Management Console Overview

IBM Tivoli Access Manager for Enterprise Single Sign-On: Desktop Password Reset Adapter (TAM E-SSO: Desktop Password Reset Adapter) enables workstation users to reset their own Windows domain passwords without the intervention of administrative or help-desk personnel. It provides end users with an alternative means of authenticating themselves by taking a quiz comprising a series of passphrase questions. 

Each question is weighted with point-values. As the end user answers the quiz questions, TAM E-SSO: Desktop Password Reset Adapter keeps a running score. Points are added to the score for each correct response and points are deducted for each incorrect response. When the end user accumulates sufficient points to meet a preset "confidence level," TAM E-SSO: Desktop Password Reset Adapter permits the end user to select a new password. If the end user's score does not achieve the required confidence level after all questions have been presented, or if it falls below a preset negative value, the quiz ends and the end user is not permitted to reset the password.

The reset service is available to each end user after completing a one-time enrollment interview to record passphrase answers. The questions can be any combination of those prepared by the administrator and those created by the end users themselves. Answers can also be derived from data stored in directory user objects. The TAM E-SSO: Desktop Password Reset Adapter Management Console provides easy configuration of the enrollment interview and reset quiz, including question text and point-values, answer sources, and confidence-level limits. The Console also affords convenient reports of enrollment/reset activity and status.

Features and Benefits

Functional Overview

First-Time Setup

After you have installed the TAM E-SSO: Desktop Password Reset Adapter server application, the first task is to configure the service for use with the directory-server or relational database and Web services. You perform this first-time configuration with the dialog pages in the System tab:

  1. Use the Web Service dialog page to set the Anonymous Logon account - the user account through which TAM E-SSO: Desktop Password Reset Adapter users and administrators access the service.
  2. Use the Storage dialog page to configure the directory/database to create the TAM E-SSO: Desktop Password Reset Adapter repository for system questions and user data.
  3. Use the Reset Service dialog page to set the Service account - the user account that TAM E-SSO: Desktop Password Reset Adapter itself "logs on as" to the server.

When you have completed these steps, you can begin configuring the reset service itself. These tasks include:

  1. Setting up the Enrollment Interview by supplying a set of system questions and associated point-values.
  2. Setting the general reset service options, which include the "pass" and "fail" score thresholds, user-lockout parameters, and administrator alerts.

Setting Up the Enrollment Interview

When the user starts the enrollment program, TAM E-SSO: Desktop Password Reset Adapter displays the Enrollment Interview.

The Enrollment Interview comprises a series of questions in three groups:

  1. Required questions to which the end user must provide answers to complete the interview.
  2. One or more "blank questions" for which the end user provides both the passphrase question and its answer.
  3. Optional questions that the end user can skip.

The required and optional questions (in groups 1 and 3) are called system questions. System questions are predefined and managed by the administrator using the Questions tab of the TAM E-SSO: Desktop Password Reset Adapter Management Console. During the Enrollment Interview, the system questions are presented in random order (within their respective groups). Another type of predefined system question uses an attribute of the end user's directory object for its answer and therefore does not appear in the Enrollment Interview. See Configuring System Questions and Question Examples for more information.

Questions created by the end user (in group 2) are referred to as user questions. Only the end user knows the text of the question/answer pair he or she has created. The administrator uses the Settings tab of the TAM E-SSO: Desktop Password Reset Adapter Management Console to set the minimum number of user questions required to complete the interview and the maximum number of user questions allowed. See Configuring User Questions for more information.

When the end user has answered the Required questions, provided the minimum number of user questions, and answered (or skipped) all of the available Optional questions, the Enrollment Interview ends.

National Language Support

The initial enrollment dialog can be presented in the preferred language for each business unit as required by National Language Support (NLS). NLS support is required for English, French, Spanish, Italian, German, Brazilian Portuguese, Korean, Simplified Chinese, and Japanese.

The text displayed on the initial page of the enrollment process is stored in an XML file called UserText.xml. To implement this feature, you must create multiple XML files with the filenames UserText.<language code>.xml; for example, UserText.de.xml, UserText.fr-ca.xml.

The language code follows the RFC 1766 format that is used by .NET. Each XML file contains text in its respective language. The files are stored in the \WebServices folder.

TAM E-SSO: Desktop Password Reset Adapter loads all the files with the above naming pattern and uses the appropriate version to display the 'Welcome' screen of the enrollment page.

On the client side, WindowsInterface passes the language the user installed in the URL, telling TAM E-SSO: Desktop Password Reset Adapter to show the enrollment page in that language.

Configuring System Questions

System questions are those prepared by the administrator. See Creating and Editing System Questions for the procedure.

Each system question has the following settings:

Assigning point-values to questions

Secure implementation of self-service reset depends on the selection and weighting of the individual system questions. Here are some primary considerations for each question:

See also Question Examples.

Question Examples

The following table provides some examples of system questions, recommended as Required or Optional, with suggested point-values based on the default score thresholds of -100 to 100 points.

Required questions

These questions are good prospects for Required questions. Note that all of these questions have answers that are facts on record. It is strongly recommended that the answers to your selection of Required questions come from as many different sources as possible. For example, in some states, a driver's license may display the social security number and date of birth.

| Question | Required? | Points if correct | Points if incorrect |
| --- | --- | --- | --- |
| What is your Social Security Number (numbers only, no spaces)? | Y | 10 | -75 |
| What is your date of birth (mmddyy)? | Y | 25 | -75 |
| In which city were you born? | Y | 25 | -50 |
| What is your Mother's maiden name? | Y | 25 | -75 |
| What was the name of the first school you attended? (or "...that you remember attending?") | Y | 25 | -25 |
| What is the name of the last high school that you attended? | Y | 25 | -25 |

Eliminators

These questions are "eliminators" because the authorized end user is very unlikely to answer them incorrectly. The answers are personal, and therefore have low or no point-value for correct answers and high negative point-value if answered incorrectly.

| Question | Required? | Points if correct | Points if incorrect |
| --- | --- | --- | --- |
| What is your eye color? | Y | 0 | -75 |
| Are you left/right handed or ambidextrous (l, r or a)? | Y | 5 | -75 |
| What is your gender (male or female)? | Y | 0 | -75 |

Optional questions

These questions are acceptable as Optional questions only, because they may not apply to all enrollees.

| Question | Required? | Points if correct | Points if incorrect |
| --- | --- | --- | --- |
| What was the name of your first/favorite pet? | N | 25 | -25 |
| What color was your first car? | N | 25 | -25 |
| What is your wife's maiden name? | N | 25 | -25 |
| What is your blood type (O, A+/-, B+/-, AB)? | N | 25 | -25 |
| How many siblings do you have? | N | 25 | -25 |
| What is your spouse's date of birth? (mmddyy) | N | 25 | -25 |

External Validators

By default, TAM E-SSO: Desktop Password Reset Adapter requires that all the questions and weights used for reset are entered and set up by the administrator and answered by the user upon enrollment. TAM E-SSO: Desktop Password Reset Adapter can also work with external validator sources to simplify this process. External validators allow organizations to write an interface to their back end that TAM E-SSO: Desktop Password Reset Adapter can call. Such a validator can draw data from various sources (for example, an HR database) that contain pre-defined answers.

For example, let's say one of the reset questions is "What is your Social Security Number?". By default, when a user enrolls, the enrollment interview asks them to supply their Social Security number. Then, when the user resets their password, they are asked to enter their Social Security number. With an external validator in place, an administrator can direct TAM E-SSO: Desktop Password Reset Adapter to an external data source that contains a pre-defined list of Social Security numbers. The validator supplies the answer to that question upon user enrollment, so that the user does not even see that question. The user has to enter the answer to that question only when attempting to reset their password. If all system questions are answered by an external validator, users can be automatically enrolled.

Follow these basic steps to implement the use of external validators:

  1. Write an external validator.
  2. Install the validator.
  3. Direct TAM E-SSO: Desktop Password Reset Adapter to the external validator.

Writing the External Validator Interface

The external validator must be written in .NET 2.0. To write an implementation, add a reference to the library Passlogix.PasswordReset.dll. Within your assembly, write a class that implements the interface ISSPRValidator. The interface has the following five members (four methods and one property):

Note: Validators that do not implement the ISSPRValidator interface or fail on startup will be ignored.

 

Below is the validator interface definition:

interface ISSPRValidator
{
    // Called by SSPR on first use of the validator.
    void Initialize();

    // Called once by SSPR when the service shuts down.
    void Cleanup();

    // Returns true if the question is valid for the given user, otherwise false.
    bool IsValidQuestion(ISSPRQuery iquery);

    // Returns true if the question/answer pair is correct, otherwise false.
    bool IsValidAnswer(ISSPRQuery iquery, string strAnswer);

    // The friendly name for SSPR to display.
    string FriendlyName { get; }
}

The ISSPRQuery interface is supplied by the TAM E-SSO: Desktop Password Reset Adapter service and contains the following properties:

interface ISSPRQuery
{
    // The GUID of the question.
    Guid QuestionGuid { get; }

    // The user's identity (in SID format).
    string UserIdentity { get; }
}

 

Once this interface has been implemented, the following assembly attribute must be declared, referencing the implementation:

[assembly: ISSPRValidatorType("<Validator class>")]

Replace the string <Validator class> with the full name of the class (including namespace) that implements this interface.
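As an added illustration (not code from the product or from IBM), the following validator answers two system questions from an HR record so that they never appear in the Enrollment Interview, while still grading the user's typed answer at reset time. The namespace Passlogix.PasswordReset, the class name Example.Validators.HrRecordValidator, the question GUIDs and the HR data are assumed or constructed; a real validator would read the GUID map from configuration and query the HR system.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Passlogix.PasswordReset;   // assumed namespace for ISSPRValidator and ISSPRQuery

// The attribute must name the implementing class in full (namespace included).
[assembly: ISSPRValidatorType("Example.Validators.HrRecordValidator")]

namespace Example.Validators
{
    // Supplies answers from HR data instead of asking the user at enrollment;
    // the user still types the answer during a Reset Quiz.
    public class HrRecordValidator : ISSPRValidator
    {
        // Question GUIDs (as created in the Management Console) mapped to an HR field name.
        // Placeholder GUIDs: a real deployment reads this map from configuration.
        private static readonly Dictionary<Guid, string> questionFields = new Dictionary<Guid, string>();

        // HR records keyed by the user's SID (ISSPRQuery.UserIdentity), then by field name.
        // Constructed sample data standing in for a query against the HR database.
        private static readonly Dictionary<string, Dictionary<string, string>> hrRecords =
            new Dictionary<string, Dictionary<string, string>>();

        // Shown in the Answer Source dropdown of the System Questions page.
        public string FriendlyName { get { return "HR Record Validator"; } }

        // Called by SSPR on first use: load the question map and the sample HR data.
        public void Initialize()
        {
            questionFields[new Guid("11111111-1111-1111-1111-111111111111")] = "EmployeeId";
            questionFields[new Guid("22222222-2222-2222-2222-222222222222")] = "DateOfBirth";

            Dictionary<string, string> sample = new Dictionary<string, string>();
            sample["EmployeeId"] = "E-104233";
            sample["DateOfBirth"] = "071584";                    // mmddyy, matching the question text
            hrRecords["S-1-5-21-1000-2000-3000-1105"] = sample;   // constructed SID
        }

        // Called once when the service shuts down.
        public void Cleanup()
        {
            hrRecords.Clear();
            questionFields.Clear();
        }

        // A question applies to a user only if HR holds a non-empty value for it; otherwise
        // enrollment discards the question for that user (see User Enrollment).
        public bool IsValidQuestion(ISSPRQuery iquery)
        {
            return LookupExpected(iquery) != null;
        }

        // Called during a reset with the answer the user typed.
        public bool IsValidAnswer(ISSPRQuery iquery, string strAnswer)
        {
            try
            {
                string expected = LookupExpected(iquery);
                if (expected == null || strAnswer == null) return false;
                return FixedTimeEquals(Normalize(expected), Normalize(strAnswer));
            }
            catch (Exception)
            {
                return false;   // fail closed: a validator error must never grade as correct
            }
        }

        private static string LookupExpected(ISSPRQuery iquery)
        {
            if (iquery == null || iquery.UserIdentity == null) return null;
            string field;
            if (!questionFields.TryGetValue(iquery.QuestionGuid, out field)) return null;
            Dictionary<string, string> record;
            if (!hrRecords.TryGetValue(iquery.UserIdentity, out record)) return null;
            string value;
            if (!record.TryGetValue(field, out value) || value.Trim().Length == 0) return null;
            return value;
        }

        // Ignore case, whitespace and separators so "e 104233" matches "E-104233".
        private static string Normalize(string s)
        {
            StringBuilder sb = new StringBuilder(s.Length);
            foreach (char c in s)
                if (char.IsLetterOrDigit(c)) sb.Append(char.ToUpperInvariant(c));
            return sb.ToString();
        }

        // Compare without an early exit so response time does not reveal how many
        // leading characters of the stored answer were matched.
        private static bool FixedTimeEquals(string a, string b)
        {
            byte[] x = Encoding.UTF8.GetBytes(a);
            byte[] y = Encoding.UTF8.GetBytes(b);
            int diff = x.Length ^ y.Length;
            for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
            return diff == 0;
        }
    }
}
```

The class never logs or returns the expected answer, so the HR data stays inside the validator even when grading fails.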

Installing the Validator

Once the validator DLL is written, follow these steps:

  1. Create a directory called “Validators” under <INSTALL_DIR>\VIBMSelfServiceReset\WebServices. The actual validator directory is defined in web.config and can be changed if a different folder for discovery is preferred.
  2. Copy the validators into this directory.
  3. Restart the TAM E-SSO: Desktop Password Reset Adapter Web Service.

Directing TAM E-SSO: Desktop Password Reset Adapter to the External Validator

Once the validators are installed, follow these steps:

  1. Open the TAM E-SSO: Desktop Password Reset Adapter Management Console.
  2. Click Questions from the top menu and then select System Questions. Select an existing question or create a New Question.
  3. The Answer Source dropdown field lists the available external validators which can be used. The default is User Supplied, which indicates that the user must answer that question during enrollment. If a validator is installed and detected, its friendly name will now be listed here. Simply select the appropriate validator and save the question settings.

User Enrollment

Enrollment can contain a mix of User Supplied and Validator Supplied questions. Questions that require external validation are checked against IsValidQuestion and allowed or discarded based on the result. A user is prompted only for answers to questions that are user supplied. In a pure external validation case, the user is automatically enrolled.

Reset

During a Password Reset, questions with answers supplied by an external validator will be sent to IsValidAnswer to determine a pass or fail for a particular question. 

Configuring User Questions

User questions are those prepared by the end user during the Enrollment Interview. For each user question, the end user is prompted to enter a question and its correct answer. Only the end user knows the text of the question/answer pair he or she has created. The Enrollment Interview prompts the end user for user questions after he or she has answered the Required system questions and before posing the Optional system questions.

The administrator controls these settings:

See Editing Reset Service Settings for the procedure.

Configuring Reset Authentication

When an end user requests a password reset, TAM E-SSO: Desktop Password Reset Adapter displays the Reset Quiz.

The Reset Quiz is a series of questions drawn from the system and user questions that the end user answered in the Enrollment Interview. The Reset Quiz first presents all of the Required questions one at a time, in random order, for the end user to enter a response. With each response, the preset point-value for correct answers is added to the total score, or the point-value for incorrect answers deducted.

After all of the Required questions have been presented, the Reset Quiz continues until either a) all Optional questions have been presented, or b) the end user answers a sufficient number of questions to meet either of two score thresholds:

If the end user answers all of the questions without achieving either score threshold, the Reset Quiz ends with no password reset, and the end user returns to the initial logon dialog. TAM E-SSO: Desktop Password Reset Adapter records the Quiz session as an implicit failure, indicating that the end user's score was insufficient either to pass or to fail explicitly.

The Success and Failure score thresholds, and the point-values for user questions are set by the administrator in the Settings tab of the TAM E-SSO: Desktop Password Reset Adapter Management Console. The text and point-values for individual system questions are set in the System Questions tab.
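To make the pass, explicit-fail and implicit-fail rules concrete, here is an added simulation of the Reset Quiz scoring (not product code). It assumes that all Required questions are presented before the thresholds are applied, that a score at or above the Success Level passes and a score below the Failure Level fails explicitly, and that user questions are presented alongside the Optional questions; the questions, weights and answers are constructed sample data.

```csharp
using System;
using System.Collections.Generic;

public enum QuizOutcome { Passed, FailedExplicitly, FailedImplicitly }

public class QuizQuestion
{
    public string Text;
    public bool Required;
    public int PointsIfCorrect;
    public int PointsIfIncorrect;   // negative, as in the question tables above
    public string ExpectedAnswer;   // simulation only; the product checks enrollment data or IsValidAnswer

    public QuizQuestion(string text, bool required, int ifCorrect, int ifIncorrect, string expected)
    {
        Text = text; Required = required; PointsIfCorrect = ifCorrect;
        PointsIfIncorrect = ifIncorrect; ExpectedAnswer = expected;
    }
}

public class ResetQuiz
{
    public int SuccessLevel = 100;    // Authentication Success Level
    public int FailureLevel = -100;   // Authentication Failure Level
    public int UserCorrectWeight = 25, UserIncorrectWeight = -25;   // shared by every user question
    private readonly Random rng = new Random();

    // Every user-created question carries the weights set in the Settings tab (assumed
    // here to be presented with the Optional questions).
    public QuizQuestion UserQuestion(string text, string expected)
    {
        return new QuizQuestion(text, false, UserCorrectWeight, UserIncorrectWeight, expected);
    }

    public QuizOutcome Run(List<QuizQuestion> enrolled, Dictionary<string, string> given, out int score)
    {
        List<QuizQuestion> required = new List<QuizQuestion>();
        List<QuizQuestion> optional = new List<QuizQuestion>();
        foreach (QuizQuestion q in enrolled) (q.Required ? required : optional).Add(q);
        Shuffle(required);   // random order within each group
        Shuffle(optional);

        score = 0;
        foreach (QuizQuestion q in required) score += Grade(q, given);   // always all presented
        foreach (QuizQuestion q in optional)
        {
            if (score >= SuccessLevel || score < FailureLevel) break;   // a threshold ends the quiz
            score += Grade(q, given);
        }
        if (score >= SuccessLevel) return QuizOutcome.Passed;
        if (score < FailureLevel) return QuizOutcome.FailedExplicitly;
        return QuizOutcome.FailedImplicitly;   // everything presented, neither threshold reached
    }

    private static int Grade(QuizQuestion q, Dictionary<string, string> given)
    {
        string answer;
        given.TryGetValue(q.Text, out answer);
        bool correct = answer != null &&
            answer.Trim().ToUpperInvariant() == q.ExpectedAnswer.Trim().ToUpperInvariant();
        return correct ? q.PointsIfCorrect : q.PointsIfIncorrect;
    }

    private void Shuffle(List<QuizQuestion> list)   // Fisher-Yates
    {
        for (int i = list.Count - 1; i > 0; i--)
        {
            int j = rng.Next(i + 1);
            QuizQuestion t = list[i]; list[i] = list[j]; list[j] = t;
        }
    }

    public static void Main()
    {
        ResetQuiz quiz = new ResetQuiz();
        List<QuizQuestion> enrolled = new List<QuizQuestion>();   // constructed enrollment
        enrolled.Add(new QuizQuestion("In which city were you born?", true, 25, -50, "Lyon"));
        enrolled.Add(new QuizQuestion("What is your date of birth (mmddyy)?", true, 25, -75, "071584"));
        enrolled.Add(new QuizQuestion("What is your eye color?", true, 0, -75, "brown"));   // eliminator
        enrolled.Add(new QuizQuestion("What color was your first car?", false, 25, -25, "red"));
        enrolled.Add(quiz.UserQuestion("Name of my first boat?", "Petrel"));

        Dictionary<string, string> attempt = new Dictionary<string, string>();
        attempt["In which city were you born?"] = "lyon";
        attempt["What is your date of birth (mmddyy)?"] = "071584";
        attempt["What is your eye color?"] = "brown";
        attempt["What color was your first car?"] = "Red";
        attempt["Name of my first boat?"] = "Petrel";
        int score;
        Console.WriteLine("{0} with score {1}", quiz.Run(enrolled, attempt, out score), score);

        attempt["What is your eye color?"] = "blue";   // one eliminator wrong: -75 instead of 0
        Console.WriteLine("{0} with score {1}", quiz.Run(enrolled, attempt, out score), score);
    }
}
```

With this sample data the all-correct attempt reaches 100 and passes, while the attempt with the wrong eliminator answer ends at 25 after every question has been presented and is recorded as an implicit failure.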

Score Thresholds

The score thresholds are the point-values that determine whether the end user passes or fails the Reset Quiz.

See Editing Reset Service Settings for more information.

User Question Settings

The administrator sets the minimum and maximum number of user questions end users create for themselves. All user questions share the same pair of point-values for correct and incorrect answers.

See Editing Reset Service Settings for more information.

User Object Settings

[to come]

Setting up the Web Service Account

Use the Web Service Account dialog (under the System tab) to set or change the Anonymous Logon for IIS Web Services. This is the domain account through which all end users access the TAM E-SSO: Desktop Password Reset Adapter Web interface.

The Web Service Account dialog displays the current Anonymous Logon account and provides a logon form for changing this account.

The account selected as the Anonymous Logon should have local Administrator privileges, including permission to perform the following tasks:

Note: To create a new User account with administrator privileges, use the Users and Groups tool in the Windows Computer Management Console.

To set or change the Anonymous Logon

  1. Type the User Name and Password of the account to use.
  2. Type the password again to Confirm.
  3. Click Submit.

 

Configuring Service Storage

Use the Storage dialog (under the System tab) to view or change connection settings for the database (SQL Server or Oracle Database) or directory service (Active Directory or ADAM) that is used as the repository for TAM E-SSO: Desktop Password Reset Adapter system questions and user enrollments.  To do this, use the settings in the System Configuration group.  When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.

You also use the Storage dialog to have TAM E-SSO: Desktop Password Reset Adapter perform the first-time setup tasks that prepare the database or directory-server repository for use with the enrollment and reset services. These tasks include:

To perform these tasks, use the controls in the Storage Configuration group:

  1. Select Initialize Storage for TAM E-SSO: Desktop Password Reset Adapter.
  2. For Connect As, type the user name of an administrator of the directory server.
  3. Type the administrator password.
  4. Click Submit to save any changes or modifications. If this is not done, any changes made will be lost when the storage page is closed.

Storage Configuration

Storage Type

The type of service used: SQL Server, Oracle Database, Active Directory or ADAM.

Provide these four settings for Active Directory or ADAM storage only:

Server Name/IP Address, Port Number

Enter either the name of the server or the IP Address of the server in the first text box. In the second text box enter the numerical port number used by the directory service. Click Add to add the connection to the Servers list. Multiple servers can be added for failover support. If more than one Server address is entered, TAM E-SSO: Desktop Password Reset Adapter iterates through the list in sequential order until either it has successfully connected or all connections have failed. 

Servers

TAM E-SSO: Desktop Password Reset Adapter attempts connections in the order they appear in the list from top to bottom. Use the up and down arrows to arrange the servers in the order in which connections should be attempted. To delete a server from the list, select the server in the list box and click the Delete button. Note that you cannot delete a connection if it is the only connection present in the list.

 

In some cases, such as long server names, the entire string is not displayed in the list box. Clicking on an item in the list box populates the Server Name/IP Address and Port text boxes with that item. The full string can then be viewed by scrolling in the text box, and if desired, modified and added as a new connection to the list.   

Server Timeout

Enter a value (in seconds) that TAM E-SSO: Desktop Password Reset Adapter should wait for a response from a server before moving on to the next server in the list.

Storage Location

The distinguished name or naming context of the connection node.

Use SSL

Select to enable Secure Sockets Layer (SSL).

Provide this setting for SQL Server storage only:

Connection String

The complete connection string to the database server; example:

Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=SSPR;Data Source=Servername;Trusted_Connection=Yes

Click Add to add the connection to the Database Connections list. Multiple connections can be added for failover support. If more than one connection is entered, TAM E-SSO: Desktop Password Reset Adapter iterates through the list in sequential order until either it has successfully connected or all connections have failed.

Database Connections

TAM E-SSO: Desktop Password Reset Adapter attempts connections in the order they appear in the list from top to bottom. Use the up and down arrows to arrange the connection strings in the order in which connections should be attempted. To delete a connection string from the list, select the string  in the list box and click the Delete button. Note that you cannot delete a connection string if it is the only connection present in the list.

In some cases, such as long database connection strings, the entire string is not displayed in the list box. Clicking on an item in the list box populates the Connection String text box with that item. The full string can then be viewed by scrolling in the text box, and if desired, modified and added as a new connection to the list.   

Database Timeout

Enter a value (in seconds) that TAM E-SSO: Desktop Password Reset Adapter should wait for a response from a database before moving on to the next database in the list. This value is not used in database connections if the connection string contains a “Connect Timeout” parameter.

Provide this setting for Oracle Database storage only:

Connection String

The complete connection string to the database server; example:

Provider=OraOLEDB.ORACLE;Data Source=XE;User ID=system;Password=password

Click Add to add the connection to the Database Connections list. Multiple connections can be added for failover support. If more than one connection is entered, TAM E-SSO DPRA iterates through the list in sequential order until either it has successfully connected or all connections have failed.

Database Connections

  1. From the <SSPR Server install>\WebServices directory (for example, C:\Program Files\IBM\TAM E-SSO DPRA\WebServices), locate the OracleTables.txt file and copy it to the Oracle DBMS workstation.
  2. On the Oracle DBMS workstation, run the OracleTables.txt file, which creates the tables in Oracle that are necessary for the TAM E-SSO DPRA storage repository.

     Note: Running this script deletes and re-creates any existing SSPR tables in the Oracle DBMS.

  3. In the TAM E-SSO DPRA Console, go to System > Storage. Select Oracle as the storage type.
  4. Enter the connection string as noted above.

TAM E-SSO DPRA attempts connections in the order they appear in the list from top to bottom. Use the up and down arrows to arrange the connection strings in the order in which connections should be attempted. To delete a connection string from the list, select the string  in the list box and click the Delete button. Note that you cannot delete a connection string if it is the only connection present in the list.

In some cases, such as long database connection strings, the entire string is not displayed in the list box. Clicking on an item in the list box populates the Connection String text box with that item. The full string can then be viewed by scrolling in the text box, and if desired, modified and added as a new connection to the list.

Database Timeout

Enter a value (in seconds) that TAM E-SSO DPRA should wait for a response from a database before moving on to the next database in the list. This value is not used in database connections if the connection string contains a “Connect Timeout” parameter.

Storage Initialization

Initialize Storage for TAM E-SSO: Desktop Password Reset Adapter

Activates the first-time configuration tasks. If this option is checked, TAM E-SSO: Desktop Password Reset Adapter automatically iterates through the new connections in the list and attempts to initialize them sequentially. If a connection fails to initialize, initialization stops and connections further down in the list will not be initialized. If this occurs, resolve the issue and then retry initialization.

Connect As (User Name)

The user name of a directory/database Administrator.

Password

The password of the administrator.

 

Configuring the Reset Service Account

Use the Reset Service dialog (in the System tab) only to specify the credentials (username and password) of the user account that the TAM E-SSO: Desktop Password Reset Adapter reset service uses to log on. The Service Account must have password-change privileges for the domain.

Notes:

The Reset Service dialog also displays the current status of TAM E-SSO: Desktop Password Reset Adapter (Running or Not Running), and the port that the service uses to detect a password reset attempt.

Change service account

User Name

The user name of the Reset Service Account.

Password and Confirm Password

The password of the Reset Service Account. Type the password in both fields.

Service Options

Listening Port

The number of the port used to detect password reset activity (default 45000).

Domain

The trusted domain where user accounts are located. This setting is required only if the user accounts are in a domain other than that of the TAM E-SSO: Desktop Password Reset Adapter machine. Note: Changes to this setting take effect immediately and do not require a restart of IIS or the Password Reset Service.

Multi-Domain Support

You can configure TAM E-SSO: Desktop Password Reset Adapter to reset Windows passwords and unlock Windows accounts in its own domain or any domain you designate as trusted.

Multi-domain support requires the following conditions:

Setting Up Multi-Domain Support

In the Management Console, select the domain you want to designate as trusted from any of the following screens.

When you make a domain selection on any one of these screens, that change is reflected in all the other screens. The domain that you select is saved in the registry value, HKLM\SOFTWARE\Passlogix\SSPR\SSPRService\DisplayDomain.

When performing queries against a trusted domain, you may receive the error message: “The server is not operational.” This can occur if the guest account on the trusted domain is turned on, because that account does not have the rights to enumerate users.

To eliminate this error, do one of the following:

Connectors

Use the Connectors dialog (in the System tab) to specify the connector to use with TAM E-SSO: Desktop Password Reset Adapter (IBM Tivoli Identity Manager [ITIM] is the only available connector).

 

This feature allows TAM E-SSO: Desktop Password Reset Adapter users to enroll in the ITIM Challenge/Response system through the TAM E-SSO: Desktop Password Reset Adapter Enrollment client. It also allows them to reset their Windows password or unlock their Windows account through the TAM E-SSO: Desktop Password Reset Adapter Reset client by answering the ITIM Challenge/Response questions.

When ITIM is selected, a logon page is added to the user's Enrollment process. This page appears after the user clicks the “Enroll” button (to start the enrollment process). TAM E-SSO: Desktop Password Reset Adapter uses these credentials to authenticate to ITIM and to relay the user's enrollment answers to ITIM.

Select the connector from the Selected Connector drop-down box.

Note: Switching between connectors takes effect immediately. IIS does not need to be restarted. See the TAM E-SSO: Desktop Password Reset Adapter Server Installation and Setup Guide for instructions on configuring the ITIM connector.

 

Editing Reset Service Settings

Use the Settings dialog (under the Settings tab) to modify general settings for the Reset Quiz. When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.

Also see Configuring Reset Authentication for more information.

Service Settings

Authentication thresholds

Authentication Success Level

The score (the point-value total achieved for the quiz) that end users must achieve in order to reset their passwords. The default value is 100.

Authentication Failure Level

The minimum (negative) score that end users can accrue. If the end user's score falls below this setting, the Reset Quiz ends without a password reset. The default value is 100.

Reset Lockout

Lockout Thresholds

The number of consecutive unsuccessful reset attempts permitted. If an end user fails the Reset Quiz this number of times in a row, no further Reset Quiz attempts are permitted for the Lockout Duration interval.

Lockout Duration

The time period, in hours, during which an end user is not permitted to take the Reset Quiz. The Lockout Duration begins when the end user consecutively fails the Reset Quiz the number of times given for Lockout Thresholds.

Note: To override lockout for individual end users, click the Users tab, select the end user from the list, then click the Unlock button.

Forced Enrollments

Deferrals allowed

The maximum number of times a user can defer TAM E-SSO: Desktop Password Reset Adapter enrollment. When the user exceeds the maximum number of deferrals, he or she is not allowed to log on until the enrollment process is complete.

User Emails

Required during enrollment

Controls whether or not users are required to enter their e-mail address during the enrollment process.

Email format (regular expression)

Controls the valid format of the user e-mail address. The default setting allows for most acceptable e-mail formats.

Reset Experience

Show 'Unlock account option' only

Controls whether or not users are given the option to unlock their account rather than reset their password. This option is presented after a user passes the Reset Quiz.

Enable 'Display temporary password' mode

Controls whether or not TAM E-SSO: Desktop Password Reset Adapter should allow the end user to reset the password regardless of the Active Directory password policy. With this checkbox enabled, TAM E-SSO: Desktop Password Reset Adapter overrides any AD restrictions that are in place and provides the user with a temporary password. The user can then log on with that temporary password and change it through Windows.

User question settings

Minimum

The minimum number of user questions the end user must create in order to complete enrollment.

Maximum

The maximum number of user questions the end user can create.

Correct response weight

The number of points added to the score if a user question is answered correctly.

Incorrect response weight

The number of points deducted from the score if a user question is answered incorrectly.

Locations (distinguished name)

User Root

The distinguished name of the root directory for user objects.

Service configuration

The distinguished name of the directory.

Setting a Password Policy

Use the Password Policy dialog (under the Settings tab) only to adjust the password constraints so that they match, or fall within, the constraints of the Group Policy of the Windows domain. These settings do not apply to end-user passwords (see Note, below). In typical usage (that is, for typical Group Policies), these settings need not be changed.

When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.

Note: In order to reset end-user passwords, TAM E-SSO: Desktop Password Reset Adapter performs an intermediate reset using an internally generated password that must conform to the domain's Group Policy. The policy settings in this dialog apply only to that intermediate password, not to end-user passwords.

Password Constraint Options
Constraints
Minimum Length Minimum internal password length:  1-63 (default: 16)
Maximum Length Maximum internal password length:  1-63 (default: 16)
Number of times characters can repeat 0-62, default: 7
Alphabetic Characters
Allow Uppercase characters Select to allow uppercase characters (default: allowed)
Allow lowercase characters Select to allow lowercase characters (default: allowed)
Numeric Characters
Allow Numeric Characters  Select to allow numeric characters (0-9), (default: allowed)
Minimum Occurrences 1-63, default: 1
Maximum Occurrences 1-63, default: 1
Special Characters
Allow Special Characters  Select to allow special characters (non-alphabetical, non-numeric) (default: not allowed)
Minimum Occurrences 1-63, default: 1
Maximum Occurrences 1-63, default: 1
Special Characters List Characters that may be used (default: !@#$%^&*()_-=+[]\|.?)
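The constraints above describe the intermediate password the server generates for itself, so a useful check is whether a given password (or the generator that produces one) actually satisfies the configured policy. The following is an added example, not product code from IBM or from this page: it models the dialog fields as a dataclass with the listed defaults, reports every violation, and generates a conforming password with a CSPRNG. How the product applies these fields internally is not documented here; in particular, "Number of times characters can repeat" is assumed to mean the maximum number of occurrences of any single character in the whole password.

```python
# Added example (not product code): checker and generator for the intermediate-
# password constraints listed in the Password Policy dialog.  The meaning of
# "Number of times characters can repeat" (max occurrences of any one character)
# is an assumption.
import secrets
import string
from collections import Counter
from dataclasses import dataclass


@dataclass
class PasswordConstraints:
    """Field values as shown in the Password Policy dialog (defaults as listed)."""
    min_length: int = 16
    max_length: int = 16
    max_repeat: int = 7            # assumed: max occurrences of any one character
    allow_upper: bool = True
    allow_lower: bool = True
    allow_numeric: bool = True
    numeric_min: int = 1
    numeric_max: int = 1
    allow_special: bool = False
    special_min: int = 1
    special_max: int = 1
    special_chars: str = r"!@#$%^&*()_-=+[]\|.?"


def _class_range(name, count, allowed, lo, hi, problems):
    """Shared check: a disallowed class must be absent; an allowed class must
    fall within its minimum/maximum occurrences."""
    if not allowed:
        if count:
            problems.append(f"{name} characters are not allowed ({count} found)")
    elif not lo <= count <= hi:
        problems.append(f"{name} occurrences {count} outside {lo}-{hi}")


def violations(password: str, c: PasswordConstraints) -> list:
    """Return the list of constraint violations; an empty list means it conforms."""
    problems = []
    n = len(password)
    if not c.min_length <= n <= c.max_length:
        problems.append(f"length {n} outside {c.min_length}-{c.max_length}")
    upper = sum(ch in string.ascii_uppercase for ch in password)
    lower = sum(ch in string.ascii_lowercase for ch in password)
    digits = sum(ch in string.digits for ch in password)
    special = sum(ch in c.special_chars for ch in password)
    if upper + lower + digits + special != n:
        problems.append("password contains characters outside every permitted class")
    if upper and not c.allow_upper:
        problems.append(f"uppercase characters are not allowed ({upper} found)")
    if lower and not c.allow_lower:
        problems.append(f"lowercase characters are not allowed ({lower} found)")
    _class_range("numeric", digits, c.allow_numeric, c.numeric_min, c.numeric_max, problems)
    _class_range("special", special, c.allow_special, c.special_min, c.special_max, problems)
    if password and max(Counter(password).values()) > c.max_repeat:
        problems.append(f"a character repeats more than {c.max_repeat} times")
    return problems


def generate(c: PasswordConstraints, rng=None) -> str:
    """Build a password satisfying the constraints: place the minimum required
    digits and specials, fill the rest with letters, shuffle with a CSPRNG and
    re-check (the repeat limit is enforced by that final check)."""
    rng = rng or secrets.SystemRandom()
    letters = (string.ascii_uppercase if c.allow_upper else "") + \
              (string.ascii_lowercase if c.allow_lower else "")
    if not letters:
        raise ValueError("at least one alphabetic class must be allowed")
    for _ in range(1000):
        length = rng.randint(c.min_length, c.max_length)
        chars = []
        if c.allow_numeric:
            chars += [rng.choice(string.digits) for _ in range(c.numeric_min)]
        if c.allow_special:
            chars += [rng.choice(c.special_chars) for _ in range(c.special_min)]
        if len(chars) > length:
            raise ValueError("minimum occurrences exceed the maximum length")
        chars += [rng.choice(letters) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, c):
            return candidate
    raise RuntimeError("could not satisfy the constraints")
```

With the listed defaults, `violations("Abcdefghijklmno1", PasswordConstraints())` returns an empty list, while a password with no digit, with a special character, or with one character appearing eight times is reported. Running `violations` against the domain's Group Policy values before the dialog is submitted is the practical use: if the intermediate password the server generates cannot satisfy the domain policy, every reset fails at the intermediate step.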

Setting Up Alert Events

Use the Alerts dialog (under the Settings tab) to configure TAM E-SSO: Desktop Password Reset Adapter to notify an administrator by e-mail when specified events occur, such as when an end user is "locked out"; that is, prevented from taking the Reset Quiz because of one or more failures to pass the quiz.

All of the fields on this dialog must be completed in order to activate the e-mail alert.

To test your settings, click Send Test Email. When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.

E-mail Settings
Enable e-mail alerts Select to activate e-mail alerts.
"From" e-mail address The e-mail address that originates the alert; this can be any valid e-mail address for the SMTP mail server specified below.
Admin e-mail address The e-mail address of the admin to whom the alerts will be sent.
Admin name (displayed in emails) The name of the admin to whom alerts will be sent. This name is displayed in the e-mails.
SMTP mail server The name of the outbound mail server.
Send Alert When User:
Fails a reset attempt Select who should receive email alerts if a user fails a reset attempt, Admin and/or User.

This field is only active if Enable Email Alerts is selected.

Also see Editing System Settings for the lockout controls.

Successfully resets password Select who should receive email alerts if a user successfully resets their password, Admin and/or User. This field is only active if Enable Email Alerts is selected.

Logging

Use the Logging dialog (under the Settings tab) to configure TAM E-SSO: Desktop Password Reset Adapter to enable logging, to specify the Syslog server and port, and to select the types of events that should generate Syslog messages. This logging feature allows TAM E-SSO: Desktop Password Reset Adapter to generate Syslog messages so that administrators can receive notifications of user enrollment and reset events. TAM E-SSO: Desktop Password Reset Adapter generates the Syslog messages which are received by a Syslog listener. This enables the administrator to see the activities of TAM E-SSO: Desktop Password Reset Adapter users.

Enter the following information and click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.

Syslog Settings
Enable If checked, Syslog logging will be enabled.
Server Name/IP Address The name or IP address of the Syslog server.
Server Port The port where the Syslog server is listening for Syslog messages (default port is 514).
Event Filters:
Start If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user begins an enrollment or reset session.
Cancel If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user cancels an enrollment or reset session.
Success If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user successfully completes an enrollment or reset session.
Fail If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user fails the reset session.
Locked Out If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user gets locked out of the TAM E-SSO: Desktop Password Reset Adapter system (by failing too many reset quizzes).
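On the receiving side, the Syslog listener is where an administrator turns these five event types into something actionable (for example, a list of users who have just been locked out). The following is an added example, not product code from IBM or from this page: a small UDP Syslog receiver that decodes the RFC 3164 PRI field and header and tallies the event types per user. The exact text of the product's messages is not documented on this page, so the sample lines are constructed, and the body format (the event name followed by `user=<name>`) is an assumption that must be adjusted to the real messages.

```python
# Added example (not product code): receive and classify the Syslog events the
# adapter can send.  Sample lines are constructed; the body format is assumed.
import re
import socket
from collections import Counter, defaultdict

EVENTS = ("Locked Out", "Start", "Cancel", "Success", "Fail")

# RFC 3164: "<PRI>Mmm dd hh:mm:ss host body"
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
EVENT = re.compile(r"\b(Locked Out|Start|Cancel|Success|Fail)\b")   # assumed body format
USER = re.compile(r"\buser=(\S+)")                                  # assumed body format

# Constructed sample traffic: one user fails twice and is locked out, another enrolls.
SAMPLE_LINES = [
    "<14>Mar  3 09:12:01 sspr-srv DesktopPasswordReset: Start user=jdoe session=reset",
    "<14>Mar  3 09:12:40 sspr-srv DesktopPasswordReset: Fail user=jdoe session=reset",
    "<14>Mar  3 09:13:05 sspr-srv DesktopPasswordReset: Fail user=jdoe session=reset",
    "<12>Mar  3 09:13:30 sspr-srv DesktopPasswordReset: Locked Out user=jdoe",
    "<14>Mar  3 09:20:00 sspr-srv DesktopPasswordReset: Success user=asmith session=enrollment",
]


def parse(line):
    """Split one Syslog line into its header fields and the event/user it carries."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    event = EVENT.search(m["body"])
    user = USER.search(m["body"])
    return {
        "facility": pri // 8,          # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "event": event.group(1) if event else None,
        "user": user.group(1) if user else None,
        "body": m["body"],
    }


def summarize(lines):
    """Per-user counts of each event type, e.g. {"jdoe": Counter({"Fail": 2, ...})}."""
    per_user = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec and rec["event"] and rec["user"]:
            per_user[rec["user"]][rec["event"]] += 1
    return per_user


def locked_out_users(lines):
    """Users for whom a Locked Out event was seen."""
    return sorted(u for u, counts in summarize(lines).items() if counts["Locked Out"])


def serve(port=514, handler=print):
    """Listen for UDP Syslog on the port configured in the dialog (default 514)
    and pass each parsed record to `handler`.  Runs until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            rec = parse(data.decode("utf-8", "replace"))
            handler(rec if rec else {"raw": data, "from": addr})
```

`summarize(SAMPLE_LINES)` shows two `Fail` events and one `Locked Out` event for `jdoe`, and `locked_out_users(SAMPLE_LINES)` returns `["jdoe"]`. Binding port 514 requires administrative privileges on most systems; for testing, pass a high port to `serve` and point the Server Port field at it. Because the transport is plain UDP, the listener should sit on a network segment where messages cannot be spoofed or dropped silently.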

Customizing the Enrollment User Interface

Use the Enrollment UI dialog (under the Settings tab) to customize the Enrollment Interview User Interface.

You can edit the look and feel of all TAM E-SSO: Desktop Password Reset Adapter Client pages (the Enrollment and Reset interviews, not the Management Console).  This page allows you to adjust colors, fonts & logos on the Enrollment UI.

Logo
Image Select the logo image to appear in the top left area of the Enrollment UI.  Click the ... button to launch the Edit Property dialog. Highlight the desired image and click OK.

For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder.

Note: There is no size requirement for this image. For reference, the IBM enrollment logo is 146x47.
Status Panel
Text Color Select the text color to be displayed for the text in the status panel. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Background Select either a background image or solid color for the status panel.  Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK.

Note: There is no size requirement for this image. For reference, the IBM status panel background image is 408x28.

Buttons
Normal Color Select the normal color for buttons in the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Hover Color Select the hover color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Text Color Select the text color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Top Panel
Text Color Select the text color to be displayed for the text in the top panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Background Select either a background image or solid color for the top panel.  Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK.

Note: There is no size requirement for this image. For reference, the IBM top panel background image is 408x47.

Page
Background Select either a background image or solid color for the page background.  Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK.

Note: There is no size requirement for this image.

Border Color Select the border color for the page.  Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Text Font Select the font to be used for the Enrollment UI.  Click the ... button to launch the Edit Property dialog.

Highlight the desired font and click OK.

Note: The font list is generated from fonts installed on the TAM E-SSO: Desktop Password Reset Adapter Server.  To add a font to the list, install it on the server.

Main Panel
Text Color Select the text color to be displayed for the text in the main panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Background Select either a background image or solid color for the main panel.  Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK.

Note: There is no size requirement for this image. For reference, the IBM main panel background image is 408x273.

Side Panel
Normal Text Color Select the text color for the normal text in the side panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Current Step Text Color Select the text color for the current step text in the side panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Background Select either a background image or solid color for the side panel.  Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK.

Note: There is no size requirement for this image.

Customizing Reset User Interface

Use the Reset UI dialog (under the Settings tab) to customize the Reset User Interface.

You can edit the look and feel of all TAM E-SSO: Desktop Password Reset Adapter Client pages (the Enrollment and Reset interviews, not the Management Console).  This page allows you to adjust colors, fonts & logos on the Reset UI.

Window
Border Color Select the border color for the reset window.  Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Background Select either a background image or solid color for the reset window.  Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK.

Note: There is no size requirement for this image. For reference, the IBM reset window background image is 450x350.

Normal Text Color Select the text color for the normal text in the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Help Link Color Select the text color for the help link in the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Error Color Select the text color for error messages that appear during the reset process. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Version Info Color Select the text color for version information shown on the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Buttons
Normal Color Select the normal color for buttons in the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Hover Color Select the hover color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Text Color Select the text color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK.
Logo
Image Select the logo image to appear in the reset window.  Click the ... button to launch the Edit Property dialog. Highlight the desired image and click OK.

For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder.

Note: There is no size requirement for this image. For reference, the IBM reset logo is 106x29.
Page
Background Select either a background image or solid color for the page background.  Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK.

Note: There is no size requirement for this image.

Text Font Select the font to be used for the Reset UI.  Click the ... button to launch the Edit Property dialog.

Highlight the desired font and click OK.

Note: The font list is generated from fonts installed on the TAM E-SSO: Desktop Password Reset Adapter Server.  To add a font to the list, install it on the server.

Creating and Editing System Questions

Use the Questions tab to review and modify the current set of system questions. You can create new questions, set their language, set their point-values, set Required/Optional status, set answer sources and validity checks on the end user's answers, and select Users and Groups to allow or deny access.

You can modify the text of existing questions, the language of existing questions, the weights of existing questions, and you can also disable system questions; that is, remove them from the Enrollment Interview. Questions that you disable from the Enrollment Interview will still appear in the Reset Quiz to end users who have already provided answers to the disabled question, but they will no longer be presented to users who subsequently enroll or re-enroll.

See Setting up the Enrollment Interview for more information.

To create a new system question

  1. In the Questions tab, select the Language to enter the question.
  2. Click New Question. The question settings dialog appears.
  3. Type the Question Text. Note that the Question Text is the only setting that can be modified when this question is created.
  4. For Correct Response Weight, enter the number of points to add for a correct answer.
  5. For Wrong Response Weight, enter a negative number, the points to subtract for an incorrect answer.
  6. Do one of the following:
  7. Do one of the following:
  8. Select an Answer Source.
  9. For Minimum Answer Length, type a  number, the minimum number of characters allowed for a valid answer.
  10. (optional) For Answer Format type a format (as a regular expression) that will control the valid format of the answer.
  11. Do one of the following:
  12. Select the Users and Groups to allow or deny access to the question.
  13. Do one of the following:

To modify or disable a system question

  1. In the Questions tab, select the Language to modify the question in.
  2. Click a question. The question settings dialog appears.
  3. Do any or all of the following: 
  4. Click Modify to save your changes, or click Cancel to abandon your changes, and return to the Questions tab.
Changing Question Weights

The weight of a question may be modified if it is determined to be more or less effective in the reset test. A possible ramification of modifying a correct response weight after a question has been created is that enrolled users may not be able to pass the reset test due to an insufficient score, even if they answer all the questions correctly. In an attempt to prevent such an occurrence, when a correct response weight is changed, a dialog appears that presents the option to:

Modify this question: If this option is selected, the change will be made to this question. Note that users who answered this question during enrollment may not be able to reset their password if the correct response weight is set too low.

or

Disable this question and create a new question:  Disables this question and creates a new question with the changes. The benefit is that currently enrolled users will not be affected by the changes. Note that disabled questions are shown as “disabled” (grayed out) in the System Questions list.
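The ramification described above can be checked before choosing between the two options: for each enrolled user, add up the correct-response weights of the questions that user actually answered at enrollment (the best possible quiz score) and compare it with the confidence level. The following is an added example, not product code from IBM or from this page; the data shapes, the sample questions and enrollments, the replacement question id, and the confidence level of 70 are constructed assumptions, since the product's storage format is not documented here.

```python
# Added example (not product code): which enrolled users could no longer pass the
# Reset Quiz after a correct-response weight is lowered, under both options of the
# weight-change dialog.  All data below is constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Question:
    qid: str
    correct_weight: int
    wrong_weight: int          # entered as a negative number, as in the dialog
    enabled: bool = True


# Constructed sample system questions.
QUESTIONS = {
    "q1": Question("q1", 40, -20),
    "q2": Question("q2", 30, -15),
    "q3": Question("q3", 30, -15),
}
# Constructed: which questions each enrolled user answered at enrollment.
ENROLLMENTS = {
    "alice": ("q1", "q2", "q3"),
    "bob": ("q1", "q2"),
}
CONFIDENCE_LEVEL = 70      # assumed value for the example


def max_achievable_score(answered, questions):
    """Best case for one user: every question answered at enrollment is answered
    correctly in the quiz.  Disabled questions still count, because they remain
    in the quiz of anyone who answered them before they were disabled."""
    return sum(questions[q].correct_weight for q in answered if q in questions)


def users_at_risk(enrollments, questions, confidence_level):
    """Users who cannot reach the confidence level even with a perfect quiz."""
    return sorted(user for user, answered in enrollments.items()
                  if max_achievable_score(answered, questions) < confidence_level)


def change_weight(questions, qid, new_weight, disable_and_recreate=False):
    """Model the two choices in the weight-change dialog and return the new set:
    either edit the question in place, or disable it and add a new one."""
    updated = dict(questions)
    old = updated[qid]
    if disable_and_recreate:
        updated[qid] = replace(old, enabled=False)
        new_qid = f"{qid}-v2"                      # assumed id for the replacement
        updated[new_qid] = Question(new_qid, new_weight, old.wrong_weight)
    else:
        updated[qid] = replace(old, correct_weight=new_weight)
    return updated
```

With the sample data, lowering q1 from 40 to 20 in place leaves `bob` with a best possible score of 50, below the confidence level of 70, so `users_at_risk` reports him; choosing "Disable this question and create a new question" keeps the old weight for users who already answered q1, and nobody is at risk.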

System Question Settings

See Question Examples for suggested text and settings for system questions.

Question Properties
Question Text The text of the question as it is displayed to the end user. Include formatting instructions or examples. For instance, if asking for a telephone number, provide an example, such as "(333) 555-1234" to ensure consistency between the Enrollment Interview and the Reset Quiz.
<Language> Text Enter the translated question text into this field.
Points (weights)
Correct Response Weight Specify the number of points to add to the end user's score if the question is answered correctly. If modifying this field, see Changing Question Weights above.
Wrong Response Weight Specify a negative number to indicate the number of points to deduct from the end user's score if the question is answered incorrectly. If modifying this field, see Changing Question Weights above.
Required If checked:  This is a Required question. The end user must provide an answer to the question in order to complete enrollment. A Required question is always used in the Reset Quiz.

If unchecked:  This is an Optional question. The end user can skip this question in the Enrollment Interview, in which case the question will not be used in this end user's Reset Quiz. If the end user supplies an answer to an Optional question, the question is used in the Reset Quiz only after all Required questions have been asked.

Enabled If checked: This question is used in the Enrollment Interview and in the Reset Quiz.

If unchecked:  This question is not used in the Enrollment Interview. It is used in a Reset Quiz only if 1) it has previously been enabled and 2) if the end user has answered the question in an Enrollment Interview.

Answer constraints
Answer Source Specify the source from which the answer to this question should come. The default, User supplied, should be selected if the end user will supply the correct answer in the Enrollment Interview. An external validator source can also be used.
Minimum Answer Length  Specify the minimum number of characters the end user must type as an answer.
Answer Format Specify the format and punctuation for the answer using a regular expression. For example, you can specify the date format "12/1/1983" with the expression
    \d{1,2}/\d{1,2}/\d{4}

(allowing the entry of a single- or double-digit month and day and requiring a four-digit year). If you want to require the end user to type a Social Security number with dashes, use the expression
    \d{3}-\d{2}-\d{4}
Case Sensitive If checked: The end user's Reset Quiz answer must match the enrolled answer's use of upper- and lower-case characters exactly.

If unchecked: Differences in upper- and lower-case characters between the Reset Quiz answer and the enrolled answer are ignored.
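The three answer constraints above (Minimum Answer Length, Answer Format and Case Sensitive) are easy to get subtly wrong when implemented, so the following added example, not product code from IBM or from this page, shows one correct way to enforce them with the two formats from the text. The function names and the decision to require the regular expression to match the whole answer are assumptions about what the product does.

```python
# Added example (not product code): enforcing Minimum Answer Length, Answer Format
# and Case Sensitive for enrollment and quiz answers.  Function names are assumed.
import hmac
import re
from dataclasses import dataclass
from typing import Optional

DATE_FORMAT = r"\d{1,2}/\d{1,2}/\d{4}"      # matches "12/1/1983"
SSN_FORMAT = r"\d{3}-\d{2}-\d{4}"           # matches "123-45-6789"


@dataclass
class AnswerConstraints:
    min_length: int = 1
    answer_format: Optional[str] = None     # regular expression, or None for no format
    case_sensitive: bool = False


def enrollment_errors(answer: str, c: AnswerConstraints) -> list:
    """Problems that would make an Enrollment Interview answer invalid."""
    errors = []
    if len(answer) < c.min_length:
        errors.append(f"answer shorter than {c.min_length} characters")
    # fullmatch rather than search: an unanchored pattern would accept any answer
    # that merely contains a valid-looking fragment, e.g. "x123-45-6789y".
    if c.answer_format and re.fullmatch(c.answer_format, answer) is None:
        errors.append(f"answer does not match format {c.answer_format}")
    return errors


def normalize(answer: str, c: AnswerConstraints) -> str:
    """Canonical form used for comparison: unchanged when case sensitive, case-folded
    otherwise.  If enrolled answers are stored hashed, hash this form, not the raw text."""
    return answer if c.case_sensitive else answer.casefold()


def quiz_answer_matches(enrolled: str, given: str, c: AnswerConstraints) -> bool:
    """Compare a Reset Quiz answer with the enrolled answer under the Case Sensitive
    setting, using a constant-time comparison."""
    return hmac.compare_digest(normalize(enrolled, c).encode("utf-8"),
                               normalize(given, c).encode("utf-8"))
```

The case-insensitive path matters at enrollment time as much as at quiz time: whatever normalization is applied before comparing must also have been applied before the enrolled answer was stored (or hashed), otherwise a correctly typed answer in a different case will never match.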

Access Control
Users and Groups System questions can be assigned to particular roles or user groups.  Role/Group assignment determines the questions a user will be presented with during the enrollment interview.

The Users and Groups list is populated with the domain's groups that are not currently assigned Allow or Deny access for the given question. Individual users are also populated in this list if the Show Users box is checked.

When a user or group is selected, the arrow buttons (<< and >>)  become active. Use the arrow buttons to move users back and forth between the Users and Groups list and the Allow and Deny lists.

When Create or Modify is clicked, the Role/Group access rights are written to the backend storage for the system question. 

The rules for Access Control are as follows:

  • If Allow and Deny lists are unpopulated, all users and groups are granted access.

  • If any user or group is in the Deny list, and the Allow list is empty, all users and groups are denied access.

  • If any user or group is in the Allow list, and the Deny list is empty, all users and groups are allowed access.

  • If any user or group is in the Deny list, and any user or group is in the Allow list, only the users and groups that are in the Allow list and not in the Deny list are allowed access.

Show Users

If checked: Individual users are shown in the Users and Groups list.

If unchecked: Individual users are not shown in the Users and Groups list.

Allow This list contains users and groups that will have to answer the question during the enrollment interview.
Deny This list contains users and groups that will not have to answer the question during the enrollment interview.

Note: By default, if any user or group is denied access, all users and groups are denied access except those specified in the Allow list.
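The four rules above are worth checking against concrete cases, because the Allow list on its own does not restrict anything (rule 3), while the Deny list on its own denies everyone (rule 2); only the combination behaves like a conventional allow list. The following is an added example, not product code from IBM or from this page, that implements the rules as a function and derives the set of questions a user is presented with. It assumes a user is represented by the set of names the lists can match, that is the username plus every domain group the user belongs to, and that a Deny entry matching any of those names wins over Allow.

```python
# Added example (not product code): the Access Control rules for system questions.
# Assumption: `principals` is the username plus all of the user's domain groups,
# and a Deny match on any of them overrides Allow.
def question_visible(principals, allow, deny) -> bool:
    """Apply the four rules from the Access Control description."""
    principals, allow, deny = set(principals), set(allow), set(deny)
    if not allow and not deny:           # rule 1: both lists empty -> everyone
        return True
    if deny and not allow:               # rule 2: Deny only -> nobody
        return False
    if allow and not deny:               # rule 3: Allow only -> everyone
        return True
    # rule 4: both populated -> in Allow and not in Deny
    return bool(principals & allow) and not (principals & deny)


def enrollment_questions(principals, acl):
    """acl maps question id -> (allow, deny); returns the ids this user must answer."""
    return [qid for qid, (allow, deny) in acl.items()
            if question_visible(principals, allow, deny)]


# Constructed sample ACL for four questions.
SAMPLE_ACL = {
    "pet-name":    ((), ()),                         # rule 1
    "emp-id":      (("Staff",), ("Contractors",)),   # rule 4
    "badge-code":  ((), ("Guests",)),                # rule 2: denied to everyone
    "cost-center": (("Finance",), ()),               # rule 3: shown to everyone
}
```

With the sample ACL, a member of `Staff` is asked `pet-name`, `emp-id` and `cost-center`; a member of both `Staff` and `Contractors` loses `emp-id`; and `badge-code` is asked of nobody, because a Deny entry with an empty Allow list denies all users. That last case is the one to watch for when reviewing a question's access control: a Deny entry added on its own silently removes the question from every enrollment.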

Manage Users

Use the Users tab to generate a report on the enrollment status of end users. This generates a report on whether or not users have completed the Enrollment Interview, the date/time of enrollment, and whether or not the user is currently locked out.

To generate a report, select the appropriate display options. Select Export to save the report as a CSV file or click Search to generate and display the report in the Web browser.

Display Options
Show users that are: Select the users to generate a report on: Enrolled, Not Enrolled, or Both.
Show date/time of enrollment Select to display the date and time of enrollment. Enabling this may slow down report generation time.
Enrollment Status Report Results
Username Click a User Name to view additional details about a particular end user's TAM E-SSO: Desktop Password Reset Adapter activity:
  • The end user's current enrollment status.
  • Whether the end user has been locked out of the reset service for having repeatedly failed the Reset Quiz; the number of permitted consecutive failures and the duration of the lockout are set in the Settings dialog (under the Settings tab). If you want to lock out this user, click Lock. If the user has been locked out, you can override the lockout by clicking the Unlock button.
  • The end user's email address.
  • The end user's enrollment history, including the date and time of each enrollment or enrollment attempt, outcome of the enrollment session (Enrollment State) and the aggregate point-values for all questions answered in each session.
  • The reset activity for this end user, including date and time of each Reset Quiz taken, the Quiz outcome (Reset State), the Quiz score, and the IP address of the workstation used to take the quiz.
Delete Checkbox Select to delete a user. Check the box next to User Name to select all users for deletion. Click Delete.
Enrolled
  • Users whose Enrolled status is Yes (or a Date/Time) have successfully completed the Enrollment Interview at least once. The date/time is displayed if the Show date/time of enrollment field was selected.
  • Users whose Enrolled status is No began the Enrollment Interview, but abandoned the interview (by clicking Cancel) before completing it.
Locked Out
  • Users whose Locked Out status is Yes have been locked out of the reset service for having repeatedly failed the Reset Quiz; the number of permitted consecutive failures and the duration of the lockout are set in the Settings dialog (under the Settings tab). If the user has been locked out, you can override the lockout by selecting the Username and then clicking the Unlock button.
  • Users whose Locked Out status is No have not been locked out. If you want to lock out this user, select the Username and then click Lock.

View Enrollments

Use the View Enrollments dialog (under the Enrollments tab)  to view the enrollment log. This log records all enrollment activity for all users who have taken (or at least started) the Enrollment Interview, the current enrollment status for each end user, the total point-values of all system questions (Required and Optional) that the end user answered during enrollment, and the date and time of each enrollment activity.

To view log entries within a specific date range, type a Start Date and an End Date (or click the Choose button to select a date from a pop-up calendar), then click Submit.

See Setting up the Enrollment Interview for more information.

Manage Enrollments

Use the Manage Enrollments dialog (under the Enrollments tab) to export or delete enrollment log entries within a specified date range.

  1. Type a Start Date and an End Date for the date range (or click the Choose button to select a date from a pop-up calendar).
  2. Select an Action:
  3. Click Submit.

See Setting up the Enrollment Interview for more information.

View Resets

Use the View Resets dialog (under the Resets tab) to view the reset log. The record for each Reset Quiz given shows the username, the date and time of the quiz, the Quiz score, the current reset status, and the IP address of the workstation used to take the quiz.

To view log entries within a specific date range, type a Start Date and an End Date (or click the Choose button to select a date from a pop-up calendar), then click Submit.

Reset Status One of the following values:

  • Change_Done
  • Completed_Declined
  • Request_Cancelled
  • Finished_withdrawn
  • Finished_failed
  • Started_Pressed_Cancel

See Configuring Reset Authentication for more information.

Manage Resets

Use the Manage Resets dialog (under the Resets tab) to export or delete reset log entries within a specified date range.

  1. Type a Start Date and an End Date for the date range (or click the Choose button to select a date from a pop-up calendar).
  2. Select an Action:
  3. Click Submit.
    • If you have selected Export to File, the File Save dialog appears. Type a file name and click OK.

See Configuring Reset Authentication for more information.