Forefront Identity Manager - Credential Management, Part 4
This post describes how the client interacts with the server during Self-Service Password Reset (SSPR) registration and reset. Most of this information can be found in the client-side or server-side logs. The implementation is subject to change; if you develop a custom SSPR client based on the information below, make sure what you do is supported.
Deep Dive into Self-Service Password Reset
Components and terminologies:
- Gate Framework (GF), client-side unmanaged (native) component. It handles the UI of the various gates and the password reset screen.
- PasswordProxy (Proxy), aka FIMPasswordReset, client-side managed component. It acts as a proxy between the Gate Framework and the FIM Service.
- FIM Service
- Secure Token Service (STS), a component of FIM Service that issues tokens
Communication channels used:
- Gate Framework (GF) and PasswordProxy communicate over a secured named pipe, because GF is native and PasswordProxy is managed.
- PasswordProxy and FIMService/STS communicate over WCF with message security.
- FIMService and FIMSynchronizationService communicate over WMI.
Registration Sequence
- C:\Windows\System32\MsPwdRegistration.exe starts automatically at user logon.
- It performs some housekeeping routines and calls into GF to initiate the registration sequence.
- GF establishes a secured named pipe to Proxy.
- Proxy will then:
  - Look up the user GUID: /Person[Domain='...' and Account='...']
  - Look up all AuthN WFs that the user can use for SSPR: /MPR[Disabled=false && (PrincipalSet=Anonymous && ResourceCurrentSet=/Set[ComputedMember='user guid']) && ActionType='Modify' && ActionParameter='ResetPassword']/AuthenticationWorkflowDefinition
  - For each AuthN WF, determine whether the user:
    - Has registered or not (User.AuthNWFRegistered attribute).
    - Is locked out or not (User.AuthNWFLockedout attribute).
  - Return to GF one of the following values:
    - Registration Required, when one or more AuthN WFs are not registered.
    - LockedOut, when the user is locked out of one or more AuthN WFs.
    - Registration Optional otherwise.
- If the return value is not Registration Optional, GF displays the Registration Welcome Screen.
- To register, Proxy sends a Put request to add the AuthN WF Guid to User.AuthNWFRegistered.
- This request triggers the AuthN WF "System Workflow Required for Registration" via the MPR "General workflow: Registration initiation for authentication activity", and Proxy receives an AuthNRequiredFault.
- The AuthN fault contains the endpoint address of the STS that the client must contact to obtain a token.
- Proxy then relays messages between GF and the STS: the STS sends a list of challenges (e.g. Q&A), GF displays the questions and replies with the answers the user enters, and so on.
- At the end of the challenge-response sequence, the STS issues a token indicating that the user has passed the AuthN WF.
- Proxy then resumes the original request with the STS token.
- After that, the request goes through the normal AuthZ, Commit and Action phases.
Reset Sequence
- User clicks on the "Reset Password" link on the logon screen.
- GINA/Credential Provider calls into GF to initiate the reset sequence.
- GF establishes a secure channel with Proxy.
- Proxy sends a Put request that modifies the User.ResetPassword attribute.
- This request triggers the AuthN WF "Password Reset AuthN Workflow" via the MPR "Anonymous users can reset their password", and Proxy receives an AuthNRequiredFault.
- Proxy then obtains an STS token and resumes the request, just as during registration.
- The request goes through the normal AuthZ, Commit and Action phases.
- During the Action phase, it kicks off the Action WF "Password Reset Action Workflow".
- This workflow listens on an endpoint, awaiting the user's new password.
- Once the Password Reset Action Workflow receives the new password, it makes a WMI call, under the FIMService service account context, to the FIMSynchronizationService to perform a SetPassword.
- FIMSynchronizationService, under the AD MA account context, contacts the primary domain controller (PDC) to reset the user's password.
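The Put → AuthNRequiredFault → STS challenge → resume sequence used by both the registration and the reset flows above, as an added, constructed model that is not FIM's own code: the STS endpoint URL, the HMAC token format, the Q&A questions and the `proxy_put` helper are all assumptions. The point it shows is that the STS token is bound to the one pending request it was issued for and is single-use, so it cannot be applied to another request or replayed.

```python
import hashlib, hmac, json, secrets

# Constructed model of the Put -> AuthNRequiredFault -> STS challenge/response -> resume
# sequence. The STS endpoint URL, token format and questions are assumptions, not FIM's.
class AuthNRequiredFault(Exception):
    """Raised by FIMService when the Put needs an AuthN WF to run first."""
    def __init__(self, sts_endpoint, context_id):
        super().__init__("AuthN required")
        self.sts_endpoint, self.context_id = sts_endpoint, context_id

class STS:
    """Issues a token bound to one request context once the Q&A challenge is answered."""
    def __init__(self, key, answers):
        self._key, self._answers = key, answers  # answers: {user: {question: answer}}
    def challenges(self, user):
        return list(self._answers[user])
    def issue_token(self, user, context_id, responses):
        expected = self._answers[user]
        if set(responses) != set(expected) or not all(
                hmac.compare_digest(responses[q], expected[q]) for q in expected):
            return None  # challenge failed: no token is issued
        payload = json.dumps({"user": user, "ctx": context_id}, sort_keys=True)
        return payload, hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

class FIMService:
    """Accepts a Put only with a genuine token for that exact pending request."""
    def __init__(self, key, sts_endpoint):
        self._key, self._sts_endpoint, self._pending = key, sts_endpoint, {}
    def put(self, user, attribute, token=None):
        if token is None:  # first attempt: park the request, send the client to the STS
            ctx = secrets.token_hex(8)
            self._pending[ctx] = (user, attribute)
            raise AuthNRequiredFault(self._sts_endpoint, ctx)
        payload, mac = token
        good_mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        claims = json.loads(payload)
        # the token must verify and be bound to this pending (user, attribute) request
        if not hmac.compare_digest(mac, good_mac) or self._pending.get(claims["ctx"]) != (user, attribute):
            return "Denied"
        del self._pending[claims["ctx"]]  # one-time use, so a replayed token is denied
        return f"Modified {attribute} for {user}"

def proxy_put(fim, endpoints, user, attribute, user_answers):
    """PasswordProxy role: send the Put, run the STS challenge on a fault, resume with the token."""
    try:
        return fim.put(user, attribute)
    except AuthNRequiredFault as fault:
        sts = endpoints[fault.sts_endpoint]
        responses = {q: user_answers.get(q, "") for q in sts.challenges(user)}
        token = sts.issue_token(user, fault.context_id, responses)
        return "Denied" if token is None else fim.put(user, attribute, token)
```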
That's it. Feel free to leave me a message if you need clarification.