Reference Material | Migrating to Specops uReset 8.0

Migrating from Specops Password Reset

Introduction

The Specops Authentication migration wizard can be used to migrate the enrollment data from Specops Password Reset (SPR) into uReset 8 and above. This allows SPR users to authenticate with O365, and manage password resets, with their existing SPR enrollment. 

Pre-migration 

  • Verify that users know their UPN (email format) names. To align with the standards used in Cloud solutions, older style usernames are not supported. 

Notes: 

  • Rather than using “sAMAccountName” to identify users, Specops Authentication uses “User Principal Name” (UPN). It is recommended that the UPN is consolidated to match user’s email addresses. This makes it easier for users to remember their UPN during authentication. 
  • Existing policies cannot be migrated automatically. You can create new policies from the uReset menu in the Specops Authentication Gatekeeper Tool. 
  • The migration tool can only migrate Mobile Code and Questions and Answers. In order to migrate these across, you must have these identity services configured in your uReset 8 group policy.  
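
The pre-migration points above (UPNs aligned with email addresses, and a populated mobile attribute for Mobile Code) can be checked per user before the wizard runs. The following is an added example, not part of the original guide or Specops tooling. The function name, the `mobile` attribute default and the sample users are assumptions.

```powershell
# Added example (not Specops code): flag users whose UPN or mobile data need
# attention before migration. Input objects need SamAccountName,
# UserPrincipalName, mail and the mobile attribute as properties.
function Test-UpnMigrationReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,

        # Assumption: 'mobile' holds the numbers; pass the attribute name
        # you will enter in the wizard if it is a different one.
        [string]$MobileAttribute = 'mobile'
    )
    process {
        $upn  = [string]$User.UserPrincipalName
        $mail = [string]$User.mail

        # -eq on strings ignores case, which suits UPN/email comparison.
        $upnStatus = if ([string]::IsNullOrWhiteSpace($upn)) { 'MissingUpn' }
                     elseif ([string]::IsNullOrWhiteSpace($mail)) { 'NoMailToCompare' }
                     elseif ($upn -eq $mail) { 'MatchesMail' }
                     else { 'DiffersFromMail' }

        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            UserPrincipalName = $upn
            UpnStatus         = $upnStatus
            HasMobileNumber   = -not [string]::IsNullOrWhiteSpace([string]$User.$MobileAttribute)
        }
    }
}

# Constructed sample objects so the function can be tried without a directory.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'anna.smith@example.com'; mail = 'Anna.Smith@example.com'; mobile = '+15550100' }
    [pscustomobject]@{ SamAccountName = 'bjones'; UserPrincipalName = 'bjones@demo.local'; mail = 'bob.jones@example.com'; mobile = $null }
)
$sample | Test-UpnMigrationReadiness | Format-Table -AutoSize

# Live use (ActiveDirectory module); replace the placeholder with the DN of
# the scope you will select in the wizard:
# Get-ADUser -Filter * -SearchBase '<scope DN>' -Properties mail, mobile |
#     Test-UpnMigrationReadiness | Where-Object UpnStatus -ne 'MatchesMail'
```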

 

Before you get started, you must meet the following requirements for a successful migration: 

  • Specops Authentication customer account with the Gatekeeper Admin Tool installed and configured. 
  • The scope where the SPR enrollment data resides, must be inside the Specops Authentication scope of management. 
  1. From the Gatekeeper tab on the Specops Authentication Gatekeeper Admin tool, click Migrate from SPR.
  2. Click Next. 
  3. Select the Active Directory scope containing the SPR user enrollment data that you want to migrate across. For example: you might select the Users Organizational Unit, if it contains all the users you want to migrate.  
  4. Click Add and the scope will appear in the Selected Scopes box.  
  5. Click Next.  
  6. Select your migration options:  
    • Overwrite existing Specops Authentication enrollments: Migrate user enrollments for users that already have a Specops Authentication enrollment. Users that have already enrolled with Specops Authentication will have their entire enrollment overwritten. Identity Service enrollments cannot be merged with enrollments from SPR. Leaving this unticked will not update these users’ enrollments. 

     

    • Halt execution on errors: If you select this option, the migration will be stopped as soon as an error occurs. If this is left unselected, the migration will continue until all users have been migrated. Any errors will be visible in the Event Log in the Gatekeeper afterwards.

     

     

    • Specify the Active Directory attribute name that is used to store mobile numbers of users that exist.  

     

    Tip: If you do not want the mobile data to be migrated across from SPR to Specops Authentication, you can specify an attribute that is not used instead, and the mobile data will be omitted.  

  7. Click Next. 
  8. Your pre-migration overview will be displayed, such as the number of users, enrollments, and the Active Directory scope you have selected.  
  9. Click Next. 
  10. Your post-migration overview will be displayed. Click Finish. 
  11. Click Finish to start the migration. 

Note: The migration wizard will appear in the Authentication Gatekeeper Admin tool user interface if the SPR service connection point exists in Active Directory. To remove the Migrate from SPR button from the interface, run the following command in PowerShell, and remove the listed objects from Active Directory. 

Get-ADObject -LDAPFilter "(&(objectCategory=serviceConnectionPoint)(name=Specops Password Reset))" | Remove-ADObject
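
To review the matching objects and keep a record of them before deletion, the removal can be wrapped as below. This is an added example, not part of the original guide or Specops tooling. The function name and backup path are hypothetical, and it assumes the ActiveDirectory module and delete rights on the object.

```powershell
# Added example (not Specops code). Requires the ActiveDirectory module.
function Remove-SprServiceConnectionPoint {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Hypothetical default location for the pre-deletion record.
        [string]$BackupPath = '.\spr-scp-backup.xml'
    )

    # Same LDAP filter as the command in the note above.
    $filter = '(&(objectCategory=serviceConnectionPoint)(name=Specops Password Reset))'
    $scps = @(Get-ADObject -LDAPFilter $filter -Properties *)

    if ($scps.Count -eq 0) {
        Write-Verbose 'No SPR service connection point found; nothing to remove.'
        return
    }

    # Record the objects' attributes, then show what matched.
    $scps | Export-Clixml -Path $BackupPath
    $scps | Select-Object DistinguishedName, whenCreated | Format-Table -AutoSize | Out-Host

    foreach ($scp in $scps) {
        # Honors -WhatIf and prompts for confirmation per object.
        if ($PSCmdlet.ShouldProcess($scp.DistinguishedName, 'Remove SPR service connection point')) {
            Remove-ADObject -Identity $scp -Confirm:$false
        }
    }
}

# Dry run first, then the real removal:
# Remove-SprServiceConnectionPoint -WhatIf
# Remove-SprServiceConnectionPoint
```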

 

Post-migration checklist 

  • Ensure that the authentication policy for password resets in Specops Authentication matches the authentication policy used in SPR. 

  • Install the Specops Authentication Client (version 7.12.18107.4 or later). 

 

Migrating from Specops uReset 7.x

Introduction

This guide provides you with the necessary steps to migrate from Specops uReset 7.12 and earlier, to Specops uReset 8.0 and above. 

Specops uReset 8.0 is an upgrade for Specops uReset 7.12, and comes with several improvements and new features. Unlike previous uReset upgrades, you cannot simply click the Check for new version link in the Specops uReset Administration tool and apply these changes, as Specops uReset 8.0 is an entirely new platform. To upgrade, you must:

  • Sign up for a Specops Authentication account.  
  • Install and configure the Specops uReset 8.0 platform. 
  • Migrate your user and enrollment data across to Specops uReset 8.0 

Why should you upgrade to the new platform?  

Although Specops uReset 8.0 performs the same job as Specops uReset 7.12, it comes with several new features and enhancements. These are as follows:  

  • Support for data encryption at rest.
  • Double encryption (user passwords are now encrypted from browser to Gatekeeper)   
  • Multi-Gatekeeper support for fail over/redundancy. 
  • Enhanced auditing/reporting capabilities. 
  • Works with Specops Password Blacklist, for real-time leaked password feedback during password change/reset. 
  • Support for Efos as an identity service (only available in Sweden).
  • Integrates with our new multi-factor authentication (MFA) platform for Office 365. 
  • Manager ID is only performed remotely. This includes support for multi-factor authentication when managers sign in to verify user authentication requests.
  • New language support: Japanese, Portuguese, and Simplified Chinese.

New Features, changes and improvements 

This section highlights the differences between the two platforms. Certain elements have changed entirely and some have simply been moved and/or renamed. 

URLs 

The URLs in Specops uReset 8.0 differ from those found in Specops uReset 7.12.  

Specops uReset 7.12 uses www.ureset.com (NA) and login.ureset.com (EU). These URLs have been deprecated, and each uReset web link now has a corresponding URL under login.specopssoft.com (NA) and eu.login.specopssoft.com (EU) instead.   

Note: The following screenshots are from environments hosted in North America.  

URLs in Specops uReset 8.0: 

The following URLs are found under the Gatekeeper tab in the Specops Authentication Gatekeeper Admin tool: 

  • Admin Pages: This URL takes you to the administrative pages. Admins can configure various parts of the system. This includes: 
    • Configuring enrollment/admin policies. 
    • Configuring identity services. 
    • Creating and deleting accounts. 
    • Customizing parts of the Specops uReset 8.0 user interface. 
    • Adding and removing Gatekeepers. 
  • Enrollment: This URL takes you to the Enrollment page, where you must enroll in order to access the administrative pages, user management pages, and uReset.  
  • User Management: This URL takes you to the User Management page, in which you can search for users, reset their passwords, and use uReset identity services to authenticate users. Helpdesk has replaced User Management in uReset 8.0.

The following URLs are located under the uReset tab in the Specops Authentication Gatekeeper Admin tool: 

  • Reset Password: This URL takes you to a page in which you can reset your password.  
  • Change Password: This URL takes you to a page in which you can change your password.  

URLs in Specops uReset 7.12 

In Specops uReset 7.12, the URLs are located under the uReset Gatekeeper tab, in the Specops uReset Administration tool.  

Security Groups 

Security groups in Specops uReset 8.0: 

Specops uReset 8.0 comes with new admin and user management related groups that do not exist in Specops uReset 7.12. When you install Specops uReset 8.0, three new global groups are automatically created in your Active Directory. These groups fall under a single Security Groups category. You can edit the members of these groups directly in the Specops Authentication Gatekeeper Admin tool, by clicking the Active Directory Settings tab. These are as follows:  

  • Admin group: All admins are listed in this group.  
  • User admin group: All user admins are listed in this group.  
  • Gatekeepers group: Your gatekeeper service account(s) are listed in this group.  

Note:  The uReset ‘helpdesk’ has been renamed ‘User Management’ in Specops uReset 8.0. 

Security groups in Specops uReset 7.12: 

In Specops uReset 7.12, the various security groups are located under the Policies and Groups tab, in the Specops uReset Administration tool, and are separated out into different categories (Active Directory Settings, Helpdesk users, Administrators). 

Policies 

Policies in Specops uReset 8.0 

In Specops uReset 8.0, policies are tagged in the Specops Authentication Gatekeeper Admin tool (on premises component) but configured in Specops Authentication Web (cloud component). 

Note: You can use the same GPOs in Specops uReset 8.0, that you used in Specops uReset 7.12. To tag a GPO: 

  1. Open the Specops Authentication Gatekeeper Admin tool.
  2. Click the uReset tab.
  3. In the GPOs tagged for uReset section, click the Tag GPOs link.
  4. Select a policy from the list.
  5. Click OK.
  6. The policy will appear in the list.  

Policies in Specops uReset 7.12  

In Specops uReset 7.12, policies are configured in the Specops uReset Administrator (on premises component) and stored in SYSVOL.  

Customizing the uReset user interface 

You can customize various parts of the Specops uReset 8.0 landing page, in a similar fashion to that of Specops uReset 7.12. However, the parts of the UI that can be customized in Specops uReset 8.0 differ slightly from the parts that can be customized in Specops uReset 7.12. In Specops uReset 8.0, you can customize:  

  • The main logo in the top-left corner of the screen.  
  • The language of the text in the UI.  
  • The stylesheet: you can upload a custom CSS style sheet. You can change the color of the buttons and text to match your company’s corporate look and feel. The style sheet must be a Bootstrap 4 stylesheet.
  • Various pieces of text/messages that users see and interact with, including:  
    • Enroll Completed Header 
    • Enroll Completed Message 
    • Enroll Edit Help 
    • Enroll Help 
    • Enroll Index Message 
    • Enroll Introduction Header
    • Enroll Introduction Message 
    • MFA Menu Message 
    • Password Complete Message 
    • Password Complete Secured Browser Message 
    • User Management Search Information 

Licensing  

Licenses are managed by the Specops team, which means a physical license key is not required. You can create your customer account using a known domain/contact here. The Specops team can then associate it with your existing Specops uReset 7.12 subscription license. 

Install Specops uReset 8.0

Before you can migrate your users and enrollments, you must download and deploy Specops uReset 8.0.  

  1. Download the ADMX template for Specops uReset 8.0 here. 
  2. Copy the ADMX template and the corresponding ADML file (you can find these in c:\windows\policydefinitions) to the SYSVOL Central Store (if you want to make this available to more than one server) or copy it locally. The settings in this client ADMX template tell both clients to continue using Specops uReset 7.12 instead of automatically redirecting to Specops uReset 8.0. This means you can continue using the old version unaffected, until you are ready to start migrating over.   
  3. Create a computer GPO and apply it to all computers that will have the Specops Authentication client installed, and configure the following settings under the ‘General Client Settings’ section of the template. This step is critical in ensuring that your workstation clients are not directed to uReset 8.0, before you have completed configuration and migration.
    • Set the Overridden Settings container to Enabled, and copy the distinguished name of the settings container from the uReset 7.12 Administration tool. The default location is under the System container in Active Directory. Example: CN=Settings,CN=uReset,CN=Specops,CN=System,DC=demo,DC=local
    • Specify uReset as the reset system.
  4. Verify that the policy is being correctly applied to your client computers.
  5. Download the latest Specops Authentication client, here.
  6. Deploy the Specops Authentication client to all of your client computers. Older versions of the Specops Authentication or Specops uReset client will be replaced automatically.
  7. Install Specops Authentication. Installation instructions can be found here.

Note: When you copy the ADMX template to your chosen location, it will override the existing template.  

 

Perform the migration

The Specops Authentication migration wizard can be used to migrate the enrollment data from Specops uReset 7.12  into Specops uReset 8.0. This will allow uReset users to authenticate with O365, and manage password resets, with their existing uReset enrollment.

Pre-migration:

  • When migrating to Specops uReset 8.0, the platform hosting the datacenter will change from Microsoft Azure, to Amazon Web Services.
  • Existing policies cannot be migrated automatically. You can create new policies from the uReset menu in the Specops Authentication Gatekeeper Tool.
  • Stylesheets utilizing Bootstrap 4 will require an upgrade.
  • Auditing, reporting, and user statistics have been significantly improved in Specops Authentication. Existing statistics from www.ureset.com will not be migrated.

From the migration wizard, you can migrate enrollment data for the following identity services:

  • Facebook
  • Flickr
  • Google
  • Instagram
  • LinkedIn
  • Live
  • Mobile Code
  • Mobile Bank ID
  • Salesforce
  • Specops Fingerprint Authenticator
  • Specops/Microsoft/Google Authenticator
  • Symantec VIP
  • Questions & Answers (Security Questions)
  • Twitter

Note:

  • The Duo Security identity service does not require migration. If Duo Security is enabled in the policy, all affected users will be enrolled with Duo Security on Specops Authentication.

Before you get started, you must meet the following requirements for a successful migration:

  • Specops Authentication customer account with the Gatekeeper Admin Tool installed and configured.
  • The scope where the Specops uReset enrollment data resides must be inside the Specops Authentication scope of management.
  1. From the Gatekeeper tab on the Specops Authentication Gatekeeper Admin tool, click Migrate from uReset.
  2. Click Next.
  3. Select the Active Directory scope containing the uReset user enrollment data you want to migrate to Specops Authentication, and click Next.
  4. Enable your migration options:
    • Overwrite existing Specops Authentication enrollments: Migrate user enrollments for users that already have a Specops Authentication enrollment. Users that have already enrolled with Specops Authentication will have their entire enrollment overwritten. Identity Service enrollments cannot be merged with enrollments from uReset. Leaving this unticked will not update these users’ enrollments.
    • Halt execution on errors: Stops the migration as soon as an error occurs. The migration must be restarted on errors. If this is left unticked, the migration will keep going until all users have been migrated. Any errors will be visible in the Windows Event Log on the Gatekeeper afterwards.
  5. Click Next.
  6. Your pre-migration overview will be displayed. To continue, click Next.
  7. Your post-migration overview will be displayed. Click Finish.
  8. Click Finish to start the migration.

You are now ready to direct your users to uReset 8.0.

  1. Remove the computer GPO created earlier with the settings container override setting – your Specops Authentication clients will now default to using the new version automatically.
  2. Update any bookmarked URLs or GPOs with URL Override settings.