-
Title
How does Secure Password Extension work when a computer is not connected to the domain? -
Description
When a computer is not connected to the domain (remote with no VPN), how does the Secure Password Extension (SPE) connect to the Self-Service site?
-
Resolution
The SPE functions as follows in attempting to connect to the Self Service site:
1. Local Registry
2. Service Connection Point published in Active Directory
The URL published in the Service Connection Point is configured on the Password Manager Admin site (PMAdmin) under General Settings | Realm Instances. If a remote user who is not connected to the domain attempts to use the Forgot My Password link from the logon screen, the SPE will not be able query the Service Connection Point for the URL.
Note: A Self-Service site needs to exist with an externally accessible URL (accessible outside of the internal network).
For remote users who are not, or will not be connected to the domain, the URL will need to provided to the SPE either through the use of a Group Policy (using the Administrative Template included with Password Manager installation media), or by modifying the registry on the client computer.
To force the SPE to use a specific URL by using the Administrative template, refer to the Password Manager Administration Guide:
https://support.oneidentity.com/technical-documents/password-manager/5.11/administration-guide/70#TOPIC-1898765To manually configure the URL on each client computer:
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies
- If the keys One Identity\Password Manager don't exist, create them (Create new key One Identity and then new key Password Manager below One Identity)
- Within One Identity\Password Manager, create a new REG_DWORD (32) entry
- Name it ForceRegistryURL with a value of 1
- Create a new String Value (REG_SZ) called SelfServiceURL
- Enter the URL for the external Self-Service site, such as http://SelfServiceSite.com
Note: For clients to be able to access the Self-Service site from the logon screen when they are connected to the network and have had the URL provided to the SPE via the Administrative Template or manual registry editing, the URL for the external and internal site will need to match.