Reference Material | Migrating to Specops uReset 8.0

Migrating from Specops Password Reset

Introduction

The Specops Authentication migration wizard can be used to migrate the enrollment data from Specops Password Reset (SPR) into uReset 8 and above. This allows SPR users to authenticate with O365, and manage password resets, with their existing SPR enrollment. 

Pre-migration 

  • Verify that users know their UPN (email format) names. To align with the standards used in Cloud solutions, older style usernames are not supported. 

Notes: 

  • Rather than using “sAMAccountName” to identify users, Specops Authentication uses “User Principal Name” (UPN). It is recommended that the UPN is consolidated to match users’ email addresses. This makes it easier for users to remember their UPN during authentication. 
  • Existing policies cannot be migrated automatically. You can create new policies from the uReset menu in the Specops Authentication Gatekeeper Tool. 
  • The migration tool can only migrate Mobile Code and Questions and Answers. In order to migrate these across, you must have these identity services configured in your uReset 8 group policy.  
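
As an added example (not Specops code), the PowerShell below audits the scope you plan to migrate for the pre-migration points above: users whose UPN is missing or differs from their mail attribute, and users with no value in the attribute that holds mobile numbers. The search base DN and the attribute name `mobile` are assumptions; replace them with your own values.

```powershell
# Added example, not Specops code. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Assumptions: replace both values with your own.
$SearchBase      = 'OU=Users,DC=demo,DC=local'   # placeholder DN of the scope to migrate
$MobileAttribute = 'mobile'                      # attribute holding mobile numbers

$users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
    -Properties mail, $MobileAttribute

$report = foreach ($u in $users) {
    $issues = @()

    if ([string]::IsNullOrWhiteSpace($u.UserPrincipalName)) {
        $issues += 'NoUPN'
    }
    elseif ([string]::IsNullOrWhiteSpace($u.mail)) {
        $issues += 'NoMailToCompare'
    }
    elseif ($u.UserPrincipalName -ne $u.mail) {
        # -ne is case-insensitive, so Jane@demo.local equals jane@demo.local
        $issues += 'UpnDiffersFromMail'
    }

    # Mobile Code enrollments depend on this attribute being populated.
    if ([string]::IsNullOrWhiteSpace([string]$u.$MobileAttribute)) {
        $issues += 'NoMobileNumber'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            Mail              = $u.mail
            Issues            = $issues -join ';'
        }
    }
}

# Count per issue type, then write the full list for follow-up.
$report | ForEach-Object { $_.Issues -split ';' } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

if ($report) {
    $report | Export-Csv -Path .\premigration-audit.csv -NoTypeInformation -Encoding UTF8
}
```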

 

Before you get started, you must meet the following requirements for a successful migration: 

  • Specops Authentication customer account with the Gatekeeper Admin Tool installed and configured. 
  • The scope where the SPR enrollment data resides, must be inside the Specops Authentication scope of management. 
  1. From the Gatekeeper tab on the Specops Authentication Gatekeeper Admin tool, click Migrate from SPR.
  2. Click Next. 
  3. Select the Active Directory scope containing the SPR user enrollment data that you want to migrate across. For example: you might select the Users Organizational Unit, if it contains all the users you want to migrate.  
  4. Click Add and the scope will appear in the Selected Scopes box.  
  5. Click Next.  
  6. Select your migration options:  
    • Overwrite existing Specops Authentication enrollments: Migrate user enrollments for users that already have a Specops Authentication enrollment. Users that have already enrolled with Specops Authentication will have their entire enrollment overwritten. Identity Service enrollments cannot be merged with enrollments from SPR. Leaving this unticked will not update these users’ enrollments. 
    • Halt execution on errors: If you select this option, the migration will be stopped as soon as an error occurs. If this is left unselected, the migration will continue until all users have been migrated. Any errors will be visible in the Event Log in the Gatekeeper afterwards.
    • Specify the name of the Active Directory attribute that stores the mobile numbers of existing users.

    Tip: If you do not want the mobile data to be migrated across from SPR to Specops Authentication, you can specify an attribute that is not used instead, and the mobile data will be omitted.  

  7. Click Next. 
  8. Your pre-migration overview will be displayed, such as the number of users, enrollments, and the Active Directory scope you have selected.  
  9. Click Next. 
  10. Your post-migration overview will be displayed. Click Finish. 
  11. Click Finish to start the migration. 

Note: The migration wizard will appear in the Authentication Gatekeeper Admin tool user interface if the SPR service connection point exists in Active Directory. To remove the Migrate from SPR button from the interface, run the following command in PowerShell, and remove the listed objects from Active Directory. 

Get-ADObject -LDAPFilter "(&(objectCategory=serviceConnectionPoint)(name=Specops Password Reset))" | Remove-ADObject

 

Post-migration checklist 

  • Ensure that the authentication policy for password resets in Specops Authentication matches the authentication policy used in SPR. 

  • Install the Specops Authentication Client (version 7.12.18107.4 or later). 

 

Migrating from Specops uReset 7.x

Introduction

This guide provides you with the necessary steps to migrate from Specops uReset 7.12 and earlier, to Specops uReset 8.0 and above. 

Specops uReset 8.0 is an upgrade for Specops uReset 7.12, and comes with several improvements and new features. Unlike previous uReset upgrades, you cannot simply click the Check for new version link in the Specops uReset Administration tool and apply these changes, as Specops uReset 8.0 is an entirely new platform. To upgrade, you must:

  • Sign up for a Specops Authentication account.  
  • Install and configure the Specops uReset 8.0 platform. 
  • Migrate your user and enrollment data across to Specops uReset 8.0 

Why should you upgrade to the new platform?  

Although Specops uReset 8.0 performs the same job as Specops uReset 7.12, it comes with several new features and enhancements. These are as follows:  

  • Support for data encryption at rest.
  • Double encryption (user passwords are now encrypted from browser to Gatekeeper)   
  • Multi-Gatekeeper support for fail over/redundancy. 
  • Enhanced auditing/reporting capabilities. 
  • Works with Specops Password Blacklist, for real-time leaked password feedback during password change/reset. 
  • Support for Efos as an identity service (only available in Sweden).
  • Integrates with our new multi-factor authentication (MFA) platform for Office 365. 
  • Manager ID is only performed remotely. This includes support for multi-factor authentication when managers sign in to verify user authentication requests.
  • New language support: Japanese, Portuguese, and Simplified Chinese.

New Features, changes and improvements 

This section highlights the differences between the two platforms. Certain elements have changed entirely and some have simply been moved and/or renamed. 

URLs 

The URLs in Specops uReset 8.0 differ from those found in Specops uReset 7.12.  

Specops uReset 7.12 uses www.ureset.com (NA) and login.ureset.com (EU). These URLs have been deprecated and each uReset web link now has a corresponding URL under login.specopssoft.com (NA) and eu.login.specopssoft.com (EU) instead.   

Note: The following screenshots are from environments hosted in North America.  

URLs in Specops uReset 8.0: 

The following URLs are found under the Gatekeeper tab in the Specops Authentication Gatekeeper Admin tool: 

  • Admin Pages: This URL takes you to the administrative pages. Admins can configure various parts of the system. This includes: 
    • Configuring enrollment/admin policies. 
    • Configuring identity services. 
    • Creating and deleting accounts. 
    • Customizing parts of the Specops uReset 8.0 user interface. 
    • Adding and removing Gatekeepers. 
  • Enrollment: This URL takes you to the Enrollment page, where you must enroll in order to access the administrative pages, user management pages, and uReset.  
  • User Management: This URL takes you to the User Management page, in which you can search for users, reset their passwords, and use uReset identity services to authenticate users. Helpdesk has replaced User Management in uReset 8.0.

The following URLs are located under the uReset tab in the Specops Authentication Gatekeeper Admin tool: 

  • Reset Password: This URL takes you to a page in which you can reset your password.  
  • Change Password: This URL takes you to a page in which you can change your password.  

URLs in Specops uReset 7.12 

In Specops uReset 7.12, the URLs are located under the uReset Gatekeeper tab, in the Specops uReset Administration tool.  

Security Groups 

Security groups in Specops uReset 8.0: 

Specops uReset 8.0 comes with new admin and user management related groups that do not exist in Specops uReset 7.12. When you install Specops uReset 8.0, three new global groups are automatically created in your Active Directory. These groups fall under a single Security Groups category. You can edit the members of these groups directly in the Specops Authentication Gatekeeper Admin tool, by clicking the Active Directory Settings tab. The groups are as follows:  

  • Admin group: All admins are listed in this group.  
  • User admin group: All user admins are listed in this group.  
  • Gatekeepers group: Your gatekeeper service account(s) are listed in this group.  

Note:  The uReset ‘helpdesk’ has been renamed ‘User Management’ in Specops uReset 8.0. 

Security groups in Specops uReset 7.12: 

In Specops uReset 7.12, the various security groups are located under the Policies and Groups tab, in the Specops uReset Administration tool, and are separated out into different categories (Active Directory Settings, Helpdesk users, Administrators). 

Policies 

Policies in Specops uReset 8.0 

In Specops uReset 8.0, policies are tagged in the Specops Authentication Gatekeeper Admin tool (on premises component) but configured in Specops Authentication Web (cloud component). 

Note: You can use the same GPOs in Specops uReset 8.0 that you used in Specops uReset 7.12. To tag a GPO: 

  1. Open the Specops Authentication Gatekeeper Admin tool.
  2. Click the uReset tab.
  3. In the GPOs tagged for uReset section, click the Tag GPOs link.
  4. Select a policy from the list.
  5. Click OK.
  6. The policy will appear in the list.  

Policies in Specops uReset 7.12:

In Specops uReset 7.12, policies are configured in the Specops uReset Administrator (on premises component) and stored in SYSVOL.  

Customizing the uReset user interface 

As with Specops uReset 7.12, you can customize various parts of the Specops uReset 8.0 landing page. However, the parts that can be customized differ slightly from uReset 7.12. To access the customization features, go to the Customization menu. The following aspects of uReset 8.0 can be customized.

Changing the main logo

The logo at the top left of the page, both in Authentication Web and the Authentication Client, can be changed to match your requirements.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image.

To revert to the default image, click Default.

Main logo image specifications

The following specifications apply to the main logo image:

  • Supported file types: png, gif, jpg.
  • Maximum file size: one megabyte (1 MB).
  • Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
  • Image will be rendered with a height of 40 pixels.
    • Aspect ratio of the uploaded file will always be kept intact.
    • Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
    • Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affected.
    • For the best results, use an image with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.

Changing the login image

You can also change the image on the login page that is presented to users.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image. The image will appear at the top left of the page.

To revert to the default image, click Default.

Login image specifications

The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.

Changing the colors

Various colors in the interface can be changed to match your company’s look and feel. The colors that can be changed are:

  • Page background (page’s main content area)
  • Menu background (top and side navigation)
  • Sign-in background (login page)
  • Default button (primary buttons)
  • Secondary button (buttons such as Cancel etc.)
  • Information box background (textboxes with additional information)

To change the color:

  1. Select the checkbox next to the color you want to change.
  2. Select the color you want to use:
    • Click the color-picker icon and select the color you want, then click OK.
    • Enter the HTML color code (hexadecimal color code) in the text field.

To revert to the default color for all elements, click Default.

Changing the texts

Various texts that are presented to the user in messages and notifications can also be changed.

  1. Select the language you want to make changes to in the Language drop-down.
  2. Click the text element you want to change, for example Enroll_Completed_Header.
  3. Select Use custom.
  4. Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Customized value shows the new text.

To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).

| Text label | Description | Default text |
| --- | --- | --- |
| Enroll_Completed_Header | Header for page shown when users have met the weight requirements, with option to continue or end enrollment process. | All done! |
| Enroll_Completed_Message | Information text for page shown when users have met the weight requirements, with option to continue or end enrollment process. | You have collected enough stars for your enrollment. Feel free to improve you enrollment information by collecting more stars. |
| Enroll_CompletedCompleted_Message | Text on final page of enrollment process. | You have completed the enrollment, you can now close this browser and move on with your day. |
| Enroll_Edit_Help | Text on identity services page when users have opted to make changes to an already complete enrollment. | Add or change identity services from the lists below. Make sure your star bar is still full after the changes. |
| Enroll_Help | Text on identity services selection page during enrollment. | Use the identity services below to identify yourself until you have collected enough stars to fill the star bar. |
| Enroll_Index_Message | Text displayed when user switches between services to enroll for (e.g. Admin, User Management etc.) | You can enroll for multiple services. Select which service to enroll for. You can also make changes to a completed enrollment. |
| Enroll_Introduction_Header | Header on the first page of the enrollment wizard (before entering password) | Enrollment Reminder |
| Enroll_Introduction_Message | Text on the first page of the enrollment wizard (before entering password) | You are required to enroll for the Password Reset service. Press the button below to start the enrollment wizard. |
| Error_Mfa_UserHasNoPolicy_Message | Error message text displayed when a user who does not have a policy configured tries to sign in. | No policy has been configured for you for this service. |
| Error_Mfa_UserHasNoPolicy_Title | Error message title displayed when a user who does not have a policy configured tries to sign in. | You cannot enroll for this service |
| Mfa_Menu_Message | Text on identity services selection page during login. | Use the identity services below to identify yourself until you have collected enough stars to fill the star bar. |
| Mfa_NotEnrolled_EnrollmentMissing_Header | Header displayed when a user is not enrolled with uReset and tries to reset their password. | Enrollment missing |
| Mfa_NotEnrolled_IsuReset_Information | Text displayed when a user is not enrolled with uReset and tries to reset their password. | You cannot reset your password because you have not enrolled for the reset password service. |
| Password_Complete_Message | Text on final page for a password reset or password change. | Your password has been changed! If using a Windows computer, it is recommended to sign-out and sign-in again with your new password. Also, don't forget to update to your new password in for example the email app on your phone, if necessary. |
| Password_CompleteSecureBrowser_Message | Text on final page for a password reset or password change that started from the Windows identity password view. | Your password has been changed! Don't forget to update to your new password in for example the email app on your phone, if necessary. |
| Password_Instructions_Message | Text displayed above password rules when performing a password change or password reset. | |
| Password_Instructions_Mobile_Header | Clickable text displayed on small devices to expand the password instructions, above the password rules when performing a password change or password reset. | Show instructions |
| SkipCredentialScreening_UserName_Label | Text displayed when a user enters their username during sign-in. | Username |
| UserManagement_SearchInformation | Text displayed on the User Management start page. | Use the search box to find users. You can search by account names, email addresses or users' real names. |
| WindowsIdentity_UserName_Label | Text displayed when a user enters their password during sign-in. | Username |



Licensing  

Licenses are managed by the Specops team, which means a physical license key is not required.  You can create your customer account using a known domain/contact here.  The Specops team can then associate it with your existing Specops uReset 7.12  subscription license. 

Install Specops uReset 8.0

Before you can migrate your users and enrollments, you must download and deploy Specops uReset 8.0.  

  1. Download the ADMX template for Specops uReset 8.0 here. 
  2. Copy the ADMX template and the corresponding ADML file (you can find these in c:\windows\policydefinitions) to the SYSVOL Central Store (if you want to make this available to more than one server) or copy it locally. The settings in this client ADMX template tell both clients to continue using Specops uReset 7.12 instead of automatically redirecting to Specops uReset 8.0. This means you can continue using the old version unaffected, until you are ready to start migrating over.   
  3. Create a computer GPO and apply it to all computers that will have the Specops Authentication client installed, and configure the following settings under the ‘General Client Settings’ section of the template. This step is critical in ensuring that your workstation clients are not directed to uReset 8.0, before you have completed configuration and migration.
    • Set the Overridden Settings container to Enabled, and copy the distinguished name of the settings container from the uReset 7.12 Administration tool. The default location is under the System container in Active Directory. Example: CN=Settings,CN=uReset,CN=Specops,CN=System,DC=demo,DC=local
    • Specify uReset as the reset system.
  4. Verify that the policy is being correctly applied to your client computers.
  5. Download the latest Specops Authentication client, here.
  6. Deploy the Specops Authentication client to all of your client computers. Older versions of the Specops Authentication or Specops uReset client will be replaced automatically.
  7. Install Specops Authentication. Installation instructions can be found here.

Note: When you copy the ADMX template to your chosen location, it will override the existing template.  

 

Perform the migration

The Specops Authentication migration wizard can be used to migrate the enrollment data from Specops uReset 7.12  into Specops uReset 8.0. This will allow uReset users to authenticate with O365, and manage password resets, with their existing uReset enrollment.

Pre-migration:

  • When migrating to Specops uReset 8.0, the platform hosting the datacenter will change from Microsoft Azure, to Amazon Web Services.
  • Existing policies cannot be migrated automatically. You can create new policies from the uReset menu in the Specops Authentication Gatekeeper Tool.
  • Stylesheets utilizing Bootstrap 4 will require an upgrade.
  • Auditing, reporting, and user statistics have been significantly improved in Specops Authentication. Existing statistics from www.ureset.com will not be migrated.

From the migration wizard, you can migrate enrollment data for the following identity services:

  • Facebook
  • Flickr
  • Google
  • Instagram
  • LinkedIn
  • Live
  • Mobile Code
  • Mobile Bank ID
  • Salesforce
  • Specops Fingerprint Authenticator
  • Specops/Microsoft/Google Authenticator
  • Symantec VIP
  • Questions & Answers (Security Questions)
  • Twitter

Note:

  • The Duo Security identity service does not require migration. If Duo Security is enabled in the policy, all affected users will be enrolled with Duo Security on Specops Authentication.

Before you get started, you must meet the following requirements for a successful migration:

  • Specops Authentication customer account with the Gatekeeper Admin Tool installed and configured.
  • The scope where the Specops uReset enrollment data resides must be inside the Specops Authentication scope of management.
  1. From the Gatekeeper tab on the Specops Authentication Gatekeeper Admin tool, click Migrate from uReset.
  2. Click Next.
  3. Select the Active Directory scope containing the uReset user enrollment data you want to migrate to Specops Authentication, and click Next.
  4. Enable your migration options:
    • Overwrite existing Specops Authentication enrollments: Migrate user enrollments for users that already have a Specops Authentication enrollment. Users that have already enrolled with Specops Authentication will have their entire enrollment overwritten. Identity Service enrollments cannot be merged with enrollments from uReset. Leaving this unticked will not update these users’ enrollments.
    • Halt execution on errors: Stops the migration as soon as an error occurs. The migration must be restarted on errors. If this is left unticked, the migration will keep going until all users have been migrated. Any errors will be visible in the Windows Event Log on the Gatekeeper afterwards.
  5. Click Next.
  6. Your pre-migration overview will be displayed. To continue, click Next.
  7. Your post-migration overview will be displayed. Click Finish.
  8. Click Finish to start the migration.

You are now ready to direct your users to uReset 8.0.

  1. Remove the computer GPO created earlier with the settings container override setting – your Specops Authentication clients will now default to using the new version automatically.
  2. Update any bookmarked URLs or GPOs with URL Override settings.
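
To find GPOs that still point at the deprecated uReset 7.12 hostnames named earlier on this page (www.ureset.com and login.ureset.com), the added PowerShell example below searches every GPO report in the domain for them. It is not Specops code; it assumes the GroupPolicy RSAT module is installed and that the old URLs appear as setting values in the GPO report.

```powershell
# Added example, not Specops code. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

# Hostnames this page lists as deprecated for uReset 7.12 (NA and EU).
# login.specopssoft.com and eu.login.specopssoft.com do not match this pattern.
$deprecated = '(?i)\b(www|login)\.ureset\.com\b'

$hits = foreach ($gpo in Get-GPO -All) {
    # The XML report contains every configured setting value in the GPO.
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    $found = [regex]::Matches($xml, $deprecated) |
        ForEach-Object { $_.Value.ToLower() } |
        Sort-Object -Unique

    if ($found) {
        [pscustomobject]@{
            GpoName  = $gpo.DisplayName
            GpoId    = $gpo.Id
            Modified = $gpo.ModificationTime
            OldHosts = $found -join ', '
        }
    }
}

if ($hits) {
    $hits | Sort-Object GpoName | Format-Table -AutoSize
} else {
    'No GPO references www.ureset.com or login.ureset.com.'
}
```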