Step 7: Configure Self-Service Password Reset with OTP SMS Gate
Configuring Password Reset consists of the following steps:
Configure the Password Reset AuthN Workflow
Configure the Administrators can read and update Users MPR for OTP SMS
Install Microsoft Visual Studio 2010 Professional on CLIENT1
Create the console app used for initial encryption
Create the SMSServiceProvider.dll
Create the SMS Provider credentials text file.
Grant CORP\FIMService Full Control of the C:\SmsProviderInfo folder
Grant CORP\FIMService log on locally rights on FIM1
Encrypt the credential file using the CORP\FIMService account
Deny CORP\FIMService log on locally rights on FIM1
Copy SmsEncryptedCredentials.txt to the FIM Service folder
Configure the Password Reset AuthN Workflow
Now we will add the new One-Time SMS Password Gate to the Password Reset AuthN Workflow.
To Configure the Password Reset AuthN Workflow
Log on to FIM1.corp.contoso.com as CORP\Administrator.
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 home page.
On the right, under Administration, click Workflows.
Double-click Password Reset AuthN Workflow. This will bring up the Password Reset AuthNWorkflow.
Click Activities.
Click Add Activity.
Select One-Time Password SMS Gate and click Select. Click Save. Click OK. Click Submit.
Configure the Administrators can read and update Users MPR for OTP SMS
Now you will add the One-Time Password Mobile Phone to the Administration: Administrators can read and update Users MPR.
To configure the Administrators can read and update Users MPR for OTP SMS
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 R2 home page.
On the right, under Administration, click Management Policy Rules.
In the list of MPRs, locate Administration: Administrators can read and update Users and click it. This will open the Configuration page.
Click the Target Resources tab.
Down under Select specific attributes, use the up-down arrows and scroll to the bottom of the list.
After Time Zone, enter One-Time Password Mobile Phone. Click to select the green check mark. This should resolve with an underline.
Click OK, and then click Submit.
Microsoft Visual Studio 2010 Professional on CLIENT1
Microsoft Visual Studio 2010 Professional will be used to compile the code for our SmsServiceProvider.dll and a small application that will be used to encrypt the credentials for our SMS provider.
To install Microsoft Visual Studio 2010 Professional on CLIENT1
Log on to CLIENT1 as CORP\Administrator.
Navigate to the directory that contains the binaries for Microsoft Visual Studio 2010 and double-click Setup.exe. This will bring up a Microsoft Visual Studio 2010 Setup screen.
On the Setup screen, click Install Microsoft Visual Studio 2010. This will begin the setup. It may take a moment for the installation components to load and the Next button to become available. When it does, click Next.
On the license page, read the usage license, select I have read and accept the license terms, and click Next.
On the next screen, under Select features to install: choose Custom and click Next.
On the next screen, under Select features to install: remove the check from everything except Visual Basic and Visual C#. Click Install. This will begin the installation. This will take some time.
.png "Install Visual Studio")
When the installation completes click Finish. Close the Microsoft Visual Studio 2010 Setup screen.
Create the console app used for initial credential encryption
In order to use the SmsServiceProvider.dll code we need to pass the adminAccount, adminEmail and adminPassword for our SMS provider. Now we don’t want to hard code this into the library because these credentials are important to preserving the security of many other credentials in the organization. The approach we’ll use in this sample is to place the adminAccount, adminEmail and adminPassword into a text file and then encrypt that text file. Our encrypted text file will be placed in the same directory as the SmsServiceProvider.dll. Please note that this is not the only way to securely handle credentials.
.gif "Warning") Warning |
|---|
To create the console app used for initial credential encryption
Log on to CLIENT1 as CORP\Administrator.
Click Start, select All Programs, select Microsoft Visual Studio 2010 and double-click Microsoft Visual Studio 2010.
Click OK. This will launch Visual Studio 2010.
Because this is the first time running Visual Studio you will receive a Choose Default Environmental Settings Dialog box. Select General Development Settings and click Start Visual Studio.
On the left, at the top, click New Project. This will bring up the new project window.
On the left, select Visual C#, in the middle, at the top, select .NET Framework 3.5 from the drop-down, in the middle select Console Application and down in the box next to Name: remove ConsoleApplicaiton1 and enter EncryptDecryptFile. Click OK. This will open our new project.
At the top, on the right, under the Solution Explorer, expand EncryptDecryptFiel, right-click References, and select Add Reference. This will bring up the Add Reference window.
At the top, click the .NET tab and scroll down to System.Security. Click OK.
Clear all of the code that is in the center pane and replace it with the code below:
//------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //------------------------------------------------------------ using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Security.Cryptography; using EncryptDecryptFile; using System.IO; namespace EncryptDecryptFile { class Program { static void Main(string[] args) { if (args.Length > 0) { if (args[0].ToString() == "encrypt") { string inputfile = args[1].ToString(); string outputfile = args[2].ToString(); EncryptDecryptFile.Program.Encrypt(inputfile, outputfile); } if (args[0].ToString() == "decrypt") { string inputfile = args[1].ToString(); string outputfile = args[2].ToString(); EncryptDecryptFile.Program.Decrypt(inputfile, outputfile); } } } static void Encrypt(string infile, string outfile) { byte[] Entropy = { 9, 8, 7, 6, 5 }; FileInfo info = new FileInfo(infile); int len = (int)info.Length; byte[] buffin = File.ReadAllBytes(infile); byte[] buffout = ProtectedData.Protect(buffin, Entropy, DataProtectionScope.LocalMachine); File.WriteAllBytes(outfile, buffout); info = new FileInfo(outfile); len = (int)info.Length; Console.WriteLine("Wrote " + len.ToString() + "bytes to file " + outfile); } static void Decrypt(string infile, string outfile) { byte[] Entropy = { 9, 8, 7, 6, 5 }; FileInfo info = new FileInfo(infile); int len = (int)info.Length; byte[] buffin = File.ReadAllBytes(infile); byte[] buffout = ProtectedData.Unprotect(buffin, Entropy, DataProtectionScope.LocalMachine); File.WriteAllBytes(outfile, buffout); info = new FileInfo(outfile); len = (int)info.Length; Console.WriteLine("Wrote " + len.ToString() + "bytes to file " + outfile); } } }At the top, select Build and choose Build Solution from the drop-down. At the bottom, in the Output window you should see Build: 1 succeeded.
Close Visual Studio.
Now log on to FIM1 as CORP\Administrator, create a folder in the root of C:\ call SmsProviderInfo.
Now, on CLIENT1 navigate to the following directory: C:\Users\Administrator\Documents\Visual Studio 2010\Projects\EncryptDecryptFile\EncryptDecryptFile\bin\Debug and copy the EncryptDecryptFile.exe to \\FIM1\C$\SmsProviderInfo. This will make it easier when we go and encrypt our file.
Create the SmsServiceProvider.dll
Now we will create our SMSServiceProvider.dll using the sample code provided. You will need the Forefront Identity Manager 2010 R2 installation media for this portion.
To Create the SmsServiceProvider.dll
Log on to CLIENT1 as CORP\Administrator.
Click Start, select All Programs, select Microsoft Visual Studio 2010 and double-click Microsoft Visual Studio 2010.
Click OK. This will launch Visual Studio 2010.
On the left, at the top, click New Project. This will bring up the new project window.
On the left, select Visual C#, in the middle, at the top, select .NET Framework 3.5 from the drop-down, in the middle select Class Library and down in the box next to Name: remove ClassLibrary1 and enter SmsServiceProvider. Click OK. This will open our new project.
At the top, on the right, under the Solution Explorer, expand SmsServiceProvider, right-click References, and select Add Reference. This will bring up the Add Reference window.
At the top, click the Browse and navigate to where the FIM 2010 R2 installation media is. Within the installation media, navigate to Service and Portal\Program Files\Microsoft Forefront Identity Manager\2010\Service\GAC and select Microsoft.IdentityManagement.SmsServiceProviderContract. Click OK.
At the top, on the right, under the Solution Explorer, expand SmsServiceProvider, right-click References, and select Add Reference. This will bring up the Add Reference window.
At the top, click the .NET tab and scroll down to System.Security. Click OK.
At the top, on the right, under the Solution Explorer, expand SmsServiceProvider, right-click References, and select Add Reference. This will bring up the Add Reference window.
At the top, click the .NET tab and scroll down to System.Web. Click OK.
Clear all of the code that is in the center pane and replace it with the code below:
//------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //------------------------------------------------------------ namespace Microsoft.IdentityManagement.Samples { using System; using System.Collections.Generic; using System.Globalization; using System.Net; using System.Text; using Microsoft.IdentityManagement.SmsServiceProvider; using System.Web; using System.Security.Cryptography; using System.IO; public class SmsServiceProvider : ISmsServiceProvider { public void SendSms(string mobileNumber, string message, Guid requestId, Dictionary<string, object> deliveryAttributes) { mySMSProvider.SendSms(mobileNumber, message); } } class mySMSProvider { static string RequestURL = "https://www.mySMSProvider.contoso.com/sms.dll?Action=SendSMS"; static string adminAccount; static string adminEmail; static string adminPassword; mySMSProvider() { } public static int SendSms(string userMobileNumber, string message) { WebClient wc = new WebClient(); string requestData; requestData = Microsoft.IdentityManagement.Samples.mySMSProvider.GetRequestData(userMobileNumber, message); byte[] postData = Encoding.ASCII.GetBytes(requestData); byte[] response = wc.UploadData(mySMSProvider.RequestURL, postData); string result = Encoding.ASCII.GetString(response); // result contains the error text int returnValue = System.Convert.ToInt32(result.Substring(0, 4), NumberFormatInfo.InvariantInfo); return returnValue; } public static string GetRequestData(string mobile, string message) { string myrequestData; myrequestData = "AccountId=" + adminAccount + "&Email=" + System.Web.HttpUtility.UrlEncode(adminEmail) + "&Password=" + System.Web.HttpUtility.UrlEncode(adminPassword) + "&Recipient=" + System.Web.HttpUtility.UrlEncode(mobile) + "&Message=" + System.Web.HttpUtility.UrlEncode(message); return myrequestData; } public void GetCredentials() { string mypwordFile = (@"C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\SmsEncryptedCredentials.txt"); FileInfo info; int len; byte[] buffin; byte[] buffout; byte[] Entropy = { 9, 8, 7, 6, 5 }; info = new FileInfo(mypwordFile); len = (int)info.Length; buffin = File.ReadAllBytes(mypwordFile); buffout = ProtectedData.Unprotect(buffin, Entropy, DataProtectionScope.CurrentUser); File.WriteAllBytes(mypwordFile, buffout); StreamReader sr = new StreamReader(mypwordFile); adminAccount = sr.ReadLine(); adminEmail = sr.ReadLine(); adminPassword = sr.ReadLine(); sr.Close(); buffin = File.ReadAllBytes(mypwordFile); buffout = ProtectedData.Protect(buffin, Entropy, DataProtectionScope.CurrentUser); File.WriteAllBytes(mypwordFile, buffout); } }; }At the top, select Build and choose Build Solution from the drop-down. At the bottom, in the Output window you should see Build: 1 succeeded.
Close Visual Studio.
Now navigate to the following directory: C:\Users\Administrator\Documents\Visual Studio 2010\Projects\SmsServiceProvider\SmsServiceProvider\bin\Debug and copy the SmsServiceProvider.dll to \\FIM1\C$\Program Files\Microsoft Forefront Identity Manager\2010\Service.
Create the SMS Provider credentials text file.
Now we will create the text file that we will encrypt using the FIM Service account.
To create the SMS Provider credentials text file.
Log on to FIM1 as CORP\Administrator.
Click Start, click All Programs, select Accessories and then click on Notepad. This will open a notepad.
On the first line of notepad enter: adminAccount and hit enter.
On the second line of notepad enter: adminEmail and hit enter.
On the third line of notepad enter: adminPassword and hit enter.
Warning
Please note that you will enter your actual ID, Email, and password in this text file. For example, if my adminAccount was bsimon, I would enter bsimon, not adminAccount. If my adminEmail was bsimon@corp.contoso.com I would enter that, not adminEmail in the text file.
At the top, click File, click Save As, navigate to C:\SmsProviderInfo and enter SmsCredentials as the file name. Click Save.
Close notepad.
Grant CORP\FIMService Full Control of the C:\SmsProviderInfo folder
Now we will grant the CORP\FIMService account full control of the C:\SmsProviderInfo folder so that we can encrypt the SmsCredentials file.
To grant CORP\FIMService Full Control of the C:\SmsProviderInfo folder
Log on to FIM1 as CORP\Administrator.
Click Start, click Computer, double-click the c:\ drive.
Right-click on SmsProviderInfo and select Properties. This will bring up the properties dialog.
Click the Security tab.
Next to To change permissions click Edit click the Edit button. This will bring up the Permissions for SmsProviderInfo.
On Permissions for SmsProviderInfo click Add.
On Select Users, Computers, Service Accounts, or Groups, in the box under Enter the object names to select (examples) enter CORP\FIMService and click Check Names. This will resolve with the account underlined. Click OK.
Place a check under Allow in Full Control. Click Apply. Click OK.
Grant CORP\FIMService log on locally rights on FIM1
Now we will grant the CORP\FIMService account the log on locally right to the FIM1 server. This is so that we can log on to the FIM1 server and encrypt the credentials file.
To grant CORP\FIMService log on locally rights on FIM1
Log on to FIM1 as CORP\Administrator.
Click Start, click Administrative Tools, and click Local Security Policy. This will bring up the local security policy.
On the right, expand Local Polices and select User Rights Assignments. This will populate the left with policies.
Scroll down and double-click Deny log on locally. This will bring up the Deny log on locally Properties
Select CORP\FIMService and click Remove.
Click Apply and click OK.
Close Local Security Policy.
Log off FIM1.
Encrypt the credential file using the CORP\FIMService account
Now we will use our console app and encrypt our credentials file. Attempting to do this on a machine other than FIM1 has resulted in issues with decrypting the credentials file from within the SmsServiceProvider.dll by the FIM Service account. To avoid these issues, we will log on to the FIM1 machine as the FIM Service account, encrypt the file, then log off.
To encrypt the credential file using the CORP\FIMService account
Log on to FIM1 as CORP\FIMService.
Click Start, click All Programs, select Accessories and then click on Command Prompt. This will open a command prompt.
Navigate to the C:\SmsProviderInfo and enter EncryptDecryptFile.exe encrypt SmsCredentials.txt SmsEncryptedCredentials.txt.
Hit enter.
It should report that some bytes were written into the SmsEncryptedCredentials.txt file.
Close the command prompt.
Log off FIM1.
Deny CORP\FIMService log on locally rights on FIM1
Now we will set the permissions back to the original setting for the CORP\FIMService account on the FIM1 server.
To deny CORP\FIMService log on locally rights on FIM1
Log on to FIM1 as CORP\Administrator.
Click Start, click Administrative Tools, and click Local Security Policy. This will bring up the local security policy.
On the right, expand Local Polices and select User Rights Assignments. This will populate the left with policies.
Scroll down and double-click Deny log on locally. This will bring up the Deny log on locally Properties
Click Add User or Group.
Click Apply and click OK. This will bring up the Select Users, Computers, Service Accounts or Groups box.
In the box under Enter the object name to select (example) enter CORP\FIMService and click Check Names. This will resolve with an underline. Click OK.
Click Apply. Click OK.
Copy SmsEncryptedCredentials.txt to the FIM Service folder
Now we will copy our encrypted credentials file to the same folder as our SmsServiceProvider.dll.
To copy SmsEncryptedCredentials.txt to the FIM Service folder
Log on to FIM1 as CORP\Administrator.
Navigate to C:\SmsProviderInfo and copy the SmsEncrytpedCredentials.txt file to C:\Program Files\Microsoft Forefront Identity Manager\2010\Service