessible outside of the internal network).
For remote users who are not or will not be connected to the domain, the URL will need to be provided to the SPE either through the prm_gina.adm(x) Administrative Template in a GPO or by modifying the registry on the client computer.
To force the SPE to use a specific URL by using the Administrative template:
To manually configure the URL on each client computer for 5.6.x and 5.7.0:
To manually configure the URL on each client computer for 5.7.1:
Note: When the URL has been provided to the SPE via the Administrative Template or manual registry editing, the URLs for the external and internal sites will need to match so that clients can still access the Self-Service site from the logon screen while they are connected to the network.