Installation

The content below is intended for IT administrators and will guide you through the process of installing Specops Password Reset.

Key components

Specops Password Reset consists of the following components and does not require any additional servers or resources in your environment. The architectural overview above shows the communication between the components in a typical installation. Note that the Password Reset Server and Password Reset Web components are typically installed on the same server inside the network.

Server: Manages all operations against Active Directory, such as changing/resetting passwords, and responds to requests from the Specops Password Web application.

Administration Tools: Used to configure the central aspects of the solution and enable the creation of Specops Password Reset settings in Group Policy Objects.

Web: Displays the end user interface of the product and communicates with the Specops Password Reset server to verify user input.

Specops Authentication Client (formerly known as the Specops Password Client): The Specops Client presents a link to the Specops Password Reset Web application on the Windows logon screen, and presents end user notifications about enrollment requirements.

Requirements

Your organization’s environment must meet the following system requirements:

Server
  • Windows Server 2008 or later
  • Windows Identity Foundation installed

Administration Tools
  • Windows 7 or later
  • Active Directory Users and Computers snap-in
  • Group Policy Management Console (GPMC)
  • .Net Framework 4.7.2 or later

Web
  • Windows Server 2008 or later
  • IIS installed
  • Trusted SSL certificate for all names the web application will be presented as

Specops Client
  • Windows 7 or later
  • Microsoft .NET Framework 3.5 SP1 or newer

The Specops Setup Assistant will help you meet the system requirements.

Installing Specops Password Reset

During installation, Specops Password Reset will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Reset:

  • Server
  • Administration Tools
  • Web
  • Specops Client
  1. Download the Setup Assistant.
  2. Save and Run the Setup Assistant on your server.
    Note: By default the file is extracted to C:\temp\SpecopsPasswordReset_Setup_[VersionNumber]
  3. Double click SpecopsPasswordReset.Setup.exe to launch the Setup Assistant.
  4. To begin, click Start Installation in the Specops Setup Assistant dialog box, and Accept the End User License Agreement.

Installing the Specops Password Reset Server

The Specops Password Reset Server performs operations against Active Directory and responds to requests from the Specops Password Web application.

  1. From the Setup Assistant, select Server.
  2. Verify that you have fulfilled the prerequisites. If you do not meet the prerequisites, you may need to do the following:
    • Verify that you are running a valid operating system.
    • Verify that Windows Identity Foundation is installed.
    • Verify that the account being used to run the Setup Assistant has local administrative permissions.
  3. Click Select user.
  4. Enter the Username and Password of the user account the service will run as, and click OK.

Note:

  • All operations performed by the Specops Password Reset Server component will be performed in the context of the service account selected here.

  5. Click Select to identify the management level where the Active Directory permissions are created. This is also used to track license usage.
  6. Click Select and click Create Self-signed Certificate. The self-signed certificate will be used to secure calls to the Specops Password Reset service.

Note:

  • From the Microsoft Management Console, rename the self-signed certificate with a friendly name so it can be easily identified during an upgrade: Certificates > Personal > right-click the certificate and select Properties > populate the Friendly name field, and click OK.

  7. Click Configure to configure the administrator notifications used to send email to the administrator regarding the Specops Password Reset license.
  8. In the Email Settings field, enter the SMTP Server Name.
  9. Enter the SMTP Username and SMTP Password.

Note: If no credentials are specified, the server will authenticate as the service account it is running as.

  10. Click OK.
  11. Click Configure to configure the settings for the mobile verification message. This will generate an SMS verification code that will be used to authenticate users who request password resets through the helpdesk.
  12. In the From email text field, enter the email address that will be used to send the validation message.
  13. Configure the To email, Subject, and Body settings according to the specifications of your SMS provider.
  14. From the Insert placeholder code drop box, select the information that will be different for each user.
  15. Click OK.
  16. Click Install.

Installing the Specops Password Reset Web

The Specops Password Reset web component presents the end user interface of the product and communicates with the Specops Password Reset server to verify user input. During installation, you will be given the option to include the Specops Password Reset Web Service (Mobile Access). The Mobile Access component is used to enable the Specops Password Reset mobile device application to connect to the Specops Password Reset Server. The Specops Password Web installation will also install the Specops Password Reset Web Customization tool which can be used to manage language translations and graphical branding of the website.

  1. From the Setup Assistant, select Web.
  2. Verify that you have fulfilled the prerequisites. If you do not meet the prerequisites, you may need to do the following:
    • Verify that you are running a valid operating system.
    • Verify that the account being used to run the Setup Assistant has local administrative permissions.
    • Verify that IIS is installed.
    • Configure IIS for Specops Password Reset.
  3. Click Select to select which Specops Password Reset Server service you want the web component to connect to.
  4. Enter the name of the server and click OK.
  5. Click Select to identify the website where the Specops Password Reset Web will be installed.

Note:

  • If there is more than one website running on your IIS, you may select which one you wish to use for the Specops Password Reset Web component.
  • If the Web component is installed on a server in the internal network, and you want to direct your internal password clients to use the web server you are installing, the Update the Service Connection Point information during installation option should remain checked.

  6. Click OK.
  7. Click Select to select the certificate you wish to use for the SSL encryption, and click OK.
  8. Click Install.

Note: The Specops Password Reset Web Setup Wizard will appear. The Wizard will allow you to install the mobile component.

  1. In the Specops Password Reset Web Setup Wizard, click Next.
  2. Read and accept the license agreement, and click Next.
  3. Select the drop-box next to Password Reset Web Service (Mobile Access), and click Will be installed on local hard drive.
  4. Click Next.
  5. Click Install.

Install the web component in DMZ

If applicable:

  1. Verify you have .Net 3.5 SP1 installed on the DMZ server.
  2. Do not select Update the Service Connection Point information during installation.

Note: This option will not be visible if the DMZ server is not joined to the domain.

  3. If the certificate is installed on the server, you will be able to select/view the certificate in the Setup Assistant.

Note: If you are unable to select/view the certificate, continue with the Setup Assistant and select the SSL certificate in IIS Manager under Default Web Site > Bindings > https > Edit.

  4. The DMZ zone that hosts your public facing DNS records will need to be updated with a record providing a site name that is easier for end users to remember.

Note: Names such as http://pwreset.contoso.com or https://pwchange.contoso.com are commonly used conventions.

  5. Verify that port 4371 in your firewall is open to the internal Specops Password Reset Server.

Install the Administration Tools

Installing the Administration Tools will install the Specops Password Reset Configuration tool and the GPMC snap-in. You can use the Configuration tool to manage configurations that apply to your entire domain. You can use the GPMC snap-in to configure Specops Password Reset policies in a Group Policy Object. The GPO can then be applied to your entire domain or a part of your domain.

The Administration Tools should be installed on the computer that you want to administer the product from.

  1. From the Setup Assistant, select Administration Tools.
  2. Click Add menu ext. to register the Specops Display Specifiers in the configuration partition of your Active Directory forest.
  3. Click Install.

Installing the Client

Installing the Client will present a link to the Specops Password Reset Web application on the Windows logon screen, and present end user notifications about enrollment requirements. The Client should be installed on all domain joined client machines and may be installed on any servers where access to the system is desired.

Deploy the Client using GPSI

You can automatically configure an existing Group Policy Object with Software Installation settings to deploy the Client in your domain. Alternatively, you can use another deployment solution to install the Client on the computers in your organization by downloading the msi-files. See Deploy the Client using Specops Deploy / App or other deployment tools for more information.

  1. From the Setup Assistant, select Deploy Specops Password Client using GPSI.
  2. To select the Group Policy Object that will be used to deploy the Client, click Select GPO. You will be given the following options:

    Create New GPO:
      1. Click Create New GPO.
      2. Enter a new Group Policy Object name.
      3. Select the location where you want to link the Group Policy Object.
      4. Click OK.

    Select an existing GPO:
      1. Select an existing GPO from the list.
      2. Select a link for the chosen GPO, and click OK.

  3. Click Download… to download the installation files for the Client.
    • In the dialog box, click Download Files.
    • When the dialog box is complete, click OK.

      Note: The files are copied to: C:\temp\SpecopsPassword_Setup[VersionNumber]\products\specopspasswordreset

  4. To install the Client on all computers in your organization, you can:

    Create a network share on the local computer and copy the msi-package to the new network share:
      1. Click Create Share.
      2. Select a local path to create the share for, and click OK.
      3. Click Select share.
      4. Verify that the network path to the network share you created is correct, and click OK.

    Select an existing network share and manually copy the msi-package to the existing network share:
      1. Click Select Share.
      2. Browse to the location of the msi-package, and click OK.

    Note: It is recommended that you use a Distributed File System (DFS) share. If DFS is used with load balancing, verify that the setup files are copied to all servers before proceeding.

  5. To create the packages for x86 and x64 deployments in the selected GPO, click Add Settings.

Note: The Client Side Extension MSI will be deployed through a computer software installation and may not take effect until the computers have been restarted.

Deploy the Client using Specops Deploy / App or other deployment tools

If you are not deploying using Group Policy Software Installation (GPSI), you can download the Client for alternative deployment methods, such as Specops Deploy.

  1. Download the Specops Client:
    Download Specops Authentication Client x64
    Download Specops Authentication Client x86
  2. Double click the Specops.Authentication.Client-x64 or Specops.Authentication.Client-x86 Windows Installer Package.
  3. Accept the terms in the License Agreement, and click Install.
  4. Click Finish.


Post-installation configuration

You will need to complete the following configuration settings once you have installed Specops Password Reset.

Import your license key

Enter your license key in the Password Reset Configuration Tool.

  1. Open the Specops Password Reset Configuration Tool.
  2. In the navigation pane, select License.
  3. Click Import License.
  4. Browse to the location of the TXT file, and click Open.

Verify that your domain is configured for use with Specops Password Reset

  1. Open the Specops Password Reset Configuration Tool.
  2. In the navigation pane, select Domains.
  3. Verify that your domain is listed under Configured Domains.

Enable authentication to the Password Reset Web Server

Add members to the Specops Password Reset local security groups

Install additional web servers you might want to use for external access

Refer to Install the Web Component in DMZ (if applicable)

If using Secret Question Authentication, ensure that users enroll in the systems

For information about the different enrollment options and best practices, see Specops Password Reset Enrollment Options and Best Practices.

Verify that the Specops Client is installed on your client machines

Perform the following steps on the client to determine that the Client has been successfully installed.

  1. View installed programs from the Control Panel:
    – Open Programs and Features.
    – In the list of installed programs, find Specops Authentication Client.

Note: You can also view the version of the Client.

  2. View installed programs from the Registry.
    – Open the registry editor.
    – Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Client.

Note: The above key will only exist after the Client has been installed.

Verify security settings for administrative accounts

Windows contains many built-in security features designed to enhance the security around administrative accounts. One of these features is the adminSDHolder functionality, which automatically reconfigures the ACL on objects which are members of built-in privileged Active Directory groups. This process runs every 60 minutes on the PDC Emulator and will remove the inherited permissions of your Specops Password Reset service account from the protected user objects. If you want your administrative accounts to be able to use Specops Password Reset, you must manually add permissions for the service account to the AdminSDHolder container.

  1. Log in with an account with Domain Admin permissions and run the following command:

    dsacls "CN=AdminSDHolder, CN=System, <domainDN>" /G "<serviceAccount>:CCDC;classStore;" "<serviceAccount>:LC;;" "<serviceAccount>:CA;Reset Password;" "<serviceAccount>:RP;userAccountControl;" "<serviceAccount>:RPWP;mobile;" "<serviceAccount>:RPWP;pwdLastSet;" "<serviceAccount>:RPWP;lockoutTime;"

    Example:

    dsacls "CN=AdminSDHolder, CN=System, DC=example, DC=com" /G "EXAMPLE\sprsvc:CCDC;classStore;" "EXAMPLE\sprsvc:LC;;" "EXAMPLE\sprsvc:CA;Reset Password;" "EXAMPLE\sprsvc:RP;userAccountControl;" "EXAMPLE\sprsvc:RPWP;mobile;" "EXAMPLE\sprsvc:RPWP;pwdLastSet;" "EXAMPLE\sprsvc:RPWP;lockoutTime;"

  2. Replace <domainDN> and <serviceAccount> with the domain components of your domain and the name of the SPR service account.

Note: Allowing Specops Password Reset to work with accounts that have administrative permissions is not best practice for security reasons. Enable these settings only if the practical reality of your organization requires it.

Configure access to Active Directory Fine-Grained Password Policies

If Specops Password Reset is installed in a domain where fine-grained password policies are used, the Specops Password Reset Service Account must be granted permissions to read the configured password policies.

  1. Log in with an account with Domain Admin permissions and run the following command:

    dsacls "CN=Password Settings Container,CN=System,<domainDN>" /I:T /G <serviceAccount>:GR;;

    Example:

    dsacls "CN=Password Settings Container,CN=System,DC=example,DC=com" /I:T /G EXAMPLE\sprsvc:GR;;

  2. Replace <domainDN> and <serviceAccount> with the domain components of your domain and the name of the SPR service account.
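After running the two dsacls commands above (the AdminSDHolder grants and the Password Settings Container read grant), an administrator will want to confirm what the service account actually holds. The following script is an added example, not part of the Specops documentation: it reads the ACLs of both containers through the ActiveDirectory module, keeps only the ACEs for the service account, and resolves the attribute and extended-right GUIDs to names so the output can be compared with the grants. The account name EXAMPLE\sprsvc is a placeholder, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added check script, not part of the Specops documentation. Lists the ACEs the
# SPR service account holds on AdminSDHolder and on the Password Settings
# Container and resolves attribute/extended-right GUIDs to names.
# Assumptions: ActiveDirectory PowerShell module available; the account below
# is a placeholder in DOMAIN\account form.
param(
    [string]$ServiceAccount = 'EXAMPLE\sprsvc'   # placeholder service account
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# GUID -> display name for schema attributes/classes (e.g. pwdLastSet) and for
# extended rights (e.g. "Reset Password"), so ObjectType GUIDs become readable.
$guidNames = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter '(rightsGuid=*)' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Get-ServiceAccountAces {
    param([string]$DistinguishedName, [string]$Identity)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -ieq $Identity } |
        ForEach-Object {
            # An empty ObjectType means the right applies to the whole object.
            $appliesTo = $_.ObjectType.ToString()
            if ($_.ObjectType -eq [guid]::Empty) { $appliesTo = '(all)' }
            elseif ($guidNames.ContainsKey($_.ObjectType)) { $appliesTo = $guidNames[$_.ObjectType] }
            [pscustomobject]@{
                Object      = $DistinguishedName
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = $appliesTo
                Inheritance = $_.InheritanceType
            }
        }
}

$targets = @(
    "CN=AdminSDHolder,CN=System,$domainDn",
    "CN=Password Settings Container,CN=System,$domainDn"
)
$aces = foreach ($dn in $targets) {
    Get-ServiceAccountAces -DistinguishedName $dn -Identity $ServiceAccount
}
if (-not $aces) {
    Write-Warning "No ACEs for $ServiceAccount on the checked containers; the dsacls grants have not been applied."
} else {
    $aces | Format-Table -AutoSize
}
```

Because SDProp runs every 60 minutes on the PDC Emulator, the ACEs on AdminSDHolder appear on protected user objects only after the next propagation cycle.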

Configure your environment for use with the Mobile Access Web Service

If you installed the Mobile Access Web Service as part of the Specops Password Reset Web installation, you will need to complete the below steps before the service is ready for use within your organization.

Make the Mobile Access Web Service reachable from the internet: Your firewall must allow communication on tcp port 443 so that mobile devices can connect to the service through https.

Enable service discovery: For the device to find the Mobile Access service, the application will require the user to enter their email address. The domain part of the email address will be used to make a DNS query for a service record for the Mobile Access Web Service in the email domain's zone. This requires each DMZ zone to be updated with a new service record pointing to the Password Reset Mobile Access Service.

Create the Specops Password SRV record: The service record should be created in your mail enabled external DMZ zone by you or your ISP depending on who manages the zone data.

The following settings should be used when creating the service record:

DNS record part | Value | Explanation
Service and protocol | _specopspassword._tcp | The “_specopspassword” service is accessed over tcp.
Zone Name | [zone] | The name of your internet zone. The full name of the service record for the “example.com” domain would be _specopspassword._tcp.example.com.
TTL | [TTL] | The time (in seconds) the record may be cached before it is considered obsolete. Every zone has a default TTL value, but it is also possible to set a separate TTL for each record.
Class | IN | The standard DNS class field. This is always “IN”.
Priority | 0 | If more than one target host exists for the service record, the priority determines the preference between targets. Lower values mean higher preference.
Port | 443 | The “_specopspassword” service is accessed over SSL on port tcp/443. If this configuration is changed on the web server, the port in the SRV record needs to reflect this as well.
Target | [target FQDN] | The FQDN of the host running the Specops Password Reset Web Service. For a host called “spr” in the example.com domain, the target would be spr.example.com.

The complete record to connect clients to the host “spr.example.com” might look like this:
_specopspassword._tcp.example.com 86400 IN SRV 0 0 443 spr.example.com

Test the service record: The service record can be tested by running the following command:

nslookup -type=SRV _specopspassword._tcp.[your_domain_name] 8.8.8.8

Expected response:
nslookup -type=SRV _specopspassword._tcp.example.com 8.8.8.8

Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
_specopspassword._tcp.example.com SRV service location:
priority = 0
weight = 0
port = 443
svr hostname = spr.example.com
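The discovery described above, as an added example that is not part of the Specops documentation or product: the function takes a user's email address, builds the _specopspassword._tcp SRV name from its domain part, resolves it against the same resolver as the nslookup command (8.8.8.8), orders the targets by priority and weight, and then checks that tcp/443 on the chosen target answers. Resolve-DnsName and Test-NetConnection are assumed to be available (Windows 8.1 / Server 2012 R2 or later); user@example.com is a constructed sample address.

```powershell
# Added example, not from the Specops documentation. Reproduces the mobile app's
# service discovery: e-mail domain -> _specopspassword._tcp.<domain> SRV lookup.
# Assumptions: Resolve-DnsName and Test-NetConnection available; the resolver
# 8.8.8.8 is the one used in the page's nslookup example.
function Get-SpecopsMobileServiceTarget {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [string]$DnsServer = '8.8.8.8'
    )
    # Only the part after the last '@' is used for discovery.
    $domain = ($EmailAddress -split '@')[-1].Trim().TrimEnd('.')
    if (-not $domain) { throw "No domain part in '$EmailAddress'" }
    $srvName = "_specopspassword._tcp.$domain"

    $records = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) { throw "No SRV record found for $srvName" }

    # Lower priority wins; among equal priorities, higher weight is preferred.
    $records |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        ForEach-Object {
            [pscustomobject]@{
                SrvName  = $srvName
                Target   = $_.NameTarget
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
                TTL      = $_.TTL
            }
        }
}

# Usage: resolve the record for a constructed sample user and verify that the
# https port named in the record is reachable from this host.
$target = Get-SpecopsMobileServiceTarget -EmailAddress 'user@example.com' | Select-Object -First 1
$target | Format-List
if ($target.Port -ne 443) {
    Write-Warning "SRV record points at port $($target.Port); confirm the web server binding matches."
}
Test-NetConnection -ComputerName $target.Target -Port $target.Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run it from outside the network to mirror what a mobile device sees; a failed TcpTestSucceeded with a correct SRV answer points at the firewall rule for tcp/443 rather than at DNS.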

If you are using a proxy internally, you will need to add an exception to bypass authentication, and let the system browse to the Specops Password Reset web page without authentication.
