MyPassword Administrator's Guide Enterprise

Upload: noel-castro

Post on 06-Jul-2018


  • 8/17/2019 MyPassword Administrator's Guide Enterprise

    Namescape | myPassword

    Administrator’s Guide


    Table of Contents

    Overview
        Prerequisites

    myPassword Features
        Language Support
        rDirectory Integration
        Password Policy Guardian Integration
        Access Methods
        Security Features
        Cross Browser Support
        Themable User Interface

    Configuring myPassword
        Log on to rDirectory
        The Namescape Designer
        myPassword Administration
        Reports

    Accessing myPassword
        Access Methods
        Entry Pages
        Access Modes and Arguments

    Using myPassword
        Main Page
        Captcha
        Reset my Password
        Unlock my Account
        Change my Password
        Edit my Profile


    Enforcing Enrollment
        On rDirectory access
        On Logon with ProfileValidator.exe

    Appendix A: Customizing myPassword
        Client Customization
        Adding a myPassword link to the Outlook Web Access Logon Page
        Redirecting the IWA failed logon page to the myPassword site
        How to change the language in myPassword


    myPassword Features

    Language Support

    myPassword ships with English, German, Spanish and French language support. To display myPassword in one of these languages, simply change your browser settings to display the desired language. If you require a language that is not included, please see How to Change the Language in myPassword in Appendix A – Customizing myPassword.

    rDirectory Integration

    Although myPassword may be licensed and used without rDirectory, the natural synergy of these two products forms an even more powerful password management solution. Combining rDirectory with myPassword provides the following additional benefits:

    Help Desk Password Management Solution

    With rDirectory integration, you get a complete Help Desk password management solution that allows your help desk staff to quickly locate a user profile and securely verify the user’s identity before resetting their password or unlocking their account. Audit logs and email notices record who reset which account and when, and since delegation is done through rDirectory, the Help Desk staff does not require administrator permissions. In addition, features such as group management can also be easily delegated to the Help Desk.

    Flexible Delegation of Password Management

    The flexible Role Based Access Control (RBAC) model of rDirectory provides many more delegation options than just allowing members of a help desk group to manage everyone’s passwords. For example, you can also grant access to manage passwords and accounts based on relationships, such as a user’s manager.

    Enforced Profile Data Integrity Check

    When coupled only with myPassword, the Profile Validator tool can be configured to require users to fill in their Question and Answer Password Reset Profile upon logon. However, when myPassword is combined with rDirectory, the Profile Validator tool can also require users to fill in or correct virtually any other attribute in their profiles.

    Password Policy Guardian Integration

    When Password Policy Guardian is installed alongside myPassword, users will receive an immediate, detailed explanation why a password does not meet the applicable complexity policies in the event a password change or reset fails.


    Access Methods

    myPassword supports multiple access methods for users who need to reset or change their password.

    Windows Logon Form - GINA-Enabled or GINA-Free

    Users can access myPassword directly from their Windows Logon Form, using either the GINA-Enabled or GINA-Free access methods. The myPassword GINA.dll will modify the user’s Windows Logon Form, providing the user with a convenient, direct link to myPassword, without the need to log on to Windows. However, since using GINA extensions can be problematic in some environments, myPassword also includes a GINA-Free method to access myPassword directly from the Windows Logon Form using a Restricted Access Account.

    The Restricted Access Account method is a best practice recommended by Microsoft, and has significant advantages over the traditional GINA.dll method. With a Restricted Access Account, users can log on using these alternate credentials, yet be securely limited to only the myPassword site. The key advantages of this method are centralized management, simplified access for roaming and mobile users, and because a replacement GINA.dll is no longer required, the possibility of a conflict with other authorization extensions, such as biometrics or network drivers, is eliminated.

    A Windows Logon Prompt utility is provided when using the GINA-free access method, allowing you to add a custom message to the user’s Windows Logon Form, instructing them to log on as the Restricted Access Account when they need to reset their password.

    Outlook Web Access Logon Form

    A link to myPassword can be added directly to the Outlook Web Access Logon form using the Return URL Access Mode. This access method provides remote users with the same access to myPassword as users who log on using the Windows Logon Form. Remote users can edit their Password Reset Profile, unlock their account and change or reset their password.

    Portal or Web Pages

    Since myPassword is web based, it’s easy to integrate into an existing portal or corporate web site. Using the Return URL Access Mode, myPassword can be configured to return users to the originating page upon completion of a password modification or inactivity timeout.

    Mobile Access

    myPassword also includes full support for password management using smartphones or tablets. When the URL is accessed by a phone or tablet browser, myPassword will automatically detect a mobile device and display the customizable web app, rather than the standard desktop site, without further configuration.


    Direct Access Methods

    All of the standard direct access methods, such as kiosk or workstation, are also available. The security features of myPassword also allow you to confidently make myPassword available publicly on the internet.

    Web Front End

    The myPassword Web Front End (WFE) is a simple web client designed to reside on an IIS server located in your DMZ. Coupled to an appropriately configured myPassword Proxy Server located on your internal network, the WFE allows users to change or reset their passwords from the internet, without fear of externally exposing your Active Directory.

    Security Features

    While a self-service password reset product like myPassword can save countless hours of time for end users and help desk staff, it can also be a target for intruders seeking to take unauthorized control of someone’s account. For this reason, myPassword is designed with security in mind and includes the following security features:

    Force Two Factor Authentication with External Email Address

    In addition to profile validation, myPassword can force the use of external email verification before a user is allowed to unlock their account or reset their password.

    To force this form of authentication, three conditions must be met in the myPassword configuration:

    1. Email Verification is enabled.
    2. Deny For Users with No Profile is enabled.
    3. If Profile Exists, Require Answers is selected.

    If these three conditions are met, a user attempting to unlock their account or reset their password must first answer their profile validation questions.

    Once the questions have been answered correctly, an email will be generated and sent to an external email address defined on their user account. The user must click the link in the email, and only then will they be allowed to perform the Unlock or Reset action.

    Intrusion Detection

    myPassword incorporates several means of deterring, detecting, and blocking access to intruders who may attempt to use myPassword to gain illicit access to an account. If excessive failures are detected when answering questions or authenticating an account (used in Profile Edit, Password Change, or Vouching), access to myPassword can be restricted by blocking the intruder's IP address, blocking the compromised account, and/or sending email alerts to immediately notify security personnel of a potential attack.


    Question Presentation

    Questions are presented sequentially for additional security. In other products, all questions are presented on a single page, giving an intruder the opportunity to immediately know the information needed to successfully modify a password. By presenting only a single question at a time, socially engineering answers becomes much more difficult and time consuming.

    Inactivity Timer

    An inactivity timer provides additional security to myPassword by automatically logging the current user out of myPassword and returning them to the main menu if a keystroke or mouse movement is not detected for a predefined period of time. In kiosk mode, the inactivity timer guarantees myPassword is returned to the main menu when left unattended. If myPassword is using the GINA-free access method with a Restricted Access Account, the inactivity timer will log off of the Restricted Access Account and return to the normal Windows logon when the timer expires.

    Audit Logging / Email Notification

    myPassword records the ‘who, what, when, and where’ of all myPassword related activity and can be configured to store this valuable data in both the server event logs and the myPassword reporting database.

    myPassword can also be configured to send email notifications to the modified account, their manager, or an administrator for additional security. A special email notification is generated when a potential intrusion is detected and can be sent to an administrator or security personnel.

    Password Reset Profile Rules

    With myPassword, you can create rule sets to apply unique Password Profile Policies to determine the questions and requirements for creating a Password Reset Profile. This allows a more stringent Password Reset Profile requirement for sensitive accounts, while allowing simpler Password Reset Profiles for those with lower security requirements.

    Password Generator

    An optional Password Generator can be used to automatically create new passwords. By default, the password generation feature uses a customizable dictionary of case-sensitive words that are appended with numbers (and additional words and numbers as necessary) until the minimum password length is obtained. In addition, myPassword can generate a series of random characters for use as a temporary password.

    When used with the Force Password Change on next Logon setting enabled, the generated password becomes a one-time-use password that can be as complex as required.

    When integrated with Namescape’s Password Policy Guardian, the password generator will automatically create a password that is compliant with any applicable password policies.


    Voucher Rules

    Vouching is an optional feature that allows someone who has not completed their Password Reset Profile, or has forgotten their answers, to get another authorized user to vouch for them, allowing their password to be reset. With myPassword, you can set up rules where different users may be allowed different vouchers, and receive different messages to indicate who can vouch for them. Since vouching rules leverage customizable relationship based roles, a voucher may also be based on relationships defined in the directory, such as Manager or any other custom relationship.

    Cross Browser Support

    myPassword supports the following browsers to reset or change passwords, create Password Reset Profiles, or unlock accounts:

    • Microsoft Internet Explorer 7.0 or later
    • Safari 5.0.3 or later
    • Mozilla Firefox 3.6.3 or later
    • Chrome 8.0 or later
    • Opera 10.62 or later

    To configure myPassword, the Namescape Designer supports Microsoft Internet Explorer 7.0 or later.

    Themable User Interface

    myPassword includes a number of preinstalled themes that allow an administrator to change the element colors in the client with a few clicks. In addition, myPassword also supports custom logos, text and languages.


    Configuring myPassword

    The configuration and administration of myPassword is accomplished using the Namescape Designer, included with the rDirectory and myPassword installation. To configure myPassword, log on to the rDirectory web site with an account that has been granted the Namescape Designer role.

    Log on to rDirectory

    If Forms Authentication is configured for the rDirectory web site using the Site Manager, you will see the above logon screen when the site is accessed. If Windows Authentication is configured for the rDirectory web site, you will not see the logon screen and will be automatically authenticated.

    In either case, you are required to log on with an account that has been granted the Designer role in the site manager.

    NOTE: If rDirectory is not licensed, you will be immediately redirected to the Namescape Designer after authentication and presented with a partial Designer view containing only the tree nodes appropriate for myPassword.


    The Namescape Designer

    The type of applied license determines what is displayed when you access rDirectory. If rDirectory is licensed, and you are authorized to access the Namescape Designer, you will see the rDirectory web site with a toolbar containing an Open Designer button in the upper right:

    Click the Open Designer button to access the Namescape Designer.


    If you have questions or difficulty using features in the Namescape Designer, select Designer Help on the Designer Home Page to access the context sensitive help.

    myPassword Administration

    In the Namescape Designer tree menu, expand the Settings node and select myPassword. You will be presented with a summarized settings view for the current installation of myPassword.

    myPassword settings may be configured by selecting one of the following subordinate nodes:

    General

    In the tree navigation menu, click General to change the proxy settings, limit access to myPassword with roles, and to enable the password strength meter.


    Site

    Proxy Account

    A Proxy Account is required for all Password Reset and Profile Edit operations and is configured using the Site Manager.

    The account specified must have permissions to reset passwords for all users who may be using the Password Reset feature. If Profile Editing is enabled, this account must also have permissions to edit the Password Reset Profile Attribute for all users who may be using the Profile Editing feature.

    Limit Access to myPassword with Roles

    If Limit Access to myPassword with Roles is checked, and the roles are set, only users who satisfy the roles specified will be allowed to use features on the myPassword site.

    Enable Password Strength Meter

    If Enable Password Strength Meter is checked, the relative strength of the password will dynamically update in the strength meter as characters are entered. The strength of a password is based on Microsoft's password complexity requirement.

    Enable Inactivity Timeout

    If checked, this setting allows you to specify the time (in seconds) before myPassword will time out due to user inactivity. Upon timeout, the user will be returned to the main menu.


    Appearance

    Theme

    myPassword includes a set of color themes that can be used to alter the appearance of the myPassword client. Changing a theme does not affect customized graphics, text or styles. If you desire a color theme not included with the product, please contact Namescape support for assistance.

    Use Classic Dialogue Style

    When enabled, all dialogue boxes will be displayed with the style of previous versions of myPassword. This includes thinner borders and non-rounded boxes.

    Features

    The Features node allows you to control the feature settings for the main myPassword page.

    Reset Password

    Password Generation

    The Password Generation setting determines if automatic password generation is allowed, required (Always) or not available (Never) for Password Reset operations. For more information see Password Generator.


    Use password dictionary for password generation

    If checked, this setting will generate passwords based on the words, numbers or characters specified in the password dictionary.

    Force Password Change on Next Logon

    If checked, this setting requires the users who have reset their password to change their password upon next logon.

    NOTE: If password history is enforced, this feature is recommended. The password reset function of Active Directory does not enforce password history, so clever users could potentially use myPassword to re-use old passwords if this feature is not enabled. Active Directory only enforces password history on the password change function, so when they are forced to change their password on next logon, their history will re-enforce.

    Enforce Password History on Reset

    If checked, this setting enforces password history on a reset and prevents the user from changing their password back to a previously used password. We recommend modifying your Domain Security Policy to increase the number of passwords remembered (at least 2x default value) and set the minimum age to one day.

    NOTE: If you set the minimum password age in your Domain Password Policy, and a user forgets their password within the minimum age, they will not be able to use myPassword to reset their password.


    Unlock Account

    Enable Account Unlock

    If the Enable Account Unlock setting is checked, the Unlock my Account feature will be available on the main myPassword page.

    Account Unlock Roles

    If any Account Unlock Roles are set, only users who satisfy these roles will be allowed to use this feature.


    Change Password

    Enable Password Change

    If checked, this setting enables the Password Change feature for all users who satisfy any roles set under Password Change Roles. If Password Change Roles are not set, all users may use the Password Change function.

    Password Change Roles

    The Password Change Roles setting indicates if any roles are set for the Password Change feature. If roles are not set, all users may use the Password Change feature when it is enabled.

    Password Generation

    The Password Generation setting determines if Password Generation is allowed, required (Always) or not available (Never) for Password Change operations. For more information see Password Generator.

    Use password dictionary for password generation

    If checked, this setting will generate passwords based on the words, numbers or characters specified in the password dictionary.


    Profile Edit

    Enable Password Profile Edit

    If selected, and at least one Profile Policy Rule is set, users will be allowed to create and edit a Password Profile containing their questions and answers.

    Profile Policy Rules

    The Profile Policy Rules button indicates if any Password Profile Rules are set and when selected, launches the Password Profile Rules Editor. If Enable Password Profile Edit is checked, at least one Password Profile Rule must be set.

    Require New Profile if older than X months

    Enabling this setting will cause myPassword to prompt users for updated profile questions every X months. By default, this setting is disabled.


    Vouching

    Enable Vouching for Users

    If vouching is enabled, and at least one Voucher Rule is set, users will be allowed to have someone vouch for them, rather than being required to answer the questions in their Password Reset Profile. Users who have the option of someone vouching for them are limited with the following settings:

        Without Profile

        Only users who do not have a Password Reset Profile are allowed to have someone vouch for them.

        With Profile

        Only users who have a Password Reset Profile are allowed to have someone vouch for them (i.e. in case they can't remember their answers).

        Both

        All users, regardless of whether they have a Password Reset Profile, are allowed to have someone vouch for them.

    Voucher Rules

    The Voucher Rules button indicates if any Voucher Rules are set, and when selected, launches the Voucher Rules Editor. If vouching is enabled, at least one Voucher Rule must be set.


    Intrusion Detection

    Access to myPassword by an IP address or compromised account can be blocked for excessive failed answers and/or excessive failed authentications. myPassword may also be configured to require a CAPTCHA entry to prevent automated intrusion attempts.

    Examples of a failed authentication include a bad logon name or password for any logon screen, a failed password change, a failed password reset profile edit or an invalid voucher logon.

    Both the Failed Authentication and the Failed Answers tabs contain the following settings:

    Block After X Authentication Failures within X Minutes

    If enabled, the IP address or compromised account will be blocked if the specified number of authentication failures or failed answers occurs within the time frame specified. This event can initiate an email notice, block access from the IP address for a specified time, or block access to the compromised account for the specified time.

    Block IP Address for X minutes

    If enabled, the originating IP address is blocked for the specified time period if an authentication failure or failed answer occurs.

    Block Account for X minutes

    If enabled, the compromised account is blocked from being accessed via myPassword for the specified time period if an authentication failure or failed answer occurs.
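The three blocking settings above behave like a sliding-window failure counter. The Python example below is an added illustration, not Namescape's code: the class, field and function names are hypothetical, and counting failures separately per source IP and per target account is an assumption about how the threshold is applied. The sample addresses and account names are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockPolicy:
    max_failures: int            # "Block After X ... Failures"
    window_minutes: int          # "... within X Minutes"
    block_ip_minutes: int        # "Block IP Address for X minutes"; 0 = not enabled
    block_account_minutes: int   # "Block Account for X minutes"; 0 = not enabled


class FailureMonitor:
    """Sliding-window failure counter keyed by source IP and by target account."""

    def __init__(self, policy, notify=None):
        self.policy = policy
        self.notify = notify or (lambda event: None)  # stand-in for the email alert
        self._failures = defaultdict(deque)   # (kind, value) -> failure timestamps
        self._blocked_until = {}              # (kind, value) -> unblock time (s)

    @staticmethod
    def _keys(ip, account):
        # Account names are case-insensitive in Active Directory, so normalise.
        return ("ip", ip), ("account", account.lower())

    def is_blocked(self, ip, account, now):
        """Call before accepting credentials or answers; True means refuse."""
        return any(self._blocked_until.get(k, 0) > now
                   for k in self._keys(ip, account))

    def record_failure(self, ip, account, now):
        """Record one failed authentication or failed answer at `now` (seconds).

        Returns the keys newly blocked by this failure.
        """
        window = self.policy.window_minutes * 60
        durations = {"ip": self.policy.block_ip_minutes,
                     "account": self.policy.block_account_minutes}
        newly_blocked = []
        for key in self._keys(ip, account):
            stamps = self._failures[key]
            stamps.append(now)
            # Drop failures that have aged out of the window.
            while stamps and stamps[0] <= now - window:
                stamps.popleft()
            if len(stamps) >= self.policy.max_failures:
                stamps.clear()  # start counting afresh once the threshold trips
                minutes = durations[key[0]]
                if minutes > 0:
                    self._blocked_until[key] = now + minutes * 60
                    newly_blocked.append(key)
                # The alert fires even when no block duration is configured.
                self.notify({"key": key, "time": now, "blocked_minutes": minutes})
        return newly_blocked


def demo():
    """Constructed scenario: one IP fails against three different accounts."""
    alerts = []
    mon = FailureMonitor(BlockPolicy(3, 5, 30, 15), notify=alerts.append)
    mon.record_failure("203.0.113.7", "alice", now=0)
    mon.record_failure("203.0.113.7", "bob", now=60)
    blocked = mon.record_failure("203.0.113.7", "carol", now=120)
    return mon, blocked, alerts


if __name__ == "__main__":
    monitor, blocked, alerts = demo()
    print(blocked, alerts)
```

Keying on both the IP and the account matters: failures spread across many accounts from one address trip the IP counter, while failures against one account from many addresses trip the account counter.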


    Captcha

    Captcha may be required in order to validate a user as a person, and is designed to prevent automated attacks.

    Use Captcha before authentication

    If enabled, a user will be presented with a captcha page prior to being allowed to enter their credentials. A number of options are available when configuring the captcha page:

        Use dictionary to generate captchas

        When enabled, the customizable myPassword word dictionary will be used to generate captchas. If this setting is not enabled, any captchas presented will be a random combination of letters and numbers.

        Block After

        An IP address may be blocked from accessing myPassword after a user incorrectly enters a defined number of captchas within a given time period.

        Block IP address for X minutes

        The IP address of the potential intruder will be blocked for a defined period of time.


    Email Support

    Email Support allows you to configure email messaging for myPassword.

    Email Notification

    User

    If checked, an email notice is sent to the email address of the user for all password resets, password changes and Password Reset Profile modifications made to their account.

    Manager

    If checked, an email notice is sent to the user's manager for all password resets, password changes and Password Reset Profile modifications made against the user's account, provided the account being accessed has a manager, and the manager has an email address.

    Normal Operations

    If checked, an email notice is sent to the email address specified for all password resets, password changes and Password Reset Profile modifications made via myPassword.

    Vouching Operations

    If checked, an email notice is sent to the email address specified whenever the vouching feature is used to authorize a password reset.

    Intrusion Detection

    If checked, an email notice is sent to the email address specified whenever an intrusion detection event occurs. An intrusion detection event is triggered by a failed answer, failed authentication or failed captcha entries.


    Email Verification

    Email Verification allows mail-enabled users with an external email address to be sent a time sensitive email. The email includes a link that, when clicked, returns the user to the final page in the password reset process where they can set their new password.

    This feature is intended for mail-enabled users with external email accounts only. This feature should not be used with mailbox-enabled accounts where the user is required to log on to Active Directory in order to access their mailbox.

    NOTE: In Exchange terminology, a mailbox-enabled user is someone who has an Exchange mailbox, whereas a mail-enabled user or contact has an email address that points to an external mail system or domain. A mail-enabled user or contact can show up in the Global Address List, and you can send email to them which will be directed to their external email address. When you mail-enable a user or contact using the Exchange tools, or using rDirectory and the Provisioning Agent for Exchange, the external email address is populated in both the normal ‘mail’ attribute, as well as the ‘ExternalTargetAddress’ attribute.


    Enable Email Verification for Users

    This setting enables email verification for the password reset, password change and account unlock operations.

    For Users with an External E-mail Address

    If selected, all users with a value in their targetAddress attribute automatically use Email Verification. The targetAddress attribute is automatically filled in when you use Exchange tools, or rDirectory and the Provisioning Agent for Exchange, to mail-enable an account. See Ext_MailFieldModule under Field Module Settings in the Namescape Designer Help for more details.

    For Users that Match Roles

    If selected, only a user assigned one of the approved roles may use Email Verification.

    Deny for Users

    If checked, Email Verification is not available for users matching the condition specified. If With a Profile is selected, users with a Password Reset Profile do not have Email Verification available. If With no Profile is selected, users without a Password Reset Profile do not have Email Verification available.

    If Profile Exists

    If a user has a completed Password Profile, this setting determines the following behaviors:

    Require Answers

    This setting requires users with a Password Reset Profile to successfully answer their challenge/response questions before they are sent an email link. They need to click on the link sent to them to complete the operation.

    Always Skip

    This setting always skips the process of requiring users to answer their challenge/response questions, and sends them an email link to verify their identity.

    Allow Skip

    This setting allows users with a Password Reset Profile the option of either answering their challenge/response questions, or using the email link feature for identification.


    Link Timeout

    This value determines how long a user has to respond to the link sent in a verification email. If a user clicks on the link after this time period expires, they will receive a message saying the link is no longer valid.

    NOTE: For security reasons, the link sent to a user simply contains a GUID. This GUID is used to store and retrieve information about each specific Email Verification session in the application cache. This information is removed from the cache after this amount of time. Should the server reboot, or the application pool of the myPassword website be recycled, the information is lost for all past email verification links sent.
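The behaviour in the NOTE above can be modelled in a few lines. This is an added example, not Namescape's code: the class, the `id` query parameter, the `verify` path and the host are assumptions chosen for illustration. It shows a link that carries only a GUID, a lookup that fails once the Link Timeout has passed, and the loss of every outstanding link when the in-memory cache is rebuilt.

```javascript
const { randomUUID } = require('crypto');

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Accepts either a full link or a bare GUID; returns the GUID or null.
function extractGuid(linkOrGuid) {
  if (typeof linkOrGuid !== 'string') return null;
  let candidate = linkOrGuid;
  if (linkOrGuid.includes('://')) {
    try { candidate = new URL(linkOrGuid).searchParams.get('id') || ''; }
    catch { return null; }
  }
  return GUID_RE.test(candidate) ? candidate.toLowerCase() : null;
}

// Model of the Email Verification session cache (names are assumptions).
class VerificationLinkCache {
  // timeoutMs plays the role of the Link Timeout setting.
  // now is injectable so expiry can be shown without waiting.
  constructor(timeoutMs, now = () => Date.now()) {
    if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {
      throw new RangeError('timeoutMs must be a positive number');
    }
    this.timeoutMs = timeoutMs;
    this.now = now;
    this.sessions = new Map(); // GUID -> { session, expiresAt }, memory only
  }

  // Keep the session server-side; the link carries nothing but the GUID.
  issue(baseUrl, session) {
    this.purgeExpired();
    const guid = randomUUID();
    this.sessions.set(guid, {
      session: { ...session },
      expiresAt: this.now() + this.timeoutMs,
    });
    const link = new URL(baseUrl);
    link.searchParams.set('id', guid); // hypothetical parameter name
    return { guid, link: link.toString() };
  }

  // Returns the stored session, or null when the GUID is malformed,
  // unknown (never issued, or lost with the cache) or past its timeout.
  lookup(linkOrGuid) {
    const guid = extractGuid(linkOrGuid);
    if (guid === null) return null;
    const entry = this.sessions.get(guid);
    if (!entry) return null;
    if (this.now() >= entry.expiresAt) {
      this.sessions.delete(guid);
      return null;
    }
    return entry.session;
  }

  purgeExpired() {
    let removed = 0;
    for (const [guid, entry] of this.sessions) {
      if (this.now() >= entry.expiresAt) { this.sessions.delete(guid); removed++; }
    }
    return removed;
  }
}

// Constructed walk-through: 15 minute timeout, fake clock, constructed host.
function demo() {
  const base = 'https://pwreset.example.test/myPassword/verify';
  const timeout = 15 * 60 * 1000;
  let clock = 0;
  const cache = new VerificationLinkCache(timeout, () => clock);
  const { link } = cache.issue(base, { account: 'jdoe', operation: 'PasswordReset' });
  const inTime = cache.lookup(link);
  clock = timeout;                       // Link Timeout reached
  const afterTimeout = cache.lookup(link);
  const fresh = cache.issue(base, { account: 'jdoe', operation: 'AccountUnlock' });
  // A reboot or application pool recycle starts with an empty cache.
  const recycled = new VerificationLinkCache(timeout, () => clock);
  return {
    link,
    inTime,
    afterTimeout,
    afterRecycle: recycled.lookup(fresh.link),
    sameLinkBeforeRecycle: cache.lookup(fresh.link),
  };
}
```

Because the session lives only in process memory, users whose links were sent before a planned restart will need a new verification email afterwards.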

     


    Reports

    The Reports node allows you to search for activity in myPassword and rDirectory, view activity summaries, and generate and export activity reports in various formats. To view activity specific to myPassword, click to expand the Reports node and select myPassword. You will be presented with the myPassword Activity Summary view.

    In this view, you have the ability to display all activity in myPassword for a given time period. To change the time period displayed, simply move the slider to the left or right. The graph, summary, and detail views will update automatically.

    In addition to the summary view, there are a number of included reports that can be generated by myPassword, ensuring a simple and effective way to audit password events in your environment.


    Activity Search

    The Activity Search view provides a filterable display containing detailed myPassword activity information in your environment. It allows you to filter down the list of actions by Action Type, Account Name, DN (Distinguished Name), IP address, User Agent, Interface type and Start\End Date and generate a report based on those results that can be exported to various formats, including Excel, PDF and Word.

    The data shown in the myPassword Activity Search window can be displayed however you desire. Columns may be moved, sorted, added and hidden to fit your needs.

    Options include:

    Sort Ascending or Descending

    Click the column header to sort the list of activity by ascending or descending order within that column. Click once for ascending order and again for descending order, or select Sort Ascending or Sort Descending from the drop down list of options.

    Drop Down List of Options

    Click the down arrow that displays next to each column header when selected to see a list of available options, including Sort Ascending, Sort Descending and Columns.


    Columns

    Select the Columns option from the drop down list to show or hide specific columns in the display window.

    Page

    Use the arrow keys at the bottom of the screen to advance the report results by page.

    Refresh

    Click the Refresh icon at either the top or bottom of the screen to update the filtered results and redisplay the entire list in descending date order.

    Report

    Selecting the Report button will generate an exportable report based on your filtered activity search results. This report can then be exported in Excel, PDF or Word formats.

    Filtering Results

    Each column in the Activity Search represents a different filter used to narrow down the activity data search results.

    Action Type

    Click the drop down to display all action types available. Place a check in the box next to the action or actions you wish to include in the filtered results.

    Account Name

    This column allows you to filter activity data based on the account that performed the action. To apply an account name search filter, simply begin typing in the name of the account, and if myPassword finds a partial match, the activity results will dynamically update based on the characters as they are typed in.

    DN (Distinguished Name)

    This column filters activity data based on the DN (Distinguished Name) of the account that performed an action. Be aware that certain activity will only display the Naming Context, and not the full DN, of the account that performed the action. To select an account DN, click the magnifying glass to the right of the field to open the object selector dialogue box. Locate and click on the desired account, and click Select to filter the activity results.

    IP Address

    This column allows you to filter activity data based on the originating IP address.

    User Agent

    This column will display information about the browser used to perform the password action.


    Interface

    This column will display the originating type of device used to perform the password action. Possible values include Desktop, Mobile or Tablet.

    Start and End Date

    Click the calendar icon in the Date entry box to display the Calendar object. Select a date from this calendar to display all activities for a defined start and end date. The filter defaults to the last 30 days of activity.

    Activity Report

    The Activity Report view displays a static filtered list of myPassword activities in descending date order. The report includes the applied filter(s) and an activity summary, followed by a detailed breakdown of user activity.

    Action Type

    Click the drop down to display all action types available. Place a check in the box next to the action or actions you wish to include in the filtered results.


    Activity Summary Report

    The Activity Summary Report view shows a static summary, with corresponding pie graph, of all myPassword activity for a defined time period.

    Settings Change Report

    The Settings Change Report displays any settings that have been modified within myPassword for a defined time period, listing the original value and the new value for each setting. The first page of the report displays a summary and follows with a breakdown of changes.


    Start and End Date

    Click the calendar icon in the Date entry box to display the Calendar object. Select a date from this calendar to display all activities for a defined start and end date. The filter defaults to the last 30 days of activity.

    Report Options

    Once the report has been generated, you can navigate through the pages of the report by using the arrow keys. You may also expand or shrink the report display size by using the zoom drop down.

    To export the generated report, select the desired format from the drop down list. Currently available formats are Excel, PDF and Word.

    DB Maintenance

    The DB (database) Maintenance screen displays SQL database information and status, and allows you to purge user activity from the SQL database.


    Click Purge Records to mark any records prior to the defined date as inactive. You will be prompted to confirm the records will be purged.

    Click Yes – Purge Records to mark all selected records as inactive.


    Accessing myPassword

    Access Methods

    Several access methods are available with myPassword, including Normal/Kiosk, Mobile Web App, Web Front End, ReturnURL and AutoClose. Any of these access methods may be set with additional URL arguments and directly linked entry pages. The behavior and button text of myPassword will vary depending on the method in use, and which entry page the user first accesses.

    From the Windows Logon Form

    myPassword provides both GINA-enabled and GINA-free methods of allowing users to access myPassword directly from their Windows Logon Form.

    NOTE: A GINA (Graphical Identification and Authentication) is a DLL that is pushed out to each workstation and modifies the user’s logon form, providing a prompt and a direct access link to myPassword. The management of the GINA method is not considered to be a best practice by Microsoft. However, it is preferred in certain environments, so we provide both GINA-enabled and GINA-free methods. Both methods are compatible with the Profile Validator tool.

    GINA-free access

    The GINA-free access method combines a Restricted Access Account with a Windows Logon Form prompt message.

    A Restricted Access Account is a well-known account that anyone can use to log on, but which has very limited access. Using this method, a user logging in with a Restricted Access Account is taken directly to the myPassword site, without being granted additional access to any local files or resources on the PC or other websites.

    To complement the Restricted Access Account method, Namescape also provides a means to include a custom message prompt at the top of each user’s logon screen, reminding them to use the Restricted Access Account should they forget their password.

    The GINA-free access method provides a number of advantages over the GINA method, including centralized management and eliminating potential conflicts that a GINA.DLL may create.

    For more details, see:

    Installation– myPasswordRestrictedAccessAccount.pdf

    Installation– myPasswordWinLogonPrompt.pdf


    GINA-enabled access

    The myPassword GINA will modify the logon screen using a custom GINA.dll installed on every workstation, and will prominently place a customizable message and link to the myPassword website.

    For more details, see:

    Installation– myPasswordGINA.pdf

    Outlook Web Access Logon Page

    A link to myPassword can be added to the Outlook Web Access (OWA) Logon page, granting remote users access to myPassword. Using this method, the ReturnURL is configured to return the user to the Outlook Web Access Logon page upon completion of a password modification or inactivity timeout in myPassword.

    For more details, see Appendix A – Adding a myPassword Link to the Outlook Web Access Logon Page.

    Company portal or web page

    A direct link to myPassword can be added to a company portal or web page, granting remote users access to myPassword. Using this method, the ReturnURL is configured to return the user to the originating portal or web page upon completion of a password modification or inactivity timeout in myPassword.

    Web Front End\Public internet access

    The strong security features of myPassword make it suitable for public availability. When using the externally facing Web Front End, a simple client is installed on an IIS server located in your DMZ. This client is then configured to securely communicate with an instance of the myPassword Proxy Server service that is deployed on an internal installation of myPassword. This architecture allows for secure password modifications, without the fear of externally exposing your Active Directory. The Normal/Kiosk Access Method is used when myPassword is publicly accessible, and the user is returned to the entry page upon completion of a password modification or inactivity timeout.

    Dedicated kiosk

    A dedicated, centrally located workstation, or Kiosk, with access to myPassword is a solution many companies find desirable. In this scenario, the Normal/Kiosk Access Method is used, and the user is returned to the entry page upon completion of a password modification or inactivity timeout.


    Shared console

    A user may simply go to a co-worker or manager’s workstation to access myPassword, which may be preferred if the Voucher feature is enabled.

    Mobile access

    myPassword also includes a web app display mode, allowing users on smartphones or tablets to perform any of the standard myPassword operations in a smaller, mobile device friendly format. The web app is created alongside the normal myPassword site during installation and does not require additional configuration. When a user accesses the myPassword site with a smartphone or tablet device, the device type will be automatically detected and the user will be shown the appropriate view. Because this is a web app, and not a native mobile app, no further installation or configuration on the mobile device is required.


    Entry Pages

    There are five possible entry pages for myPassword. The main menu page is the default Entry Page when the base URL for myPassword is used. For example:

    ///myPassword

    The remaining four possible entry pages each represent one of the primary features found on the main menu page.

    Main Menu Page

    If the Change Password, Password Reset, Unlock Account, and Password Profile Edit features are all enabled, users accessing the main page of myPassword will see the choices shown below.


    Selecting Change my Password, Reset my Password, Unlock my Account, or Edit my Profile directs the user, respectively, to the pages below:

    ///myPassword/PasswordChange.aspx

    ///myPassword/PasswordReset.aspx

    ///myPassword/AccountUnlock.aspx

    ///myPassword/EditProfile.aspx

    If enabled, each of these pages can also be accessed directly. When accessed directly, these pages are considered the Entry Page for that user, rather than the main page.

    Access Modes and Arguments

    There are three Access Modes that modify the behavior of myPassword on completion of a password modification or inactivity timeout. Each mode will have unique text displayed on the Timeout/Return button, as described by the table below:

    | Access Mode  | Action on Completion or Timeout | Timeout/Return Button Text  |
    |--------------|---------------------------------|-----------------------------|
    | Normal/Kiosk | Return to Entry Page            | Return to Now               |
    | ReturnURL    | Returns to URL specified        | Return to Now               |
    | AutoClose    | Close Browser                   | Return to Windows Logon Now |

    In all modes, the Cancel button returns the user to their respective entry page.

    Normal/Kiosk

    Normal or Kiosk is the default access mode used when additional URL arguments are not passed into the Entry Page.

    In this access mode, the user always returns to their respective entry page when the Timeout/Return button is clicked, an action is completed, or an inactivity timeout occurs. The Timeout/Return button text appears as one of the following depending on the entry page for that user:

    Return to the Main Menu

    Return to the Password Reset Page

    Return to the Change Password Page

    Return to the Unlock Account Page

    Return to the Profile Edit Page


    ReturnURL

    The ReturnURL Access Mode is enabled by passing in a ‘ReturnURL’ argument that specifies a URL to return to when an action is completed or an inactivity timeout occurs. This mode is intended for use when myPassword is launched from another web page, such as the Outlook Web Access (OWA) Logon Page or a company portal. An optional argument ‘ReturnPageName’ may also be added to customize the text on the Timeout/Return button.

    For example, the URL specified might be:

    OWA Return

    ///myPassword?ReturnURL=https://mail.acme.com/exchange&ReturnPageName=OWALogon

    Company Portal Return

    ///myPassword?ReturnURL=http://portal.acme.com&ReturnPageName=ACMEPortal

    In this Access Mode, the user will always return to the URL specified by the ReturnURL argument when the action is completed or an inactivity timeout occurs.

    The Timeout/Return button text displays ‘Return to Now’, where is either the value specified by the ‘ReturnPageName’ argument, or ‘HomePage’ if the ‘ReturnPageName’ argument is not specified.

    NOTE: The ReturnPageName should be short (
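When you publish ReturnURL links on OWA or a portal, two things are worth checking: that the nested return URL is percent-encoded, so its own `?` and `&` are not parsed as myPassword arguments, and that it points at a host you expect. The helper below is an added example, not part of the product; the function names, the approved-host list and the `pwreset.example.test` host are assumptions, and it covers only the Normal/Kiosk and ReturnURL modes described above.

```javascript
// Entry pages named in this guide; '' is the main menu (bare base URL).
const ENTRY_PAGES = ['', 'PasswordChange.aspx', 'PasswordReset.aspx',
  'AccountUnlock.aspx', 'EditProfile.aspx'];

// Build an entry link with correctly encoded ReturnURL / ReturnPageName.
function buildEntryLink(base, page = '', { returnUrl, returnPageName } = {}) {
  if (!ENTRY_PAGES.includes(page)) throw new Error(`unknown entry page: ${page}`);
  const link = new URL(base.replace(/\/+$/, '') + (page ? '/' + page : ''));
  if (returnUrl !== undefined) {
    // searchParams percent-encodes the nested URL, so a "?" or "&" inside
    // returnUrl stays part of ReturnURL instead of starting a new argument.
    link.searchParams.set('ReturnURL', new URL(returnUrl).toString());
    if (returnPageName) link.searchParams.set('ReturnPageName', returnPageName);
  }
  return link.toString();
}

// Review a link before publishing it: report the access mode it selects
// and anything about the return target that needs a second look.
function reviewEntryLink(link, approvedReturnHosts) {
  const url = new URL(link);
  const findings = [];
  const returnValues = url.searchParams.getAll('ReturnURL');
  if (returnValues.length === 0) {
    return { mode: 'Normal/Kiosk', returnUrl: null, returnPageName: null, findings };
  }
  if (returnValues.length > 1) findings.push('ReturnURL is given more than once');

  let target = null;
  try { target = new URL(returnValues[0]); }
  catch { findings.push('ReturnURL is not an absolute URL'); }
  if (target && !approvedReturnHosts.includes(target.hostname)) {
    findings.push(`return host ${target.hostname} is not on the approved list`);
  }

  // Any other argument next to ReturnURL is usually a piece of an unencoded
  // return URL that was split off at its "&".
  const documented = new Set(['ReturnURL', 'ReturnPageName']);
  for (const key of new Set(url.searchParams.keys())) {
    if (!documented.has(key)) {
      findings.push(`argument "${key}" is not ReturnURL or ReturnPageName; ` +
        'check whether ReturnURL was left unencoded');
    }
  }
  return {
    mode: 'ReturnURL',
    returnUrl: target ? target.toString() : returnValues[0],
    returnPageName: url.searchParams.get('ReturnPageName'),
    findings,
  };
}
```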


    Using myPassword

    To access the myPassword site once it is configured, enter the URL for myPassword into a browser. For example, if myPassword is installed as a virtual directory under the default website on a server, then the URL to access myPassword would be as follows:

    http:///myPassword

    The same URL is used for both Normal/Kiosk and Mobile views. The myPassword site will automatically display the appropriate view based on the detected device type.

    NOTE: The following screenshots are taken in the Normal/Kiosk and Mobile Access modes using the Main Menu as the Entry Page.

    Main Page

    If the Change Password, Password Reset, Unlock Account, and Password Profile Edit features are all enabled, then users accessing the main page of myPassword will see the choices shown below.


    Captcha

    If enabled, a user will be presented with a Captcha page prior to entering any personal information. On this page, a captcha will be generated that the user must correctly type into the box before they are allowed to proceed. If the user is unable to read the displayed captcha, they may click on the picture, and a new one will be generated.

    NOTE: Captcha support is only available when using the desktop or web front end clients.


    Reset my Password

    When a user selects Reset my Password, or otherwise lands on the Password Reset page, they are presented with the logon page shown below. On this page, users are asked to enter their Windows account name.

    Denied Access Pages

    After entering their logon name, users are denied access to myPassword if either of the following conditions exists:

    1) The user is not allowed access by the myPassword Access Roles, or

    2) The user has not filled in their Password Reset Profile in rDirectory and the Allow Reset without Profile if Vouched For option is not checked.

    If the user is denied access based on myPassword Access Roles, they will be presented with an access denied dialogue and will not be allowed to proceed.


    If the user has not filled in their Password Reset Profile, and the Vouching option is not enabled for users that have no profile, the error message below is shown:

    Voucher Pages

    After providing their logon name, a voucher is required if either of the following two conditions exist:

    1) The user does not have a Password Reset Profile, and a voucher is allowed as an alternate means of validating the user’s identity.

    2) The user has a Password Reset Profile, and a voucher is required as an additional means of validating the user’s identity.


    If the user has no Password Reset Profile, and a voucher is required, the user will see the screen below:

    The message field (‘You are vouching for: username’) can be modified by editing the assigned header file associated with a voucher rule. For example, if you had a rule that required a user’s manager to vouch for them, that rule might also specify a header message such as ‘A Manager must vouch for you before your password can be reset’.

    Each voucher rule may also specify the roles of those who are allowed to vouch for a given user. If the voucher is not authorized for the given user, the following screen appears:


    Reset Password Page

    After all Password Reset Profile questions have been answered correctly and/or the user has been successfully vouched for, the user will be allowed to reset their password. The user can be given the option to either manually enter a new password, or generate a password automatically. Additional configuration options may allow only a generated password and/or force the user to change their password at next logon.

    As a password is entered, the password strength meter will display Weak, Average, Strong or Excellent, depending on the complexity of the password. If you would like to automatically create a random password instead of manually entering one, select the Generate option. Each time the Generate button is clicked, a new password will be generated.

    Once an appropriate password has been entered, click the Submit button to accept the new password.


    Unlock my Account

    When a user selects Unlock my Account, or otherwise lands on the Account Unlock page, they are presented with the same set of pages that appear when they select the Reset my Password option. These pages include Logon, Vouch (if applicable), or a Question/Answer profile (if applicable). However, once a user is authenticated, they will be shown the following Account Unlock page rather than the Reset Password Page.

    For security reasons, the locked status will not be presented until the account has been authenticated, either by answering the associated profile questions or by being vouched for by an authorized user.


    Change my Password

    When a user selects Change my Password or otherwise lands on the Password Change page, they are first presented with the Logon page. On this page, users enter their Windows credentials in order to change their existing password.

    Because the user must provide valid credentials to change their password, vouching is not available on this page. Configured myPassword Access Roles, however, will still apply and accounts not authorized to use myPassword will be presented the Denied Access message.

    Mandatory Profile Completion on Password Change

    If a user has not filled out a Password Reset Profile, they will be forced to do so before proceeding to the Change Password page. This improved flow guarantees a profile is created for users who do not have access to a computer where the profile validator is installed, and simplifies the onboarding process when filling out a password profile is desired.


    Edit my Profile

    When a user selects Edit my Profile or otherwise lands on the Edit Profile page, they are first presented with the Logon page. On this page, users are required to enter their Windows credentials in order to edit their password profile.

    Once authenticated, the user will be presented with a list of questions, as required by the assigned Password Profile Policy. A single, global Password Profile Policy may be configured for all users, or multiple Password Profile Policy Rules may be created in the Namescape Designer and assigned to different groups of users as desired.

    After answers have been provided and any custom questions defined, click Submit to create the Password Reset Profile and return to the main menu.


    Enforcing Enrollment

    In addition to forcing enrollment in the Change my Password feature of myPassword, there are a number of other methods available that may be used to prompt a user to create a Password Reset Profile.

    On rDirectory access

    By using the integrated Enforce Profile Validation features within rDirectory, users can be required to fill in their Password Reset Profile when they access the rDirectory site. This feature may also enforce data validation rules for other attributes, including those with malformed or otherwise incorrect data.

    For more details on the Enforce Profile Validation feature, please see the rDirectory online help.

    On Logon with ProfileValidator.exe

    The ProfileValidator.exe tool is designed to execute automatically during logon and request, or optionally require, that the user complete or correct data in their Password Reset Profile.

    If only myPassword is installed, the ProfileValidator.exe will check for an empty Password Reset Profile and require that it be completed at logon.

    If rDirectory is installed and licensed in addition to myPassword, the ProfileValidator.exe can be configured to leverage the Enforce Profile Validation feature and require the user to certify or validate virtually any attribute associated with their Active Directory account.

    See Installation and Setup myPassword Optional Features.pdf in the documentation folder for details on configuring and deploying this tool via GPO policies.


    Appendix A: Customizing myPassword

    Customizing myPassword has changed significantly from previous versions of the product. The 2.x and 3.x versions of myPassword allowed direct access to the underlying HTML. In 4.x versions of the product, this is no longer possible as all content is dynamically generated. This means certain customization options available previously may not be possible without the assistance of Namescape Professional Services.

    NOTE: myPassword customization/training is not included as part of the standard product support package. Professional Services are available for purchase if additional assistance beyond this documentation is required.

    Client Customization

    A limited number of styles within myPassword are customizable by an administrator through the Namescape Designer, or by modifying files in the installation directory.

    The look of the myPassword client is based on the currently defined theme, located in the \myPassword\App_Themes directory. Each selectable theme will have a contents subfolder containing its own unique set of files and images.

    The myPassword.css file in each theme folder defines major CSS classes which control styles such as background color, font, and elements of the main menu page. In most cases, selecting an existing theme in the Namescape Designer and then modifying the myPassword.css file should achieve the desired effect.

    NOTE: The myPassword-all.css file is a minified version of all styles necessary for the base components of the application. Editing this CSS file is not recommended, and is not supported by Namescape.

    If the only customization desired is replacing the myPassword logo with your own branded logo, simply rename your custom png image to myPassword.png and replace the existing myPassword.png file in the root of the myPassword website directory.


    Themes

    The majority of the CSS that controls the look and feel of myPassword is part of a predefined theme. The currently selected theme can be changed in the Namescape Designer under myPassword | General | Appearance. Changing a theme will alter the colors of all elements within the client, but will not affect text or the logo graphic.

    NOTE: If you are unable to achieve a desired look with the options provided, Namescape Professional Services are available for purchase to assist you with creating a custom theme to fit your needs.

    Use Classic Dialogue Style

    In addition to selecting a theme, you also have the option to make dialogue boxes appear similar to those in previous versions of the product. By enabling this setting, the dialogue boxes will appear with a thinner border and have squared corners, rather than rounded.


    Adding a myPassword link to the Outlook Web Access Logon Page

    NOTE: Customizing the Outlook Web Access (OWA) Logon Screen may require advanced customization techniques not included in this document. Professional Services are available for purchase if additional assistance beyond this documentation is required.

    The procedures included in this document have been confirmed to work with Outlook 2003 and Outlook 2007.

    By default, the Outlook Web Access logon screen should look similar to the picture below:


    For Outlook Web Access 2003:

    Replace the [myPasswordURL] with the URL of your myPassword website and replace the section [OWAURL] with the URL of your OWA website.

    Example:

    Replace:

    With:

    NOTE: The above change adds 3 rows to the HTML table and puts the myPassword link in the middle row in the center.


    For Outlook Web Access 2007

    Highlight the , and in the file, as shown below in the first figure. This is right below and right above of the logon.aspx file.

    Replace the highlighted section with this:

    Forgot your password? Click here to reset using myPassword.

    4. Once the version appropriate changes have been made, save the file and test by reloading the Outlook Web Access site.


    You should now see a new myPassword link displayed below the password entry field on the logon page. It will look similar to this:

    OWA 2003

    OWA 2007


    Redirecting the IWA failed logon page to the myPassword site

    This section of the document describes how to redirect users to the main myPassword site in the event of a failed logon from any website using Integrated Windows Authentication (IWA), including SharePoint.

    1.  Using Notepad, edit the 401-1.htm file, by default found under:

    C:\Inetpub\custerr\en-US\

    2.  Find the following section of HTML markup:

    You are not authorized to view this page

    You do not have permission to view this directory or page using the credentials that you supplied.

    Please try the following:

    3.  Modify the element to include onload="redirect()">

    onload="redirect()">

    You are not authorized to view this page

    You do not have permission to view this directory or page using the credentials that you supplied.

    Please try the following:

    4.  Now find the following section of HTML markup at the bottom of the file:


    Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.

    Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Authentication, Access Control, and About Custom Error Messages.

    5.  Insert the following lines right after and before

    function redirect(){
    window.location="http://mp1";
    }

    It should read as follows:

    function redirect (){
    window.location = "http://mp1";
    }

    Where ‘http://mp1’ is replaced with the URL of your myPassword website.

    Example:

    Replace:

    window.location = "http://mp1";

    With:

    window.location = "http://[myPassword URL]";

    6.  Save the file and test.
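    One way to check the edited 401-1.htm before relying on it, as an added example that is not part of the Namescape guide: it confirms the onload handler and the redirect() function from steps 3 and 5 are present, that the target string is properly closed, and that the target is the site you intended. The function name auditErrorPage, the host mypassword.example.com, the use of a body element and the https requirement are assumptions made for this example, and the sample pages are constructed.

```javascript
// Added example, not from the guide. Audits the text of an edited 401-1.htm.
function auditErrorPage(html, expectedHost) {
  const findings = [];
  // Step 3: an element must carry onload="redirect()".
  if (!/\bonload\s*=\s*["']redirect\(\)["']/i.test(html)) {
    findings.push('no onload="redirect()" handler');
  }
  // Step 5: redirect() has to live inside a <script> element to run at all.
  const script = /<script\b[^>]*>([\s\S]*?)<\/script>/i.exec(html);
  const fn = script && /function\s+redirect\s*\(\s*\)\s*\{([\s\S]*?)\}/.exec(script[1]);
  if (!fn) {
    findings.push("redirect() is not defined inside a <script> element");
    return findings;
  }
  // The target must be a closed string literal; an unclosed quote is a syntax
  // error, so the browser never defines redirect() and nothing happens.
  const target = /window\.location(?:\.href)?\s*=\s*(["'])(.*?)\1/.exec(fn[1]);
  if (!target) {
    findings.push("window.location target is missing or its string literal is not closed");
    return findings;
  }
  let url;
  try {
    url = new URL(target[2]);
  } catch (e) {
    findings.push("redirect target is not a valid URL: " + target[2]);
    return findings;
  }
  // Assumed policy: the password-reset site is served over TLS on a known host.
  if (url.protocol !== "https:") findings.push("redirect uses " + url.protocol + " instead of https:");
  if (url.hostname !== expectedHost) findings.push("unexpected redirect host: " + url.hostname);
  return findings;
}

// Constructed sample pages (a real 401-1.htm also carries styles and help text).
const page = (js) =>
  "<html><head><script>" + js + "</script></head>" +
  '<body onload="redirect()"><h1>You are not authorized to view this page</h1></body></html>';
const GOOD = page('function redirect(){ window.location = "https://mypassword.example.com/"; }');
const UNCLOSED = page('function redirect (){ window.location = "http://mp1;}');
const UNCHANGED = page('function redirect(){ window.location="http://mp1"; }');

for (const [name, html] of Object.entries({ GOOD, UNCLOSED, UNCHANGED })) {
  console.log(name, auditErrorPage(html, "mypassword.example.com"));
}
```

    Running the same audit on a schedule also shows when the error page has been changed to send users who just failed a logon somewhere other than the expected site.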


     

    How to change the language in myPassword

    NOTE: This section describes how to manually configure the language support in myPassword. The product ships with German, Spanish and French already translated. For those languages, simply change your browser language setting.

    In addition to the included languages, myPassword may be configured to display any other custom language desired. Namescape is not responsible for translation errors resulting from the following procedure.

    Setting up the directory infrastructure

    The example we will use will demonstrate how to create a sub-folder structure for the Italian language.

    1.  Locate the Resources folder, located by default at:

    C:\inetpub\wwwroot\rDirectory\myPassword\Resources

    2.  Create a new folder under the \Resources folder named ‘it’ for Italian

    3.  Open the \en-us folder under \Resources and copy all the folders and files to the new \it folder.

    4.  Copy the DefaultResource.xml from the \Resources folder and paste it in the new \it folder

    5.  Rename the DefaultResource.xml in the \it directory to Resource.xml

    6.  In the \it folder, open the resource.xml and change the item key value that corresponds with the object that you want to display in Italian.

    NOTE: Use extreme caution when making changes to the Resource.xml file. If this file is modified incorrectly, the desired changes will not take effect and may cause further problems for the page display. Namescape Support does not include assisting with customizations.


    The following edits will change the Product Description text:

    Before

    Self-Service Password Management

    After

    Self-Service parola d'ordine gestione

    7.  Restart IIS

    8.  Change the language in your web browser to ‘it’ for Italian

    9.  Launch the myPassword website. The product description should now display the Italian text.

    By modifying the key values in the resources.xml file, you can change any text for a language specific page that is triggered by the browser default language settings.
