Reference Material | Configure Throttling

The Specops Password Reset Server uses data from user objects in Active Directory to read and write information used in the system. You can control which attributes are used by the system by modifying the registry on the Specops Password Reset Server.

Session data and mobile verification code attributes

During the password reset process, the session data, such as the session ID and the mobile verification code, is stored in the “specops-spp-pwdReset” object beneath the user object in Active Directory.

If your organization only uses the mobile verification code mechanism, the creation of the sub object can be avoided by configuring the Specops Password Reset Server to store the session data in custom attributes on the user object instead.

These settings are controlled in the registry on the Specops Password Reset Server. All three values live under the key:

HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[domain_name]

UseCustomAttributesForVerificationCode
Enables the use of custom attributes for session data. If the value is set to “1”, the custom attribute setting is enabled. If the value is set to “0”, the sub object is used to hold session data.
Default value: 0

CustomAttributeSessionId
LDAP display name of the string attribute on the user object that you wish to hold the session ID.
Default value: “”

CustomAttributeVerificationCode
LDAP display name of the string attribute on the user object that you wish to hold the mobile verification code.
Default value: “”

Run the following commands to grant the SPR service account permission to read and write (RPWP) the attributes chosen above. They must be run in a command prompt, not a PowerShell prompt: PowerShell treats the semicolons in the permission argument as statement separators and would split the command. /I:T applies the entry to the scope object and all sub-objects, and the trailing “user” limits the inherited entry to user objects:

dsacls [DN_of_your_scope_of_management] /I:T /G [spr_service_account]:RPWP;[your_selected_sessionID_attribute];user

dsacls [DN_of_your_scope_of_management] /I:T /G [spr_service_account]:RPWP;[your_selected_verification_code_attribute];user

Example:

dsacls OU=Example,DC=example,DC=com /I:T /G example\sprsvc:RPWP;carLicense;user

dsacls OU=Example,DC=example,DC=com /I:T /G example\sprsvc:RPWP;assistant;user

The Specops Password Reset Server service must be restarted after this configuration has been applied.

Email address and mobile phone attributes

By default the Specops Password Reset Server retrieves the email address of the user from the “mail” attribute and the mobile phone number from the “mobile” attribute. You can change these to other attributes on the user object:

Both values live under the key:

HKLM\Software\Specopssoft\Specops Password Reset\Server\Domains\[domain_name]

CustomAttributeMail
Enables the use of a custom attribute for the email address if configured with a value. The value must match the LDAP display name of an attribute on the user object.
Default value: “”

CustomAttributeMobile
Enables the use of a custom attribute for the mobile phone number if configured with a value. The value must match the LDAP display name of an attribute on the user object.
Default value: “”

Run the following commands in a command prompt (not a PowerShell prompt, for the same reason as above) to grant the SPR service account permission to read and write the attributes chosen above. /I:S applies the entry to sub-objects only:

dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:RPWP;[your_selected_email_attribute];user

dsacls [DN_of_your_scope_of_management] /I:S /G [spr_service_account]:RPWP;[your_selected_mobile_phone_attribute];user

Example (the attribute names are placeholders; use attributes that are not already assigned to session data above):

dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;carLicense;user

dsacls OU=Example,DC=example,DC=com /I:S /G example\sprsvc:RPWP;assistant;user

The Specops Password Reset Server service must be restarted after this configuration has been applied.

If the mobile attribute has been changed, the Specops Password Reset client must also be configured to use the custom attribute. This is controlled through the Specops Password Reset ADMX template and the “User object custom mobile attribute” setting.
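The two procedures above (session data attributes, then email and mobile attributes) applied from PowerShell, as an added example that is not Specops code. It assumes the Domains subkey is named after the DNS domain name, that the RSAT ActiveDirectory module is installed, that the service display name starts with “Specops Password Reset Server”, and that the registry value types shown are correct (it keeps the existing type if a value is already present). The attribute and account names are placeholders. Before writing anything it checks that each chosen attribute exists in the schema, is a single-valued Unicode string, and is not already populated in scope, because SPR will overwrite it.

```powershell
#Requires -RunAsAdministrator
# Added example (not Specops code): applies the registry values documented on this page
# and grants the service account the matching dsacls rights, from PowerShell.
param(
    [string]$DomainName                = 'example.com',                      # assumed subkey name
    [string]$ScopeDn                   = 'OU=Example,DC=example,DC=com',
    [string]$ServiceAccount            = 'example\sprsvc',
    [string]$SessionIdAttribute        = 'carLicense',                       # placeholder
    [string]$VerificationCodeAttribute = 'assistant',                        # placeholder
    [string]$MailAttribute             = '',   # leave empty to keep the default "mail"
    [string]$MobileAttribute           = ''    # leave empty to keep the default "mobile"
)
Import-Module ActiveDirectory -ErrorAction Stop

$domainKey = "HKLM:\Software\Specopssoft\Specops Password Reset\Server\Domains\$DomainName"

function Test-SprAttribute {
    # Sanity check: the attribute must exist, and since SPR writes string data it
    # should be a single-valued Unicode string (attributeSyntax 2.5.5.12).
    param([string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schema -Properties attributeSyntax, isSingleValued `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "Attribute '$LdapDisplayName' does not exist in the schema" }
    if ($attr.attributeSyntax -ne '2.5.5.12' -or -not $attr.isSingleValued) {
        Write-Warning "'$LdapDisplayName' is not a single-valued Unicode string; consider another attribute"
    }
    # SPR will overwrite the attribute, so warn if it already carries data in scope
    if (Get-ADUser -SearchBase $ScopeDn -LDAPFilter "($LdapDisplayName=*)" -ResultSetSize 1) {
        Write-Warning "'$LdapDisplayName' is already populated on users under $ScopeDn"
    }
}

function Set-SprRegistryValue {
    param([string]$Name, $Value, [Microsoft.Win32.RegistryValueKind]$Type)
    if (-not (Test-Path $domainKey)) { New-Item -Path $domainKey -Force | Out-Null }
    # The page does not state the value types; keep the existing type if the value is present
    $item = Get-Item -Path $domainKey
    if ($null -ne $item.GetValue($Name, $null)) { $Type = $item.GetValueKind($Name) }
    Set-ItemProperty -Path $domainKey -Name $Name -Value $Value -Type $Type
}

function Grant-SprAttributeAccess {
    # Same dsacls call as on this page. The ';' separators sit inside one quoted argument,
    # so PowerShell passes them through instead of splitting the statement (the reason the
    # page asks for a cmd prompt). T = this object and sub-objects, S = sub-objects only.
    param([string]$LdapDisplayName, [string]$Inheritance = 'T')
    & dsacls.exe $ScopeDn "/I:$Inheritance" /G "${ServiceAccount}:RPWP;${LdapDisplayName};user" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $LdapDisplayName (exit code $LASTEXITCODE)" }
}

# Session data and mobile verification code attributes
Test-SprAttribute $SessionIdAttribute
Test-SprAttribute $VerificationCodeAttribute
Set-SprRegistryValue -Name UseCustomAttributesForVerificationCode -Value 1 -Type DWord
Set-SprRegistryValue -Name CustomAttributeSessionId -Value $SessionIdAttribute -Type String
Set-SprRegistryValue -Name CustomAttributeVerificationCode -Value $VerificationCodeAttribute -Type String
Grant-SprAttributeAccess $SessionIdAttribute
Grant-SprAttributeAccess $VerificationCodeAttribute

# Email address and mobile phone attributes (only if a custom attribute was given)
foreach ($pair in @(@{ Name = 'CustomAttributeMail';   Attr = $MailAttribute },
                    @{ Name = 'CustomAttributeMobile'; Attr = $MobileAttribute })) {
    if ($pair.Attr) {
        Test-SprAttribute $pair.Attr
        Set-SprRegistryValue -Name $pair.Name -Value $pair.Attr -Type String
        Grant-SprAttributeAccess $pair.Attr -Inheritance 'S'
    }
}

# Restart the server service so it re-reads the registry (display name assumed)
Get-Service | Where-Object { $_.DisplayName -like 'Specops Password Reset Server*' } | Restart-Service
```

If a custom mobile attribute is set, the client-side ADMX setting described above still has to be configured separately; the script only covers the server.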

Specops Password Reset Server call throttling

To prevent attackers from systematically probing the system for user names, the Specops Password Reset Server service automatically limits the number of attempts a client may make within a sliding time window.

The sliding window starts counting when the first invalid request from a client is detected, and each further invalid attempt is added to it. When the time window for an individual request has elapsed, that request no longer counts against the client and the slot becomes available again.

To change these settings, modify the following registry values under the key:

HKLM\Software\Specopssoft\Specops Password Reset\Server\

CallThrottlingMaxCalls
Specifies the maximum number of calls permitted from a single client during the sliding time window. When the number is exceeded, the server denies the request and generates an error message.
Default value: 200

CallThrottlingTimeWindowSeconds
Specifies the size of the sliding window, measured in seconds.
Default value: 300 (5 minutes)
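A model of the per-client sliding window described above, as an added example that is not Specops code, so the effect of CallThrottlingMaxCalls and CallThrottlingTimeWindowSeconds can be checked before they are changed. It assumes one timestamp per invalid request from a single client, that a denied request does not itself extend the window (the page does not say whether it does), and that the two registry values are REG_DWORD. The burst of timestamps is constructed input.

```powershell
# Added example (not Specops code): simulate the sliding window for one client.
function Test-SprCallThrottle {
    param(
        [Parameter(Mandatory)][datetime[]]$InvalidAttemptTimes,
        [int]$MaxCalls = 200,           # CallThrottlingMaxCalls default
        [int]$TimeWindowSeconds = 300   # CallThrottlingTimeWindowSeconds default
    )
    $window   = [timespan]::FromSeconds($TimeWindowSeconds)
    $inWindow = [System.Collections.Generic.Queue[datetime]]::new()
    foreach ($t in ($InvalidAttemptTimes | Sort-Object)) {
        # An attempt whose window has elapsed no longer counts against the client
        while ($inWindow.Count -gt 0 -and ($t - $inWindow.Peek()) -ge $window) {
            [void]$inWindow.Dequeue()
        }
        if ($inWindow.Count -ge $MaxCalls) {
            # Limit reached: request denied; assumed not to extend the window
            [pscustomobject]@{ Time = $t; Denied = $true;  Counted = $inWindow.Count }
        } else {
            $inWindow.Enqueue($t)
            [pscustomobject]@{ Time = $t; Denied = $false; Counted = $inWindow.Count }
        }
    }
}

# Constructed input: one client sends 250 invalid requests, one per second
$start    = [datetime]'2024-01-01T00:00:00'
$attempts = 0..249 | ForEach-Object { $start.AddSeconds($_) }

# Defaults (200 per 300 s): attempts 1-200 pass, 201-250 are denied; the first
# slot would only free up 300 s after the first attempt
$result = Test-SprCallThrottle -InvalidAttemptTimes $attempts
"{0} denied of {1} (200/300s)" -f ($result | Where-Object Denied).Count, $result.Count

# The same burst against a tighter window: 20 calls per 60 s
$tight = Test-SprCallThrottle -InvalidAttemptTimes $attempts -MaxCalls 20 -TimeWindowSeconds 60
"{0} denied of {1} (20/60s)" -f ($tight | Where-Object Denied).Count, $tight.Count

# Apply the tighter setting (remove -WhatIf to write; restart the service afterwards)
$serverKey = 'HKLM:\Software\Specopssoft\Specops Password Reset\Server'
Set-ItemProperty -Path $serverKey -Name CallThrottlingMaxCalls          -Value 20 -Type DWord -WhatIf
Set-ItemProperty -Path $serverKey -Name CallThrottlingTimeWindowSeconds -Value 60 -Type DWord -WhatIf
```

The page does not state how the server identifies a client. Before tightening the values, check that legitimate users who share an address (for example behind a proxy or NAT) are not counted as one client, otherwise a lower limit can lock out a whole site.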