
Enterprise Single Sign-On 8.0.6 - Advanced Login Self Service Password Request Administrator Guide

1 Overview
2 Configuring and Using the Password/PIN Reset Function
3 Forcing the Use of Tokens or Biometrics with the Temporary Password Access Function
4 Authorizing the Q&A-based Authentication

Replacing the Private Key and Certificate of the Reset Password Server

The Reset Password, or SSPR, server runs as an Apache 2 Web server with mod_ssl installed. Upon installation, a temporary set of certificates is generated to enable secure user authentication. It is recommended that you replace these temporary certificates with certificates generated using your own PKI.
For more information about Apache2 SSL configuration, refer to:
The public key certificate must contain the DNS host name of the Reset Password server:
In the CN part of the subject of the certificate.
And/or in a Netscape SSL server name extension.
And/or as a DNS name in a subjectAltName extension.
To avoid users getting a warning message, the public key certificate must be signed by a company Certificate Authority whose certificate is already deployed on the users' workstations.
Set the private key in the %ProgramFiles%\Quest\WebSrv\Apache2\conf\server.key file.
Set the public key certificate in the %ProgramFiles%\Quest\WebSrv\Apache2\conf\server.crt file.
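As an added example (not from the Quest guide), the following PowerShell pre-flight check, run on the SSPR server, confirms that the certificate you are about to install meets the requirements above: the host name appears in the subject CN or as a DNS name in the subjectAltName extension, the chain verifies against the server's trust store, the validity dates are current, and the two ssl.conf directives point at existing files by full path. The host name is a placeholder; the file paths are the ones this section names. The obsolete Netscape server-name extension is not parsed.

```powershell
# Added example, not part of the Quest guide. Run on the SSPR server.
$SsprHost = 'sspr.example.internal'      # placeholder: DNS name users type in their browser
$ConfDir  = Join-Path $env:ProgramFiles 'Quest\WebSrv\Apache2\conf'
$CertFile = Join-Path $ConfDir 'server.crt'
$SslConf  = Join-Path $ConfDir 'ssl.conf'

# 1. Load the PEM certificate (X509Certificate2 reads PEM or DER from a file path)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# 2. Collect every host name the certificate asserts: the subject CN plus the
#    DNS entries of the subjectAltName extension (OID 2.5.29.17)
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
if ($sanExt) {
    # On Windows, Format() renders the extension as "DNS Name=host" entries
    $names += @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value })
}
$hostOk = $names -contains $SsprHost

# 3. Chain and validity. Verify() builds the chain from this machine's trust
#    store, so True here proves the issuing CA is trusted on the server; the
#    same CA certificate still has to be deployed on the users' workstations.
$now     = Get-Date
$chainOk = $cert.Verify()
$dateOk  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

# 4. ssl.conf: both directives must name existing files by full path
$conf   = Get-Content -LiteralPath $SslConf
$confOk = $true
foreach ($directive in 'SSLCertificateFile', 'SSLCertificateKeyFile') {
    # Last uncommented occurrence wins, as in Apache
    $line = $conf | Where-Object { $_ -match "^\s*$directive\s+" } | Select-Object -Last 1
    $path = $null
    if ($line) { $path = ($line -replace "^\s*$directive\s+", '').Trim().Trim('"') }
    $ok = [bool]$path -and [System.IO.Path]::IsPathRooted($path) -and (Test-Path -LiteralPath $path)
    if (-not $ok) { $confOk = $false }
    '{0,-22} {1,-4} {2}' -f $directive, $(if ($ok) { 'OK' } else { 'FAIL' }), $path
}

[pscustomobject]@{
    Host         = $SsprHost
    CertNames    = ($names -join ', ')
    HostMatches  = $hostOk
    ChainTrusted = $chainOk
    DatesValid   = $dateOk
    SslConfPaths = $confOk
    NotAfter     = $cert.NotAfter
} | Format-List
```

Run it before restarting Apache, and again after the swap. HostMatches false means browsers will still warn even with a trusted CA, since the name check is independent of the chain check; a short NotAfter is worth noting in your certificate renewal calendar because the temporary certificate the installer generated is the only thing Apache falls back to.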
Make sure the paths to the above files are properly set in the %ProgramFiles%\Quest\WebSrv\Apache2\conf\ssl.conf file as follows:
The SSLCertificateKeyFile option must contain the full path name of the private key file.
The SSLCertificateFile option must contain the full path name of the public key certificate file.

Enabling the "Unlocking of a User Primary Account" Feature

The unlocking of a user primary account is one of the features provided with the Self-Service Password Reset capability. It is only available through the Self Service Admin web portal. It is intended for users who have locked their primary accounts by typing a wrong password several times in a row.
To unlock accounts, the technical accounts need the Write authorization on the lockoutTime property, on User objects only.
The technical accounts are created upon Quest ESSO installation. For more information, see Quest ESSO Installation Guide.
The following procedure must be performed only if Quest ESSO is used with Active Directory, ADAM or AD LDS directories.
If you are using another supported LDAP directory, the feature is automatically enabled upon Quest ESSO installation. Refer to Self Service Admin Portal User Guide to test it.
From the Active Directory domain controller, launch Active Directory Users and Computers.
The Delegation of Control Wizard starts.
Select the group containing the technical accounts of the Quest ESSO controllers (Active Directory only), or each technical account individually if necessary.
Read the instructions of the wizard to delegate to the selected technical account(s) the following common task: Reset user passwords and force password change at next logon.
Repeat Step 3 to start the Delegation of Control Wizard again.
On the Tasks to Delegate page, select Create a custom task to delegate and click Next.
On the Active Directory Object Type page, click Only the following objects in the folder and select User objects. Click Next.
On the Permissions page, select Property-specific and select Write lockoutTime. Click Next then Finish.
The AdminSDHolder container is protected and may be hidden. To display it, in the View menu of the Active Directory Users and Computers snap-in, click Advanced Features.
Any modification of the AdminSDHolder container takes about one hour to be effective.
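As an added example (not from the Quest guide), the following PowerShell check reads the delegation back from the container where you ran the wizard and confirms that the technical account, or the group holding the technical accounts, holds the two rights the feature needs, scoped to User objects as the two wizard passes above produce them. It assumes the RSAT ActiveDirectory module; the trustee and container names are placeholders. To inspect what protected accounts inherit, set $Container to the distinguished name of the AdminSDHolder container instead.

```powershell
# Added example, not part of the Quest guide. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Trustee   = 'CONTOSO\ESSO-Controllers'     # placeholder: group holding the technical accounts
$Container = 'OU=Users,DC=contoso,DC=com'   # placeholder: container where Delegate Control was run

# Schema and rights GUIDs are identical in every forest
$UserClass   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$ResetPwd    = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$LockoutTime = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # lockoutTime attribute
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Keep only Allow ACEs granted to the trustee that are scoped to User objects;
# that scope is what the wizard's "Only the following objects: User objects" produces
$aces = (Get-Acl -Path "AD:\$Container").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Trustee -and
    $_.InheritedObjectType -eq $UserClass
}

function Test-Ace {
    param($Ace, $Right, [guid]$ObjectType)
    # True when the ACE carries the requested right for exactly this attribute or extended right
    (($Ace.ActiveDirectoryRights -band $Right) -eq $Right) -and ($Ace.ObjectType -eq $ObjectType)
}

$canReset        = [bool]($aces | Where-Object { Test-Ace $_ ($Rights::ExtendedRight) $ResetPwd })
$canWriteLockout = [bool]($aces | Where-Object { Test-Ace $_ ($Rights::WriteProperty) $LockoutTime })

# ACEs beyond the two the feature needs. The "Reset user passwords" common task
# also grants Write on pwdLastSet, so one extra ACE is expected; more than that
# is worth reviewing for least privilege.
$extra = @($aces | Where-Object { $_.ObjectType -notin @($ResetPwd, $LockoutTime) })

[pscustomobject]@{
    Trustee            = $Trustee
    Container          = $Container
    ResetPasswordRight = $canReset
    WriteLockoutTime   = $canWriteLockout
    ExtraUserAces      = $extra.Count
    Ready              = $canReset -and $canWriteLockout
}
```

Because the filter keeps only ACEs inherited by User objects, a delegation that was accidentally applied to "This object and all descendant objects" shows up as Ready false even though the account can in practice reset passwords; that is deliberate, since the broader scope is what you want to catch and redo.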

2.2 Administering the Self Service Password Request Feature

The Self Service Password Request tab of a user allows you to display and manage the "password reset" and "PIN reset" feature information for a user. You can perform the following operations:
In the tree structure of the Directory panel, select the wanted user.
In the Connection tab, click Self Service Password Request.
The Self Service Password Request tab appears.
To reset the password attempt counter of the user to 0, click the Reset button (works only in connected mode).
To generate a challenge, click the Generate Unblocking Code button.
The Unlock code window appears.
Follow the instructions displayed on screen and in User challenge, type the challenge the user gave you (see 2.3.2 Resetting Your Password Upon Session Opening or 2.3.3 Resetting Your PIN).
If a temporary password access (TPA) has been given to the user, the Temporary password access duration field displays the number of days left during which the user will be able to use a password to connect (for more information, see 3.2, "Setting the Duration of a Temporary Password Access"). 
Click the Generate button.

2.3 Using Self Service Password Request (User's Tasks)
