FIM 2010 R2 – Web-Based Password Reset, Part 3
FIM lets users reset their own passwords only after it has authenticated them against the answers to the security questions they registered with.

One major complaint about FIM 2010's QA Gate implementation is that it does not allow IT pros to specify any validation or policy on the answers. Users might enter "abc" for every question, and some consider that a security concern. (In fact, I used to use 1 for all my answers during testing because the keystroke sequence "1<tab>1<tab>1<tab>" is the easiest to type.)

QA Gate Enhancement

We heard your feedback loud and clear, so we are making a few changes in FIM 2010 R2, namely:

  1. Disallow duplicated answers
  2. Apply a custom regular expression, configured per gate, to validate all of that gate's answers

Below is a screenshot of the QA Gate configuration from the workflow designer (aka BPM Designer).

How Does It Work?

Some of you might ask, "Wait, isn't the answer hashed on the client? How is this possible?" First, congratulations and well done on knowing password reset in depth. 🙂

To achieve this validation on the server side, the answers are now sent to the server unhashed over a WCF channel protected with message-level encryption. (Nothing changes in the channel itself; we are only changing the payload at the application layer.)

Special Notes

This check is enforced only during the registration phase, and the answers are still stored hashed in the database.

To make sure the policies are enforced by default, registration from FIM 2010 clients is disallowed. There is an option at the bottom of the configuration that lets you run FIM in hybrid mode during the transitional upgrade period. In that case, FIM 2010 clients can still register and bypass the policies, while registrations originating from FIM 2010 R2 clients have the policies enforced.
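The registration-side behaviour described above (duplicate rejection, a per-gate regular expression, plaintext answers arriving only at registration time, hashed storage, and the hybrid-mode bypass for legacy FIM 2010 clients) as an added illustrative model; this is not FIM's own code. The regular expression, the case-insensitive duplicate comparison and the salted PBKDF2 hash are assumptions made for the example.

```python
import hashlib
import os
import re

# Constructed example policy: at least 4 characters, letters/digits/spaces only.
# Assumption for illustration; in FIM 2010 R2 the administrator supplies the regex per gate.
ANSWER_PATTERN = r"^[A-Za-z0-9 ]{4,}$"


def validate_answers(answers, pattern=ANSWER_PATTERN):
    """Return a list of policy violations; an empty list means the answer set is acceptable.

    Two checks model the R2 QA Gate enhancement:
    1. no duplicated answers within the gate (compared after trimming whitespace and
       case-folding, which is an assumption, not documented FIM behaviour);
    2. every answer matches the gate's regular expression.
    """
    errors = []
    seen = set()
    for i, raw in enumerate(answers):
        norm = raw.strip().casefold()
        if norm in seen:
            errors.append(f"answer {i + 1} duplicates an earlier answer")
        seen.add(norm)
        if re.fullmatch(pattern, raw) is None:
            errors.append(f"answer {i + 1} does not match the required pattern")
    return errors


def hash_answer(answer, salt=None):
    """Salted PBKDF2-SHA256 hash of one answer. The page does not document FIM's
    storage format; this stand-in only shows that plaintext is never persisted."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def register(payload, pattern=ANSWER_PATTERN, hybrid_mode=False):
    """Server-side registration. payload carries either 'answers' (plaintext, R2-style
    client) or 'hashes' (pre-hashed, FIM 2010-style client). Returns (ok, stored_or_errors)."""
    if "hashes" in payload:
        # A legacy client already hashed the answers, so the policy cannot be checked.
        if not hybrid_mode:
            return False, ["pre-hashed registration is disallowed unless hybrid mode is enabled"]
        return True, list(payload["hashes"])
    errors = validate_answers(payload["answers"], pattern)
    if errors:
        return False, errors
    # Policy passed: only hashed values are persisted, mirroring the Special Notes above.
    return True, [hash_answer(a) for a in payload["answers"]]
```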

Comments (3)

  1. AnthonyHo says:

    In theory, yes. Not too much I can talk about that here. Please contact Microsoft support and tell them you are interested in "programmatic registration".

  2. Hi AnthonyHo,

    Many thanks for the invaluable series of FIM 2010 Web-based SSPS.

    My customer has approximately 500 users working on a SharePoint 2010 application. They also publish SharePoint to the Extranet through Forefront TMG 2010. The users often forget their passwords, so the customer is looking for a solution called "Self-service Password Reset". Additionally, once a user does a password reset, an email with information will be automatically sent to that user. I know FIM 2010 R2 fits this scenario very well. However, I am considering SSPS customization based on .NET instead of deploying FIM. By the way, the customer is not using Microsoft Exchange.

    Can you suggest a little bit about this real-world scenario when we don't have Microsoft Exchange? Could the cost of customization be less than FIM deployment?

    I look forward to hearing your thoughts.

    Many thanks and Best regards,

    -T.s

  3. Reid says:

    Can the answers be pre-populated from a third party HR database such as Dynamics or Great Plains?

    Then once the user is enrolled, they could select questions they wish to use.