Forefront Identity Manager - Credential Management, Part 4

This post describes how the client interacts with the server during Self-Service Password Reset (SSPR) registration and reset. Most of this information can be found in either the client-side or the server-side log. The implementation is subject to change. If you develop a custom SSPR client based on the information below, please make sure that what you do is supported.

Deep Dive into Self-Service Password Reset

Components and terminologies:

  • Gate Framework (GF), a client-side unmanaged component. It handles the UI of the various gates and the password reset screen.
  • PasswordProxy (Proxy), aka FIMPasswordReset, a client-side managed component. It acts as a proxy between the Gate Framework and the FIM Service.
  • FIM Service
  • Secure Token Service (STS), a component of FIM Service that issues tokens

Communication channels used:

  • Gate Framework (GF) and PasswordProxy communicate over a secured named pipe, because GF is native and PasswordProxy is managed.
  • PasswordProxy and FIMService/STS communicate over WCF with message security.
  • FIMService and FIMSynchronizationService communicate over WMI.

Registration Sequence

  1. C:\Windows\System32\MsPwdRegistration.exe starts automatically when the user logs on.
  2. It performs some housekeeping routines and calls into GF to initiate the registration sequence.
  3. GF establishes a secured named pipe to the Proxy.
  4. The Proxy will then:
    1. Look up the user GUID: /Person[Domain='...' and Account='...']
    2. Look up all AuthN WFs that the user can use for SSPR:
      /MPR[Disabled=false && (PrincipalSet=Anonymous && ResourceCurrentSet=/Set[ComputedMember='user guid']) && ActionType='Modify' && ActionParameter='ResetPassword']/AuthenticationWorkflowDefinition
    3. For each AuthN WF, determine whether the user:
      1. Is registered (User.AuthNWFRegistered attribute).
      2. Is locked out (User.AuthNWFLockedout attribute).
    4. Return one of the following values to GF:
      1. Registration Required, when one or more AuthN WFs are not registered.
      2. LockedOut, when the user is locked out of one or more AuthN WFs.
      3. Registration Optional, otherwise.
  5. If the return value is not Registration Optional, GF displays the Registration Welcome Screen.
  6. To register, the Proxy sends a Put request that adds the AuthN WF GUID to User.AuthNWFRegistered.
  7. This request triggers the AuthN WF "System Workflow Required for Registration" via the MPR "General workflow: Registration initiation for authentication activity", and the Proxy receives an AuthNRequiredFault.
  8. The AuthN fault contains the endpoint address of the STS that the client needs to contact to obtain a token.
  9. The Proxy then relays messages between GF and the STS. The STS sends a list of challenges (e.g. Q&A); GF displays the questions and replies with the answers the user enters, and so on.
  10. At the end of the challenge-response sequence, the STS issues a token indicating that the user has passed the AuthN WF.
  11. The Proxy then resumes the original request with the STS token.
  12. After that, the request goes through the normal AuthZ, Commit and Action phases.

Reset Sequence

  1. The user clicks the "Reset Password" link on the logon screen.
  2. The GINA/Credential Provider calls into GF to initiate the reset sequence.
  3. GF establishes a secure channel with the Proxy.
  4. The Proxy sends a Put request that modifies the User.ResetPassword attribute.
  5. This request triggers the AuthN WF "Password Reset AuthN Workflow" via the MPR "Anonymous users can reset their password", and the Proxy receives an AuthNRequiredFault.
  6. The Proxy then obtains an STS token and resumes the request, just as during registration.
  7. The request goes through the normal AuthZ, Commit and Action phases.
  8. During the Action phase, it kicks off the Action WF "Password Reset Action Workflow".
  9. This workflow listens on an endpoint, waiting for the user to enter their new password.
  10. Once the Password Reset Action Workflow receives the new password, it makes a WMI call, under the FIMService service account context, to the FIMSynchronizationService to perform a SetPassword.
  11. The FIMSynchronizationService, under the AD MA account context, contacts the primary domain controller (PDC) to reset the user's password.
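Both sequences above follow the same shape: a Put request, an AuthNRequiredFault pointing at the STS, a challenge/response with the gate, and a resume of the original request with the token, after which the reset case hands off to an Action WF that waits for the new password. The following Python model, added here and not part of the original post or of FIM itself, walks through the registration-state decision of step 4, the fault-and-resume exchange, the Action WF hand-off, and the lockout failure mode. All identifiers are constructed: the AuthN WF id, the STS endpoint, the questions, the lockout threshold and the in-memory "directory" are placeholders, and the WCF, STS and WMI wire formats are not reproduced.

```python
from dataclasses import dataclass, field
import itertools

QA_WF = "wf-qa-placeholder"   # placeholder AuthN WF id (constructed, not a real FIM GUID)
MAX_FAILED_ATTEMPTS = 3       # lockout threshold assumed for this model only


@dataclass
class User:
    object_id: str
    account: str
    authn_wf_registered: set = field(default_factory=set)   # models User.AuthNWFRegistered
    authn_wf_lockedout: set = field(default_factory=set)    # models User.AuthNWFLockedout
    qa_answers: tuple = ()                                  # registered answers (constructed)
    password: str = "initial"
    failed_attempts: int = 0


def authn_wf_filter(user_guid):
    """Step 4.2: enabled MPRs granting Anonymous 'Modify ResetPassword' on a set containing the user."""
    return (f"/MPR[Disabled=false and PrincipalSet=Anonymous and "
            f"ResourceCurrentSet=/Set[ComputedMember='{user_guid}'] and "
            f"ActionType='Modify' and ActionParameter='ResetPassword']"
            f"/AuthenticationWorkflowDefinition")


def registration_state(user, authn_wfs):
    """Steps 4.3-4.4; precedence follows the order in which the post lists the outcomes."""
    if any(wf not in user.authn_wf_registered for wf in authn_wfs):
        return "RegistrationRequired"
    if any(wf in user.authn_wf_lockedout for wf in authn_wfs):
        return "LockedOut"
    return "RegistrationOptional"


class AuthNRequiredFault(Exception):
    """Steps 7-8: carries the STS endpoint the Proxy must contact plus a context id."""
    def __init__(self, sts_endpoint, context_id):
        super().__init__("AuthNRequiredFault")
        self.sts_endpoint, self.context_id = sts_endpoint, context_id


class Sts:
    """Toy STS with one Q&A gate: a single challenge round, then a one-time token."""
    QUESTIONS = ("Constructed question 1", "Constructed question 2")

    def __init__(self):
        self.contexts, self.issued = {}, {}

    def challenge(self, context_id):
        user, _, wf = self.contexts[context_id]
        return None if wf in user.authn_wf_lockedout else list(self.QUESTIONS)

    def respond(self, context_id, answers):
        user, mode, wf = self.contexts[context_id]
        if mode == "register":
            user.qa_answers = tuple(answers)          # registration stores the answers
        elif tuple(answers) != user.qa_answers:       # reset must match them
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.authn_wf_lockedout.add(wf)
            return None
        user.failed_attempts = 0
        token = f"sts-token:{context_id}"
        self.issued[token] = user
        return token


class FimService:
    def __init__(self):
        self.sts, self.ids = Sts(), itertools.count(1)
        self.pending_actions, self.wmi_calls = {}, []   # Action WF endpoints; modelled SetPassword calls

    def put(self, user, attribute, value, token=None):
        """Put request: faults until a valid STS token arrives, then runs AuthZ/Commit/Action."""
        mode = "register" if attribute == "AuthNWFRegistered" else "reset"
        if token is None:
            ctx = f"ctx-{next(self.ids)}"
            self.sts.contexts[ctx] = (user, mode, QA_WF)
            raise AuthNRequiredFault("http://fim-sts-placeholder/", ctx)
        if self.sts.issued.pop(token, None) is not user:   # one-time token bound to this user
            raise PermissionError("invalid, replayed or mismatched STS token")
        if mode == "register":
            user.authn_wf_registered.add(value)
            return "Success"
        endpoint = f"action-{next(self.ids)}"    # Action WF now waits for the new password (step 9)
        self.pending_actions[endpoint] = user
        return endpoint

    def submit_new_password(self, endpoint, new_password):
        """Steps 10-11: Action WF -> WMI SetPassword -> PDC, modelled as a direct update."""
        user = self.pending_actions.pop(endpoint)
        self.wmi_calls.append((user.account, "SetPassword"))
        user.password = new_password
        return "Success"


def proxy_put(service, gate_answers, user, attribute, value):
    """Proxy logic: send Put, satisfy the AuthNRequiredFault via the STS, resume with the token."""
    try:
        return service.put(user, attribute, value)
    except AuthNRequiredFault as fault:
        questions = service.sts.challenge(fault.context_id)   # a real client dials fault.sts_endpoint
        if questions is None:
            return "LockedOut"
        token = service.sts.respond(fault.context_id, gate_answers(questions))
        if token is None:
            return "AuthNFailed"
        return service.put(user, attribute, value, token=token)


def reset_password(service, gate_answers, user, new_password):
    """Reset sequence end to end: Put on ResetPassword, then the new password to the Action WF."""
    result = proxy_put(service, gate_answers, user, "ResetPassword", True)
    if result in ("LockedOut", "AuthNFailed"):
        return result
    return service.submit_new_password(result, new_password)
```

The gate_answers callback stands in for the GF screens: it receives the STS challenge list and returns what the user typed. Two points worth noticing in the model carry over to the real flow: the Put that starts a reset never carries the new password (it only modifies ResetPassword, and the password travels later to the Action WF endpoint), and once a user is locked out of a workflow the STS refuses to issue a challenge at all, which is what the Proxy's LockedOut return in step 4.4 reflects.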

That's it. Feel free to leave me a message if you need clarification.