Installation

Specops Password Reset consists of the following components and does not require any additional servers or resources in your environment. The architectural overview above shows the communication between the components in a typical installation. Note that the Password Reset Server and Password Reset Web components are typically installed on the same server inside the network.

Server: Manages all operations against Active Directory, such as changing/resetting passwords, and responds to requests from the Specops Password Web application.

Administration Tools: Used to configure the central aspects of the solution and enable the creation of Specops Password Reset settings in Group Policy Objects.

Web: Displays the end user interface of the product and communicates with the Specops Password Reset server to verify user input.

Specops Client (formerly known as the Specops Password Client): The Specops Client presents a link to the Specops Password Reset Web application on the Windows logon screen, and presents end user notifications about enrollment requirements.

Your organization’s environment must meet the following system requirements:

During installation, Specops Password Reset will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Reset:

• Server
• Administrations Tools
• Web
• Specops Client

1. Download the Setup Assistant.
2. Save and Run the Setup Assistant on your server.
   NOTE

   By default the file is extracted to C:\temp\SpecopsPasswordReset_Setup_[VersionNumber]
3. Double-click SpecopsPasswordReset.Setup.exe to launch the Setup Assistant.
4. To begin, click Start Installation in the Specops Setup Assistant dialog box, and Accept the End User License Agreement.

Installing the Specops Password Reset Server

The Specops Password Reset Server performs operations against Active Directory and responds to requests from the Specops Password Web application.

1. From the Setup Assistant, select Server.
2. Verify that you have fulfilled the prerequisites. If you do not meet the pre-requisites you may need to do the following:
3. Verify that you are running a valid operating system.
4. Windows Identity Foundation is installed.
5. Verify that the account being used to run the Setup Assistant has local administrative permissions.
6. Click Select user.
7. Enter the Username and Password of the user account the service will run as, and click OK.
   NOTE

   All operations performed by the Specops Password Reset Server component will be performed in the context of the service account selected here.
8. Click Select to identify the management level where the Active Directory permissions are created. This is also used to track license usage.
9. Click Select and click Create Self-signed Certificate. The self-signed certificate will be used to secure calls to the Specops Password Reset service.
   NOTE

   From the Microsoft Management Console, rename the self-signed certificate with a friendly name so it can be easily identified during an upgrade: Certificates > Personal > right-click and select Properties > populate the Friendly name field, and click OK.
10. Click Configure to configure the administrator notifications used to send email to the administrator with notifications regarding the Specops Password Reset License.
11. In the Email Settings field, enter the SMTP Server Name.
12. Enter the SMTP Username and SMTP Password.
    NOTE

    If no credentials are specified, the server will authenticate as the service account it is running as.
13. Click OK.
14. Click Configure to configure the settings for the mobile verification message. This will generate an SMS verification code that will be used to authenticate users who request password resets through the helpdesk.
15. In the From email text field, enter the email address that will be used to send the validation message.
16. Configure the To email, Subject, and Body settings according to the specifications of your SMS provider.
17. From the Insert placeholder code drop box you can select the information that will be different for each user.
18. Click OK.
19. Click Install.

Installing the Specops Password Reset Web

The Specops Password Reset web component presents the end user interface of the product and communicates with the Specops Password Reset server to verify user input. During installation, you will be given the option to include the Specops Password Reset Web Service (Mobile Access). The Mobile Access component is used to enable the Specops Password Reset mobile device application to connect to the Specops Password Reset Server. The Specops Password Web installation will also install the Specops Password Reset Web Customization tool which can be used to manage language translations and graphical branding of the website.

1. From the Setup Assistant, select Web.
2. Verify that you have fulfilled the prerequisites. If you do not meet the pre-requisites you may need to do the following:
3. Verify that you are running a valid operating system.
4. Verify that the account being used to run the Setup Assistant has local administrative permissions.
5. Verify that IIS is installed.
6. Configure IIS for Specops Password Reset.
7. Click Select to select which Specops Password Reset Server service you want the web component to connect to.
8. Enter the name of the server and click OK.
9. Click Select to identify the website where the Specops Password Reset Web will be installed.
   NOTE

   • If there is more than one website running on your IIS you may select which one you wish to use for the Specops Password Reset Web Component.
   • If the Web component is installed on a server in the internal network, and you want to direct your internal password clients to use the web server you are installing, the Update the Service Connect Point information during installation should remain checked.
10. Click OK.
11. Click Select to select the certificate you wish to use for the SSL encryption, and click OK.
12. Click Install.
    NOTE

    The Specops Password Reset Web Setup Wizard will appear. The Wizard will allow you to install the mobile component.
13. In the Specops Password Reset Web Setup Wizard, click Next.
14. Read and accept the license agreement, and click Next.
15. Select the drop-box next to Password Reset Web Service (Mobile Access), and click Will be installed on local hard drive.
16. Click Next.
17. Click Install.

Installing the web component in DMZ

If the computer is in a workgroup, the recommended way of installing is the user interface in the setup assistant:

1. Verify you have .Net 3.5 SP1 installed on the DMZ server.
2. Do not select Update the Service Connection Point information during installation.
   NOTE

   This option will not be visible if the DMZ server is not joined in the domain.
3. If the certificate is installed on the server you will be able to select/view the certificate in the setup assistant.
   NOTE

   If you are unable to select/view the certificate, continue with the setup assistant and select the SSL certificate in IIS manager/Default website/Bindings/https/Edit/.
4. The DMZ zone that hosts your public facing DNS records will need to be updated with a record providing an easier site name to for end users to remember.
5. Verify that port 4371 in your firewall is open to the internal Specops Password Reset Server.

If the computer in DMZ is member of a separate Active Directory domain for DMZ, the recommended way of installing is to install the MSI using a command line:

The following parameters are used in the command line script:

• IISPARENTWEBSITE: Name of the parent web site, e.g. “Default Web Site”
• REMOTINGSERVER: Name of the SPR server, that must be reachable from DMZ
• IISTHUMBPRINT: TLS certificate

MSIEXEC /i SpecopsPasswordResetWeb-x64.msi ALLUSERS=1 IISPARENTWEBSITE="Default Web Site" REMOTINGSERVER=spr.acme.org REMOTINGPORT=4371 SERVERINDMZ=1 IISTHUMBPRINT="‎" IISAPPLICATIONNAME=SpecopsPassword IISAPPLICATIONPOOLNAME=SpecopsPassword
                    IISHASSILVERLIGHTPAGES=false IISUSEWCF=false IISENABLESSL=true IISENABLEANONYMOUSAUTHENTICATION=true IISSECUREFOLDERS="Enrollment,Helpdesk"

Install the Administration Tools

Installing the Administration Tools will install the Specops Password Reset Configuration tool and the GPMC snap-in. You can use the Configuration tool to manage configurations that apply to your entire domain. You can use the GPMC snap-in to configure Specops Password Reset policies in a Group Policy Object. The GPO can then be applied to your entire domain or a part of your domain.

The Administration Tools should be installed on the computer that you want to administer the product from.

1. From the Setup Assistant, select Administration Tools.
2. Click Add menu ext. to register the Specops Display Specifiers in the configuration partition of your Active Directory forest.
3. Click Install.

Installing the Specops Client

The Specops Client is installed with an MSI-based installer. Note that upgrading the Specops Client will overwrite the installed Client.

If installed, the Specops Client can be found in “Add/Remove Programs” or “Programs and Features” from within the Windows Control Panel. Versions and releases may vary.

The Specops Client can be used across the following Specops Software products:

• Specops Password Reset
• Specops Password Policy
• Specops uReset

Upgrading the Specops Client

Organizations using Specops Password Policy only, need to deploy the Specops Client MSI. The CefSharp Runtime MSI is not required for this scenario.

Organizations using Specops uReset or Specops Password Reset, need to deploy the CefSharp Runtime MSI in addition to the Specops Client MSI. The CefSharp Runtime MSI is required by the Secured Browser used for resetting passwords.

Since the Specops Client uses a specific version of the CefSharp Runtime MSI, it is important to deploy the latest CefSharp Runtime MSI at the same time or before deploying the Specops Client MSI.

While the Specops Client MSI only can be installed with exactly 1 version, multiple versions of the CefSharp Runtime MSI can be installed at the same time. The purpose with this is to simplify deployment in a larger organization.

The recommended flow for upgrading the Specops Client is:

1. Deploy the latest CefSharp Runtime MSI, if it's not already deployed
2. Deploy the latest Specops Client MSI
3. Undeploy any previous versions of the CefSharp Runtime MSI, if necessary
4. Download and update the administrative (ADMX) templates to have the latest version in place. In most cases no configuration changes are needed, unless explicitly stated in release notes. See the section below about configuration of the Specops Client.

The Specops Client needs to be installed on the organization’s client computers, either by installing manually or by deploying using a deployment tool.

Downloading the Specops Client

Download the MSI from the download page directly. Users installing Specops Password Policy can also access the download page via the Password Policy installer's Download Client Installation Files section.

Deploying the Specops Client

To deploy the Specops Client to all users, use GPSI, Specops Deploy/App, or any other deployment tool. Specops Client supports silent install when deploying using a deployment tool. The client MSI can be deployed silently using standard MSI switches (e.g. /qn). There are no Specops command line parameters for the MSI installation.

Manually Installing or upgrading the Specops Client

1. Open the Specops Client Setup wizard you just downloaded (.msi file)
2. In the wizard, click Next.
3. Accept the License Agreement by checking the checkbox, and click Next.
4. Select the location where the Client should be installed (default path is C:\Program Files\Specopssoft\Specops Client\), then click Next.
5. Click Install.
6. Once the installation has completed, click Finish.

Configuring the Specops Client

The Specops Client can be configured using the administrative template in the Group Policy Management Console. For more information on its configuration, please refer to the Specops Client page.

You will need to complete the following configuration settings once you have installed Specops Password Reset.

Import your license key

Enter your license key in the Password Reset Configuration Tool.

1. Open the Specops Password Reset Configuration Tool.
2. In the navigation pane, select License.
3. Click Import License.
4. Browse to the location of the TXT file, and click Open.

Verify that your domain is configured for use with Specops Password Reset

1. Open the Specops Password Reset Configuration Tool.
2. In the navigation pane, select Domains.
3. Verify that your domain is listed under Configured Domains.

Enable authentication to the Password Reset Web Server

Add members to the Specops Password Reset local security groups

Install additional web servers you might want to use for external access

Refer to Install the Web Component in DMZ (if applicable)

If using Secret Question Authentication, ensure that users enroll in the systems

For information about the different enrollment options and best practices, see Specops Password ResetEnrollment Options and Best Practices.

Verify that the Specops Client is installed on your client machines

Perform the following steps on the client to determine that the Client has been successfully installed.

1. View installed programs from the Control Panel:
   Option

   ---

   1. Open Programs and Features.
   2. In the list of installed programs, find Specops Client.
   NOTE

   You can also view the version of the Client.
2. View installed programs from the Registry.
   Option

   ---

   1. Open the registry editor.
   2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Client

Verify security settings for administrative accounts

Windows contains many built-in security features designed to enhance the security around administrative accounts. One of these features is the adminSDHolder functionality, which automatically reconfigures the ACL on objects which are members of built-in privileged Active Directory groups. This process runs every 60 minutes on the PDC Emulator and will remove the inherited permissions of your Specops Password Reset service account from the protected user objects. If you want your administrative accounts to be able to use Specops Password Reset, you must manually add permissions for the service account to the AdminSDHolder container.

1. Log in with an account with Domain Admin permissions and run the following command:
   
   Copy

   dsacls "CN=AdminSDHolder, CN=System, <Domain DN>" /G "<ServiceAccount>:CCDC;classStore;" "<ServiceAccount>:LC;;" "<ServiceAccount>:CA;Reset Password;" "<ServiceAccount>:RP;userAccountControl;" "<ServiceAccount>:RPWP;mobile;"
                               "<ServiceAccount>:RPWP;pwdLastSet;" "<ServiceAccount>:RPWP;lockoutTime;"Example:dsacls "CN=AdminSDHolder, CN=System, DC=example, DC=com" /G "EXAMPLEsprsvc:CCDC;classStore;" "EXAMPLEsprsvc:LC;;" "EXAMPLEsprsvc:CA;Reset
                               Password;" "EXAMPLEsprsvc:RP;userAccountControl;" "EXAMPLEsprsvc:RPWP;mobile;" "EXAMPLEsprsvc:RPWP;pwdLastSet;" "EXAMPLEsprsvc:RPWP;lockoutTime;"
                           

2. Replace <domainDN> and <serviceAccount> with the domain components of your domain and the name of the SPR service account.

Configure access to Active Directory Fine-Grained Password Policies

If Specops Password Reset is installed in a domain where fine-grained password policies are used, the Specops Password Reset Service Account must be granted permissions to read the configured password policies.

1. Log in with an account with Domain Admin permissions and run the following command:
2. Copy

   dsacls “CN=Password Settings Container,CN=System,<domainDN>” /I:T /G <serviceAccount>:GR;; Example: dsacls “CN=Password Settings Container,CN=System,DC=example,DC=com” /I:T /G EXAMPLEsprsvc:GR;;

3. Replace <domainDN> and <serviceAccount> with the domain components of your domain and the name of the SPR service account.

Configure your environment for use with the Mobile Access Web Service

If you installed the Mobile Access Web Service as part of the Specops Password Reset Web installation, you will need to complete the below steps before the service is ready for use within your organization.

Make the mobile Access Web Service reachable from the internet: Your firewall must allow communication on tcp port 443 so mobile device can connect to the service through https.

Enable service discovery: For the device to find the Mobile Access service, the application will require the user to enter their email address. The domain part of the email address will be used to make a DNS query to find a service record for the Mobile Access Web Service in the email zone. This requires each DNS zone to be updated with a new service record point to the Password Reset Mobile Access Service.

Create the Specops Password SRV record: The service record should be created in your mail enabled external DNS zone by you or your ISP depending on who manages the zone data.

The following settings should be used when creating the service record:

The complete record to connect clients to the host “spr.example.com” might look like this:
_specopspassword._tcp.example.com 86400 IN 0 0 443 spr.example.com

Test the service record: The service record can be tested by running the following command:

nslookup -type=SRV _specopspassword._tcp.[your_domain_name] 8.8.8.8

Expected response:
nslookup -type=SRV _specopspassword._tcp.example.com 8.8.8.8

Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
_specopspassword._tcp.example.com SRV service location:
priority = 0
weight = 0
port = 443
svr hostname = spr.example.com

If you are using a proxy internally, you will need to add an exception to bypass authentication, and let the system browse to the Specops Password Reset web page without authentication.