mypassword administrator's guide enterprise
8/17/2019 MyPassword Administrator's Guide Enterprise
Namescape | myPassword
Administrator’s Guide
Table of Contents
Overview
  Prerequisites
myPassword Features
  Language Support
  rDirectory Integration
  Password Policy Guardian Integration
  Access Methods
  Security Features
  Cross Browser Support
  Themable User Interface
Configuring myPassword
  Log on to rDirectory
  The Namescape Designer
  myPassword Administration
  Reports
Accessing myPassword
  Access Methods
  Entry Pages
  Access Modes and Arguments
Using myPassword
  Main Page
  Captcha
  Reset my Password
  Unlock my Account
  Change my Password
  Edit my Profile
Enforcing Enrollment
  On rDirectory access
  On Logon with ProfileValidator.exe
Appendix A: Customizing myPassword
  Client Customization
  Adding a myPassword link to the Outlook Web Access Logon Page
  Redirecting the IWA failed logon page to the myPassword site
  How to change the language in myPassword
myPassword Features
Language Support
myPassword ships with English, German, Spanish and French language support. To display
myPassword in one of these languages, simply change your browser settings to display the
desired language. If you require a language that is not included, please see How to Change
the Language in myPassword in Appendix A – Customizing myPassword.
rDirectory Integration
Although myPassword may be licensed and used without rDirectory, the natural synergy of
these two products forms an even more powerful password management solution. Combining
rDirectory with myPassword provides the following additional benefits:
Help Desk Password Management Solution
With rDirectory integration, you get a complete Help Desk password management solution
that allows your help desk staff to quickly locate a user profile and securely verify the user’s
identity before resetting their password or unlocking their account. Audit logs and email
notices record who reset which account and when, and since delegation is done through
rDirectory, the Help Desk staff does not require administrator permissions. In addition,
features such as group management can also be easily delegated to the Help Desk.
Flexible Delegation of Password Management
The flexible Role Based Access Control (RBAC) model of rDirectory provides many more
delegation options than just allowing members of a help desk group to manage everyone’s
passwords. For example, you can also grant access to manage passwords and accounts
based on relationships, such as a user’s manager.
Enforced Profile Data Integrity Check
When coupled only with myPassword, the Profile Validator tool can be configured to require
users to fill in their Question and Answer Password Reset Profile upon logon. However,
when myPassword is combined with rDirectory, the Profile Validator tool can also require
users to fill in or correct virtually any other attribute in their profiles.
Password Policy Guardian Integration
When Password Policy Guardian is installed alongside myPassword, users will receive an
immediate, detailed explanation why a password does not meet the applicable complexity
policies in the event a password change or reset fails.
Access Methods
myPassword supports multiple access methods for users who need to reset or change their
password.
Windows Logon Form - GINA-Enabled or GINA-Free
Users can access myPassword directly from their Windows Logon Form, using either the
GINA-Enabled or GINA-Free access methods. The myPassword GINA.dll will modify the user’s
Windows Logon Form, providing the user with a convenient, direct link to myPassword, without
the need to log on to Windows. However, since using GINA extensions can be problematic in
some environments, myPassword also includes a GINA-Free method to access myPassword
directly from the Windows Logon Form using a Restricted Access Account.
The Restricted Access Account method is a best practice recommended by Microsoft, and has
significant advantages over the traditional GINA.dll method. With a Restricted Access Account,
users can log on using these alternate credentials, yet be securely limited to only the
myPassword site. The key advantages of this method are centralized management, simplified
access for roaming and mobile users, and because a replacement GINA.dll is no longer
required, the possibility of a conflict with other authorization extensions, such as biometrics or
network drivers, is eliminated.
A Windows Logon Prompt utility is provided when using the GINA-free access method,
allowing you to add a custom message to the user’s Windows Logon Form, instructing them to
log on as the Restricted Access Account when they need to reset their password.
Outlook Web Access Logon Form
A link to myPassword can be added directly to the Outlook Web Access Logon form using the
Return URL Access Mode. This access method provides remote users with the same access to
myPassword as users who log on using the Windows Logon Form. Remote users can edit their
Password Reset Profile, unlock their account and change or reset their password.
Portal or Web Pages
Since myPassword is web based, it’s easy to integrate into an existing portal or corporate web
site. Using the Return URL Access Mode, myPassword can be configured to return users to the
originating page upon completion of a password modification or inactivity timeout.
Mobile Access
myPassword also includes full support for password management using smartphones or
tablets. When the URL is accessed by a phone or tablet browser, myPassword will
automatically detect a mobile device and display the customizable web app, rather than the
standard desktop site, without further configuration.
Direct Access Methods
All of the standard direct access methods, such as kiosk or workstation, are also available. The
security features of myPassword also allow you to confidently make myPassword available
publicly on the internet.
Web Front End
The myPassword Web Front End (WFE) is a simple web client designed to reside on an IIS
server located in your DMZ. Coupled to an appropriately configured myPassword Proxy Server
located on your internal network, the WFE allows users to change or reset their passwords
from the internet, without fear of externally exposing your Active Directory.
Security Features
While a self-service password reset product like myPassword can save countless hours of time
for end users and help desk staff, it can also be a target for intruders seeking to take
unauthorized control of someone’s account. For this reason, myPassword is designed with
security in mind and includes the following security features:
Force Two Factor Authentication with External Email Address
In addition to profile validation, myPassword can force the use of external email verification
before a user is allowed to unlock their account or reset their password.
To force this form of authentication, three conditions must be met in the myPassword
configuration:
1. Email Verification is enabled.
2. Deny For Users with No Profile is enabled.
3. If Profile Exists, Require Answers is selected.
If these three conditions are met, a user attempting to unlock their account or reset their
password must first answer their profile validation questions.
Once the questions have been answered correctly, an email will be generated and sent to an
external email address defined on their user account. The user must click the link in the email,
and only then will they be allowed to perform the Unlock or Reset action.
Intrusion Detection
myPassword incorporates several means of deterring, detecting, and blocking access to
intruders who may attempt to use myPassword to gain illicit access to an account. If excessive
failures are detected when answering questions or authenticating an account (used in Profile
Edit, Password Change, or Vouching), access to myPassword can be restricted by blocking the
intruder's IP address, blocking the compromised account, and/or sending email alerts to
immediately notify security personnel of a potential attack.
Question Presentation
Questions are presented sequentially for additional security. In other products, all questions
are presented on a single page, giving an intruder the opportunity to immediately know the
information needed to successfully modify a password. By presenting only a single question at
a time, socially engineering answers becomes much more difficult and time consuming.
Inactivity Timer
An inactivity timer provides additional security to myPassword by automatically logging the
current user out of myPassword and returning them to the main menu if a keystroke or mouse
movement is not detected for a predefined period of time. In kiosk mode, the inactivity timer
guarantees myPassword is returned to the main menu when left unattended. If myPassword is
using the GINA-free access method with a Restricted Access Account, the inactivity timer will
log off of the Restricted Access Account and return to the normal Windows logon when the
timer expires.
Audit Logging / Email Notification
myPassword records the ‘who, what, when, and where’ of all myPassword related activity and
can be configured to store this valuable data in both the server event logs and the myPassword
reporting database.
myPassword can also be configured to send email notifications to the modified account, their
manager, or an administrator for additional security. A special email notification is generated
when a potential intrusion is detected and can be sent to an administrator or security
personnel.
Password Reset Profile Rules
With myPassword, you can create rule sets to apply unique Password Profile Policies to
determine the questions and requirements for creating a Password Reset Profile. This allows a
more stringent Password Reset Profile requirement for sensitive accounts, while allowing
simpler Password Reset Profiles for those with lower security requirements.
Password Generator
An optional Password Generator can be used to automatically create new passwords. By
default, the password generation feature uses a customizable dictionary of case-sensitive
words that are appended with numbers (and additional words and numbers as necessary)
until the minimum password length is obtained. In addition, myPassword can generate a
series of random characters for use as a temporary password.
When used with the Force Password Change on next Logon setting enabled, the generated
password becomes a one-time-use password that can be as complex as required.
When integrated with Namescape’s Password Policy Guardian, the password generator will
automatically create a password that is compliant with any applicable password policies.
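
The two generation modes described under Password Generator can be compared with the sketch below. It is an added example, not Namescape's implementation: the sample dictionary, the two-digit number groups and all function names are assumptions, and the entropy figure is an estimate for someone who knows the dictionary and the scheme.

```python
import math
import secrets
import string

# Constructed sample dictionary (assumption: the product's own word list is
# not shown in the guide). Entries are case-sensitive, as the guide describes.
SAMPLE_DICTIONARY = ["Harbor", "maple", "Quartz", "river",
                     "Tundra", "velvet", "Wombat", "zenith"]


def generate_dictionary_password(words, min_length, digits_per_group=2):
    """Append word+number groups until min_length is reached.

    Returns (password, entropy_bits). The bit count sums only the random
    choices made, i.e. the search space for someone who knows the dictionary
    and the scheme; it is an upper bound, not a measured strength.
    """
    vocabulary = sorted(set(words))
    if not vocabulary or min_length < 1:
        raise ValueError("need a non-empty dictionary and a positive length")
    password, bits = "", 0.0
    while len(password) < min_length:
        password += secrets.choice(vocabulary)
        password += "".join(secrets.choice(string.digits)
                            for _ in range(digits_per_group))
        bits += math.log2(len(vocabulary)) + digits_per_group * math.log2(10)
    return password, bits


def generate_random_password(length, alphabet=string.ascii_letters + string.digits):
    """Series of random characters for use as a temporary password."""
    symbols = sorted(set(alphabet))
    if length < 1 or len(symbols) < 2:
        raise ValueError("need a positive length and at least two symbols")
    password = "".join(secrets.choice(symbols) for _ in range(length))
    return password, length * math.log2(len(symbols))


def compare(min_length=12):
    """Generate one password of each kind and report the entropy estimates."""
    dict_pw, dict_bits = generate_dictionary_password(SAMPLE_DICTIONARY, min_length)
    rand_pw, rand_bits = generate_random_password(len(dict_pw))
    return {"dictionary": (dict_pw, round(dict_bits, 1)),
            "random": (rand_pw, round(rand_bits, 1))}


if __name__ == "__main__":
    for kind, (pw, bits) in compare().items():
        print(f"{kind:10s} {pw:18s} ~{bits} bits")
```

With the eight-word sample list a 12-character minimum yields roughly 19 bits, against more than 80 bits for random characters of the same length, which is why the size of the dictionary and the Force Password Change on next Logon setting matter for dictionary-generated passwords.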
Voucher Rules
Vouching is an optional feature that allows someone who has not completed their Password
Reset Profile, or has forgotten their answers, to get another authorized user to vouch for them,
allowing their password to be reset. With myPassword, you can set up rules where different
users may be allowed different vouchers, and receive different messages to indicate who can
vouch for them. Since vouching rules leverage customizable relationship based roles, a
voucher may also be based on relationships defined in the directory, such as Manager or any
other custom relationship.
Cross Browser Support
myPassword supports the following browsers to reset or change passwords, create Password
Reset Profiles, or unlock accounts:
• Microsoft Internet Explorer 7.0 or later
• Safari 5.0.3 or later
• Mozilla Firefox 3.6.3 or later
• Chrome 8.0 or later
• Opera 10.62 or later
To configure myPassword, the Namescape Designer supports Microsoft Internet Explorer 7.0 or
later.
Themable User Interface
myPassword includes a number of preinstalled themes that allow an administrator to change
the element colors in the client with a few clicks. In addition, myPassword also supports
custom logos, text and languages.
Configuring myPassword
The configuration and administration of myPassword is accomplished using the Namescape
Designer, included with the rDirectory and myPassword installation. To configure myPassword, log
on to the rDirectory website with an account that has been granted the Namescape Designer role.
Log on to rDirectory
If Forms Authentication is configured for the rDirectory website using the Site Manager, you
will see the above logon screen when the site is accessed. If Windows Authentication is
configured for the rDirectory website, you will not see the logon screen and will be
automatically authenticated.
In either case, you are required to log on with an account that has been granted the Designer
role in the site manager.
NOTE: If rDirectory is not licensed, you will be immediately redirected to the Namescape Designer
after authentication and presented with a partial Designer view containing only the tree
nodes appropriate for myPassword.
The Namescape Designer
The type of applied license determines what is displayed when you access rDirectory. If
rDirectory is licensed, and you are authorized to access the Namescape Designer, you will see
the rDirectory website with a toolbar containing an Open Designer button in the upper right:
Click the Open Designer button to access the Namescape Designer.
If you have questions or difficulty using features in the Namescape Designer, select Designer
Help on the Designer Home Page to access the context sensitive help.
myPassword Administration
In the Namescape Designer tree menu, expand the Settings node and select myPassword.
You will be presented with a summarized settings view for the current installation of
myPassword.
myPassword settings may be configured by selecting one of the following subordinate nodes:
General
In the tree navigation menu, click General to change the proxy settings, limit access to
myPassword with roles, and to enable the password strength meter.
Site
Proxy Account
A Proxy Account is required for all Password Reset and Profile Edit operations and is configured
using the Site Manager.
The account specified must have permissions to reset passwords for all users who may be
using the Password Reset feature. If Profile Editing is enabled, this account must also have
permissions to edit the Password Reset Profile Attribute for all users who may be using the
Profile Editing feature.
Limit Access to myPassword with Roles
If Limit Access to myPassword with Roles is checked, and the roles are set, only users who
satisfy the roles specified will be allowed to use features on the myPassword site.
Enable Password Strength Meter
If Enable Password Strength Meter is checked, the relative strength of the password will
dynamically update in the strength meter as characters are entered. The strength of a
password is based on Microsoft's password complexity requirement.
Enable Inactivity Timeout
If checked, this setting allows you to specify the time (in seconds) before myPassword will time
out due to user inactivity. Upon timeout, the user will be returned to the main menu.
Appearance
Theme
myPassword includes a set of color themes that can be used to alter the appearance of the
myPassword client. Changing a theme does not affect customized graphics, text or styles. If
you desire a color theme not included with the product, please contact Namescape support for
assistance.
Use Classic Dialogue Style
When enabled, all dialogue boxes will be displayed with the style of previous versions of
myPassword. This includes thinner borders and non-rounded boxes.
Features
The Features node allows you to control the feature settings for the main myPassword page.
Reset Password
Password Generation
The Password Generation setting determines if automatic password generation is allowed,
required (Always) or not available (Never) for Password Reset operations. For more information
see Password Generator.
Use password dictionary for password generation
If checked, this setting will generate passwords based on the words, numbers or characters
specified in the password dictionary.
Force Password Change on Next Logon
If checked, this setting requires the users who have reset their password to change their
password upon next logon.
NOTE: If password history is enforced, this feature is recommended. The password reset
function of Active Directory does not enforce password history, so clever users
could potentially use myPassword to re-use old passwords if this feature is not
enabled. Active Directory only enforces password history on the password change
function, so when they are forced to change their password on next logon, their
history will re-enforce.
Enforce Password History on Reset
If checked, this setting enforces password history on a reset and prevents the user from
changing their password back to a previously used password. We recommend modifying your
Domain Security Policy to increase the number of passwords remembered (at least 2x default
value) and set the minimum age to one day.
NOTE: If you set the minimum password age in your Domain Password Policy, and a user
forgets their password within the minimum age, they will not be able to use
myPassword to reset their password.
Unlock Account
Enable Account Unlock
If the Enable Account Unlock setting is checked, the Unlock my Account feature will be
available on the main myPassword page.
Account Unlock Roles
If any Account Unlock Roles are set, only users who satisfy these roles will be allowed to use
this feature.
Change Password
Enable Password Change
If checked, this setting enables the Password Change feature for all users who satisfy any roles
set under Password Change Roles. If Password Change Roles are not set, all users may use
the Password Change function.
Password Change Roles
The Password Change Roles setting indicates if any roles are set for the Password Change
feature. If roles are not set, all users may use the Password Change feature when it is enabled.
Password Generation
The Password Generation setting determines if Password Generation is allowed, required
(Always) or not available (Never) for Password Change operations. For more information see
Password Generator.
Use password dictionary for password generation
If checked, this setting will generate passwords based on the words, numbers or characters
specified in the password dictionary.
Profile Edit
Enable Password Profile Edit
If selected, and at least one Profile Policy Rule is set, users will be allowed to create and edit a
Password Profile containing their questions and answers.
Profile Policy Rules
The Profile Policy Rules button indicates if any Password Profile Rules are set and when
selected, launches the Password Profile Rules Editor. If Enable Password Profile Edit is
checked, at least one Password Profile Rule must be set.
Require New Profile if older than X months
Enabling this setting will cause myPassword to prompt users for updated profile questions
every X months. By default, this setting is disabled.
Vouching
Enable Vouching for Users
If vouching is enabled, and at least one Voucher Rule is set, users will be allowed to have
someone to vouch for them, rather than being required to answer the questions in their
Password Reset Profile. Users who have the option of someone vouching for them are limited
with the following settings:
Without Profile
Only users who do not have a Password Reset Profile are allowed to have someone
vouch for them.
With Profile
Only users who have a Password Reset Profile are allowed to have someone vouch
for them (i.e. in case they can't remember their answers).
Both
All users, regardless of whether they have a Password Reset Profile, are allowed to
have someone vouch for them.
Voucher Rules
The Voucher Rules button indicates if any Voucher Rules are set, and when selected, launches
the Voucher Rules Editor. If vouching is enabled, at least one Voucher Rule must be set.
Intrusion Detection
Access to myPassword by an IP address or compromised account can be blocked for
excessive failed answers and/or excessive failed authentications. myPassword may also be
configured to require a CAPTCHA entry to prevent automated intrusion attempts.
Examples of a failed authentication include a bad logon name or password for any logon
screen, a failed password change, a failed password reset profile edit or an invalid voucher
logon.
Both the Failed Authentication and the Failed Answers tabs contain the following settings:
Block After X Authentication Failures within X Minutes
If enabled, the IP address or compromised account will be blocked if the specified number of
authentication failures or failed answers occurs within the time frame specified. This event can
initiate an email notice, block access from the IP address for a specified time, or block access
to the compromised account for the specified time.
Block IP Address for X minutes
If enabled, the originating IP address is blocked for the specified time period if an
authentication failure or failed answer occurs.
Block Account for X minutes
If enabled, the compromised account is blocked from being accessed via myPassword for the
specified time period if an authentication failure or failed answer occurs.
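
One way to model the Block After, Block IP Address and Block Account settings described above, as an added example that is not Namescape's code. The class and field names are hypothetical, the event list is constructed, and the sketch assumes a block is applied once the failure threshold is reached within the window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class BlockPolicy:
    # Hypothetical field names standing in for the settings described above.
    max_failures: int = 3            # "Block After X ... Failures"
    window_minutes: int = 5          # "... within X Minutes"
    block_ip_minutes: int = 15       # "Block IP Address for X minutes", 0 = off
    block_account_minutes: int = 30  # "Block Account for X minutes", 0 = off


class IntrusionDetector:
    def __init__(self, policy):
        self.policy = policy
        self._failures = defaultdict(deque)  # (kind, value) -> failure times
        self._blocked_until = {}             # (kind, value) -> unblock time

    def is_blocked(self, kind, value, now):
        until = self._blocked_until.get((kind, value))
        return until is not None and now < until

    def record_failure(self, ip, account, now):
        """Count one failed answer or authentication at `now` (seconds).

        Returns the actions this failure triggers, if any.
        """
        actions = []
        window = self.policy.window_minutes * 60
        targets = (("ip", ip, self.policy.block_ip_minutes),
                   ("account", account, self.policy.block_account_minutes))
        for kind, value, block_minutes in targets:
            times = self._failures[(kind, value)]
            times.append(now)
            while now - times[0] > window:  # drop failures outside the window
                times.popleft()
            if block_minutes and len(times) >= self.policy.max_failures:
                self._blocked_until[(kind, value)] = now + block_minutes * 60
                times.clear()
                actions.append(f"block_{kind}:{value}")
        if actions:
            actions.append("email_alert")
        return actions


# Constructed events: (seconds, source IP, target account). Addresses come
# from the documentation ranges; the account names are made up.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice"), (40, "203.0.113.7", "bob"),
    (90, "203.0.113.7", "carol"),     # one IP, three accounts
    (100, "198.51.100.1", "dave"),
    (120, "203.0.113.7", "dave"),     # arrives while the IP is blocked
    (160, "198.51.100.2", "dave"),
    (220, "198.51.100.3", "dave"),    # three IPs, one account
    (300, "198.51.100.4", "dave"),    # arrives while the account is blocked
    (1000, "192.0.2.9", "erin"), (1400, "192.0.2.9", "erin"),
    (1800, "192.0.2.9", "erin"),      # too slow to fill the window
]


def replay(events, policy):
    """Feed events through a detector; return (triggered, rejected, detector)."""
    detector = IntrusionDetector(policy)
    triggered, rejected = [], 0
    for now, ip, account in events:
        if (detector.is_blocked("ip", ip, now)
                or detector.is_blocked("account", account, now)):
            rejected += 1  # blocked requests never reach the failure counters
            continue
        triggered += [(now, a) for a in detector.record_failure(ip, account, now)]
    return triggered, rejected, detector


if __name__ == "__main__":
    for when, action in replay(SAMPLE_EVENTS, BlockPolicy())[0]:
        print(when, action)
```

The sample shows why both counters are useful: one address guessing across several accounts trips the IP block, several addresses guessing one account trip the account block, and failures spaced wider than the window trip neither.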
Captcha
Captcha may be required in order to validate a user as a person, and is designed to prevent
automated attacks.
Use Captcha before authentication
If enabled, a user will be presented with a captcha page prior to being allowed to enter their
credentials. A number of options are available when configuring the captcha page:
Use dictionary to generate captchas
When enabled, the customizable myPassword word dictionary will be used to
generate captchas. If this setting is not enabled, any captchas presented will be a
random combination of letters and numbers.
Block After
An IP address may be blocked from accessing myPassword after a user incorrectly
enters a defined number of captchas within a given time period.
Block IP address for X minutes
The IP address of the potential intruder will be blocked for a defined period of time.
Email Support
Email Support allows you to configure email messaging for myPassword.
Email Notification
User
If checked, an email notice is sent to the email address of the user for all password resets,
password changes and Password Reset Profile modifications made to their account.
Manager
If checked, an email notice is sent to the user's manager for all password resets, password
changes and Password Reset Profile modifications made against the user's account, provided
the account being accessed has a manager, and the manager has an email address.
Normal Operations
If checked, an email notice is sent to the email address specified for all password resets,
password changes and Password Reset Profile modifications made via myPassword.
Vouching Operations
If checked, an email notice is sent to the email address specified whenever the vouching
feature is used to authorize a password reset.
Intrusion Detection
If checked, an email notice is sent to the email address specified whenever an intrusion
detection event occurs. An intrusion detection event is triggered by a failed answer, failed
authentication or failed captcha entries.
Email Verification
Email Verification allows mail-enabled users with an external email address to be sent a time
sensitive email. The email includes a link that, when clicked, returns the user to the final page
in the password reset process where they can set their new password.
This feature is intended for mail-enabled users with external email accounts only. This
feature should not be used with mailbox-enabled accounts where the user is required to log on
to Active Directory in order to access their mailbox.
NOTE: In Exchange terminology, a mailbox-enabled user is someone who has an
Exchange mailbox. Whereas a mail-enabled user or contact has an email address
that points to an external mail system or domain. A mail-enabled user or contact
can show up in the Global Address List, and you can send email to them which will
be directed to their external email address. When you mail-enable a user or contact
using the Exchange tools, or using rDirectory and the Provisioning Agent for
Exchange, the external email address is populated in both the normal ‘mail’
attribute, as well as the ‘ExternalTargetAddress’ attribute.
Enable Email Verification for Users
This setting enables email verification for the password reset, password change and account
unlock operation.
For Users with an External E-mail Address
If selected, all users with a value in their targetAddress attribute automatically use
Email Verification. The targetAddress attribute is automatically filled in when you
use Exchange tools, or rDirectory and the Provisioning Agent for Exchange, to
mail-enable an account. See Ext_Mail Field Module under Field Module Settings in the
Namescape Designer Help for more details.
For Users that Match Roles
If selected, only a user assigned one of the approved roles may use Email
Verification.
Deny for Users
If checked, Email Verification is not available for users matching the condition specified. If With
a Profile is selected, users with a Password Reset Profile do not have Email Verification
available. If With no Profile is selected, users without a Password Reset Profile do not have
Email Verification available.
If Profile Exists
If a user has a completed Password Profile, this setting determines the following behaviors:
Require Answers
This setting requires users with a Password Reset Profile to successfully answer
their challenge/response questions before they are sent an email link. They need to
click on the link sent to them to complete the operation.
Always Skip
This setting always skips the process of requiring users to answer their
challenge/response questions, and sends them an email link to verify their identity.
Allow Skip
This setting allows users with a Password Reset Profile the option of either
answering their challenge/response questions, or using the email link feature for
identification.
Link Timeout
This value determines how long a user has to respond to the link sent in a verification email. If
a user clicks on the link after this time period expires, they will receive a message saying the
link is no longer valid.
NOTE: For security reasons, the link sent to a user simply contains a GUID. This GUID is
used to store and retrieve information about each specific Email Verification session
in the application cache. This information is removed from the cache after this
amount of time. Should the server reboot, or the application pool of the
myPassword website be recycled, the information is lost for all past email
verification links sent.
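
The link handling described in the NOTE above can be sketched as follows. This is an added example, not Namescape's code: the class, the URL and its `id` parameter are placeholders, and removing the session on first use is an extra hardening assumption that the guide does not state.

```python
import time
import uuid


class EmailVerificationCache:
    """In-memory session store keyed by GUID, modelled on the NOTE above."""

    def __init__(self, link_timeout_seconds, clock=time.monotonic):
        self._timeout = link_timeout_seconds
        self._clock = clock
        self._sessions = {}  # guid -> (expires_at, account, operation)

    def issue(self, account, operation):
        """Create a session and return the GUID to embed in the email link."""
        guid = str(uuid.uuid4())  # random version-4 GUID
        self._sessions[guid] = (self._clock() + self._timeout, account, operation)
        return guid

    def redeem(self, guid):
        """Return (account, operation) for a live link, else None."""
        try:
            key = str(uuid.UUID(guid))  # reject anything that is not a GUID
        except (ValueError, AttributeError, TypeError):
            return None
        entry = self._sessions.pop(key, None)  # assumption: one use per link
        if entry is None:
            return None
        expires_at, account, operation = entry
        if self._clock() >= expires_at:
            return None  # Link Timeout has passed
        return account, operation

    def purge(self):
        """Drop expired sessions so the cache does not grow without bound."""
        now = self._clock()
        stale = [g for g, (exp, _, _) in self._sessions.items() if now >= exp]
        for guid in stale:
            del self._sessions[guid]
        return len(stale)


def build_link(base_url, guid):
    # Placeholder URL shape; the guide does not show the real link format.
    # Only the GUID travels in the link: no account name, no operation.
    return f"{base_url}?id={guid}"


def demo():
    """Walk through the cases in the NOTE with a controllable clock."""
    now = [0.0]
    cache = EmailVerificationCache(600, clock=lambda: now[0])

    g1 = cache.issue("jdoe", "reset")
    link = build_link("https://mypassword.example/verify", g1)
    in_time = cache.redeem(g1)
    reused = cache.redeem(g1)

    g2 = cache.issue("jdoe", "unlock")
    now[0] += 601                      # user clicks after the Link Timeout
    too_late = cache.redeem(g2)

    g3 = cache.issue("jdoe", "reset")
    recycled = EmailVerificationCache(600, clock=lambda: now[0])
    after_recycle = recycled.redeem(g3)  # new process, empty cache

    return {"link": link, "in_time": in_time, "reused": reused,
            "too_late": too_late, "after_recycle": after_recycle,
            "malformed": cache.redeem("not-a-guid")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value}")
```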
Reports
The Reports node allows you to search for activity in myPassword and rDirectory, view activity
summaries, and generate and export activity reports in various formats. To view activity specific to
myPassword, click to expand the Reports node and select myPassword. You will be presented
with the myPassword Activity Summary view.
In this view, you have the ability to display all activity in myPassword for a given time period. To
change the time period displayed, simply move the slider to the left or right. The graph, summary,
and detail views will update automatically.
In addition to the summary view, there are a number of included reports that can be generated by
myPassword, ensuring a simple and effective way to audit password events in your environment.
Activity Search
The Activity Search view provides a filterable display containing detailed myPassword activity information in your environment. It allows you to filter down the list of actions by Action Type, Account Name, DN (Distinguished Name), IP address, User Agent, Interface type and Start\End Date and generate a report based on those results that can be exported to various formats, including Excel, PDF and Word.
The data shown in the myPassword Activity Search window can be displayed however you desire. Columns may be moved, sorted, added and hidden to fit your needs.
Options include:
Sort Ascending or Descending
Click the column header to sort the list of activity by ascending or descending order within that column. Click once for ascending order and again for descending order, or select Sort Ascending or Sort Descending from the drop down list of options.
Drop Down List of Options
Click the down arrow that displays next to each column header when selected to see a list of available options, including Sort Ascending, Sort Descending and Columns.
Columns
Select the Columns option from the drop down list to show or hide specific columns in the display window.
Page
Use the arrow keys at the bottom of the screen to advance the report results by page.
Refresh
Click the Refresh icon at either the top or bottom of the screen to update the filtered results and redisplay the entire list in descending date order.
Report
Selecting the Report button will generate an exportable report based on your filtered activity search results. This report can then be exported in Excel, PDF or Word formats.
Filtering Results
Each column in the Activity Search represents a different filter used to narrow down the activity data search results.
Action Type
Click the drop down to display all action types available. Place a check in the box next to the action or actions you wish to include in the filtered results.
Account Name
This column allows you to filter activity data based on the account that performed the action. To apply an account name search filter, simply begin typing in the name of the account, and if myPassword finds a partial match, the activity results will dynamically update based on the characters as they are typed in.
DN (Distinguished Name)
This column filters activity data based on the DN (Distinguished Name) of the account that performed an action. Be aware that certain activity will only display the Naming Context, and not the full DN, of the account that performed the action. To select an account DN, click the magnifying glass to the right of the field to open the object selector dialogue box. Locate and click on the desired account, and click Select to filter the activity results.
IP Address
This column allows you to filter activity data based on the originating IP address.
User Agent
This column will display information about the browser used to perform the password action.
Interface
This column will display the originating type of device used to perform the password action. Possible values include Desktop, Mobile or Tablet.
Start and End Date
Click the calendar icon in the Date entry box to display the Calendar object. Select a date from this calendar to display all activities for a defined start and end date. The filter defaults to the last 30 days of activity.
Activity Report
The Activity Report view displays a static filtered list of myPassword activities in descending date order. The report includes the applied filter(s) and an activity summary, followed by a detailed breakdown of user activity.
Action Type
Click the drop down to display all action types available. Place a check in the box next to the action or actions you wish to include in the filtered results.
Activity Summary Report
The Activity Summary Report view shows a static summary, with corresponding pie graph, of all myPassword activity for a defined time period.
Settings Change Report
The Settings Change Report displays any settings that have been modified within myPassword for a defined time period, listing the original value and the new value for each setting. The first page of the report displays a summary and follows with a breakdown of changes.
Start and End Date
Click the calendar icon in the Date entry box to display the Calendar object. Select a date from this calendar to display all activities for a defined start and end date. The filter defaults to the last 30 days of activity.
Report Options
Once the report has been generated, you can navigate through the pages of the report by using the arrow keys. You may also expand or shrink the report display size by using the zoom drop down.
To export the generated report, select the desired format from the drop down list. Currently available formats are Excel, PDF and Word.
DB Maintenance
The DB (database) Maintenance screen displays SQL database information and status, and allows you to purge user activity from the SQL database.
Click Purge Records to mark any records prior to the defined date as inactive. You will be prompted to confirm the records will be purged.
Click Yes – Purge Records to mark all selected records as inactive.
Accessing myPassword
Access Methods
Several access methods are available with myPassword, including Normal/Kiosk, Mobile Web App, Web Front End, ReturnURL and AutoClose. Any of these access methods may be set with additional URL arguments and directly linked entry pages. The behavior and button text of myPassword will vary depending on the method in use, and which entry page the user first accesses.
From the Windows Logon Form
myPassword provides both GINA-enabled and GINA-free methods of allowing users to access myPassword directly from their Windows Logon Form.
NOTE: A GINA (Graphical Identification and Authentication) is a DLL that is pushed out to each workstation and modifies the user’s logon form, providing a prompt and a direct access link to myPassword. The management of the GINA method is not considered to be a best practice by Microsoft. However, it is preferred in certain environments, so we provide both GINA-enabled and GINA-free methods. Both methods are compatible with the Profile Validator tool.
GINA-free access
The GINA-free access method combines a Restricted Access Account with a Windows Logon Form prompt message.
A Restricted Access Account is a well-known account that anyone can use to log on, but which has very limited access. Using this method, a user logging in with a Restricted Access Account is taken directly to the myPassword site, without being granted additional access to any local files or resources on the PC or other websites.
To complement the Restricted Access Account method, Namescape also provides a means to include a custom message prompt at the top of each user’s logon screen, reminding them to use the Restricted Access Account should they forget their password.
The GINA-free access method provides a number of advantages over the GINA method, including centralized management and eliminating potential conflicts that a GINA.DLL may create.
For more details, see:
Installation – myPasswordRestrictedAccessAccount.pdf
Installation – myPasswordWinLogonPrompt.pdf
GINA-enabled access
The myPassword GINA will modify the logon screen using a custom GINA.dll installed on every workstation, and will prominently place a customizable message and link to the myPassword website.
For more details, see:
Installation – myPasswordGINA.pdf
Outlook Web Access Logon Page
A link to myPassword can be added to the Outlook Web Access (OWA) Logon page, granting remote users access to myPassword. Using this method, the ReturnURL is configured to return the user to the Outlook Web Access Logon page upon completion of a password modification or inactivity timeout in myPassword.
For more details, see Appendix A – Adding a myPassword Link to the Outlook Web Access Logon Page.
Company portal or web page
A direct link to myPassword can be added to a company portal or web page, granting remote users access to myPassword. Using this method, the ReturnURL is configured to return the user to the originating portal or web page upon completion of a password modification or inactivity timeout in myPassword.
Web Front End\Public internet access
The strong security features of myPassword make it suitable for public availability. When using the externally facing Web Front End, a simple client is installed on an IIS server located in your DMZ. This client is then configured to securely communicate with an instance of the myPassword Proxy Server service that is deployed on an internal installation of myPassword. This architecture allows for secure password modifications, without the fear of externally exposing your Active Directory. The Normal/Kiosk Access Method is used when myPassword is publicly accessible, and the user is returned to the entry page upon completion of a password modification or inactivity timeout.
Dedicated kiosk
A dedicated, centrally located workstation, or Kiosk, with access to myPassword is a solution many companies find desirable. In this scenario, the Normal/Kiosk Access Method is used, and the user is returned to the entry page upon completion of a password modification or inactivity timeout.
Shared console
A user may simply go to a co-worker or manager’s workstation to access myPassword, which may be preferred if the Voucher feature is enabled.
Mobile access
myPassword also includes a web app display mode, allowing users on smart phones or tablets to perform any of the standard myPassword operations in a smaller, mobile device friendly format. The web app is created alongside the normal myPassword site during installation and does not require additional configuration. When a user accesses the myPassword site with a smart phone or tablet device, the device type will be automatically detected and the user will be shown the appropriate view. Because this is a web app, and not a native mobile app, no further installation or configuration on the mobile device is required.
Entry Pages
There are five possible entry pages for myPassword. The main menu page is the default Entry Page when the base URL for myPassword is used. For example:
///myPassword
The remaining four possible entry pages each represent one of the primary features found on the main menu page.
Main Menu Page
If the Change Password, Password Reset, Unlock Account, and Password Profile Edit features are all enabled, users accessing the main page of myPassword will see the choices shown below.
Selecting Change my Password, Reset my Password, Unlock my Account, or Edit my Profile directs the user, respectively, to the pages below:
///myPassword/PasswordChange.aspx
///myPassword/PasswordReset.aspx
///myPassword/AccountUnlock.aspx
///myPassword/EditProfile.aspx
If enabled, each of these pages can also be accessed directly. When accessed directly, these pages are considered the Entry Page for that user, rather than the main page.
Access Modes and Arguments
There are three Access Modes that modify the behavior of myPassword on completion of a password modification or inactivity timeout. Each mode will have unique text displayed on the Timeout/Return button, as described by the table below:
Access Mode  | Action on Completion or Timeout | Timeout/Return Button Text
Normal/Kiosk | Return to Entry Page            | Return to Now
ReturnURL    | Returns to URL specified        | Return to Now
AutoClose    | Close Browser                   | Return to Windows Logon Now
In all modes, the Cancel button returns the user to their respective entry page.
Normal/Kiosk
Normal or Kiosk is the default access mode used when additional URL arguments are not passed into the Entry Page.
In this access mode, the user always returns to their respective entry page when the Timeout/Return button is clicked, an action is completed, or an inactivity timeout occurs. The Timeout/Return button text appears as one of the following depending on the entry page for that user:
Return to the Main Menu
Return to the Password Reset Page
Return to the Change Password Page
Return to the Unlock Account Page
Return to the Profile Edit Page
ReturnURL
The ReturnURL Access Mode is enabled by passing in a ‘ReturnURL’ argument that specifies a URL to return to when an action is completed or an inactivity timeout occurs. This mode is intended for use when myPassword is launched from another web page, such as the Outlook Web Access (OWA) Logon Page or a company portal. An optional argument ‘ReturnPageName’ may also be added to customize the text on the Timeout/Return button.
For example, the URL specified might be:
OWA Return
///myPassword?ReturnURL=https://mail.acme.com/exchange&ReturnPageName=OWALogon
Company Portal Return
///myPassword?ReturnURL=http://portal.acme.com&ReturnPageName=ACMEPortal
In this Access Mode, the user will always return to the URL specified by the ReturnURL argument when the action is completed or an inactivity timeout occurs.
The Timeout/Return button text displays ‘Return to Now’, where is either the value specified by the ‘ReturnPageName’ argument, or ‘Home Page’ if the ‘ReturnPageName’ argument is not specified.
NOTE: The ReturnPageName should be short (
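One way to generate and audit the ReturnURL links described above, as an added example (not part of the guide or the product): the builder encodes ReturnURL so a return address with its own query string survives intact, and both functions reject return targets that are not on an administrator-maintained host list. The host list, the entry URL and the function names are assumptions; the guide does not say whether myPassword itself restricts ReturnURL targets.

```javascript
// Added example: build and audit myPassword entry links that use ReturnURL.
// The host list and entry URL are constructed for illustration.
const ALLOWED_RETURN_HOSTS = new Set(['mail.acme.com', 'portal.acme.com']);
const ENTRY_URL = 'https://pwreset.example.com/myPassword';

// Decide whether a return target is one the administrator approved.
function checkReturnUrl(returnUrl, allowedHosts = ALLOWED_RETURN_HOSTS) {
  let target;
  try {
    target = new URL(returnUrl); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { ok: false, reason: 'scheme is not http(s)' };
  }
  if (target.username || target.password) {
    return { ok: false, reason: 'embedded credentials' };
  }
  // Exact host match: a suffix or substring test would accept look-alikes.
  if (!allowedHosts.has(target.hostname)) {
    return { ok: false, reason: 'host not on allowlist' };
  }
  return { ok: true, url: target.href };
}

// Build the link to publish on the OWA logon page or portal. searchParams
// percent-encodes the values, so '&' and '?' inside the return address do
// not leak into the myPassword argument list.
function buildEntryLink(returnUrl, returnPageName, entryUrl = ENTRY_URL) {
  const check = checkReturnUrl(returnUrl);
  if (!check.ok) throw new Error(`ReturnURL rejected: ${check.reason}`);
  const link = new URL(entryUrl);
  link.searchParams.set('ReturnURL', check.url);
  if (returnPageName) link.searchParams.set('ReturnPageName', returnPageName);
  return link.href;
}

// Audit a link that is already published. extraArgs lists arguments other
// than the two the guide names; an unexpected entry usually means an
// unencoded return address was split at one of its own '&' characters.
function auditEntryLink(link) {
  const params = new URL(link).searchParams;
  const returnUrl = params.get('ReturnURL');
  const extraArgs = [...params.keys()].filter(
    (name) => name !== 'ReturnURL' && name !== 'ReturnPageName');
  if (returnUrl === null) return { ok: true, returnUrl: null, extraArgs };
  return { returnUrl, extraArgs, ...checkReturnUrl(returnUrl) };
}

// Constructed sample links, audited in one pass.
function auditSamples() {
  const samples = [
    buildEntryLink('https://mail.acme.com/exchange', 'OWALogon'),
    ENTRY_URL + '?ReturnURL=https://portal.acme.com/home?tab=1&lang=en',
    ENTRY_URL + '?ReturnURL=https://unlisted.example/&ReturnPageName=Portal',
  ];
  return samples.map((link) => ({ link, ...auditEntryLink(link) }));
}
```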
Using myPassword
To access the myPassword site once it is configured, enter the URL for myPassword into a browser. For example, if myPassword is installed as a virtual directory under the default website on a server, then the URL to access myPassword would be as follows:
http:///myPassword
The same URL is used for both Normal/Kiosk and Mobile views. The myPassword site will automatically display the appropriate view based on the detected device type.
NOTE: The following screenshots are taken in the Normal/Kiosk and Mobile Access modes using the Main Menu as the Entry Page.
Main Page
If the Change Password, Password Reset, Unlock Account, and Password Profile Edit features are all enabled, then users accessing the main page of myPassword will see the choices shown below.
Captcha
If enabled, a user will be presented with a Captcha page prior to entering any personal information. On this page, a captcha will be generated that the user must correctly type into the box before they are allowed to proceed. If the user is unable to read the displayed captcha, they may click on the picture, and a new one will be generated.
NOTE: Captcha support is only available when using the desktop or web front end clients.
Reset my Password
When a user selects Reset my Password, or otherwise lands on the Password Reset page, they are presented with the logon page shown below. On this page, users are asked to enter their Windows account name.
Denied Access Pages
After entering their logon name, users are denied access to myPassword if either of the following conditions exists:
1) The user is not allowed access by the myPassword Access Roles, or
2) The user has not filled in their Password Reset Profile in rDirectory and the Allow Reset without Profile if Vouched For option is not checked.
If the user is denied access based on myPassword Access Roles, they will be presented with an access denied dialogue and will not be allowed to proceed.
If the user has not filled in their Password Reset Profile, and the Vouching option is not enabled for users that have no profile, the error message below is shown:
Voucher Pages
After providing their logon name, a voucher is required if either of the following two conditions exist:
1) The user does not have a Password Reset Profile, and a voucher is allowed as an alternate means of validating the user’s identity.
2) The user has a Password Reset Profile, and a voucher is required as an additional means of validating the user’s identity.
If the user has no Password Reset Profile, and a voucher is required, the user will see the screen below:
The message field (‘You are vouching for: username’) can be modified by editing the assigned header file associated with a voucher rule. For example, if you had a rule that required a user’s manager to vouch for them, that rule might also specify a header message such as ‘A Manager must vouch for you before your password can be reset’.
Each voucher rule may also specify the roles of those who are allowed to vouch for a given user. If the voucher is not authorized for the given user, the following screen appears:
Reset Password Page
After all Password Reset Profile questions have been answered correctly and/or the user has been successfully vouched for, the user will be allowed to reset their password. The user can be given the option to either manually enter a new password, or generate a password automatically. Additional configuration options may allow only a generated password and/or force the user to change their password at next logon.
As a password is entered, the password strength meter will display Weak, Average, Strong or Excellent, depending on the complexity of the password. If you would like to automatically create a random password instead of manually entering one, select the Generate option. Each time the Generate button is clicked, a new password will be generated.
Once an appropriate password has been entered, click the Submit button to accept the new password.
Unlock my Account
When a user selects Unlock my Account, or otherwise lands on the Account Unlock page, they are presented with the same set of pages that appear when they select the Reset my Password option. These pages include Logon, Vouch (if applicable), or a Question/Answer profile (if applicable). However, once a user is authenticated, they will be shown the following Account Unlock page rather than the Reset Password Page.
For security reasons, the locked status will not be presented until the account has been authenticated, either by answering the associated profile questions or by being vouched for by an authorized user.
Change my Password
When a user selects Change my Password or otherwise lands on the Password Change page, they are first presented with the Logon page. On this page, users enter their Windows credentials in order to change their existing password.
Because the user must provide valid credentials to change their password, vouching is not available on this page. Configured myPassword Access Roles, however, will still apply and accounts not authorized to use myPassword will be presented the Denied Access message.
Mandatory Profile Completion on Password Change
If a user has not filled out a Password Reset Profile, they will be forced to do so before proceeding to the Change Password page. This improved flow guarantees a profile is created for users who do not have access to a computer where the profile validator is installed, and simplifies the onboarding process when filling out a password profile is desired.
Edit my Profile
When a user selects Edit my Profile or otherwise lands on the Edit Profile page, they are first presented with the Logon page. On this page, users are required to enter their Windows credentials in order to edit their password profile.
Once authenticated, the user will be presented with a list of questions, as required by the assigned Password Profile Policy. A single, global Password Profile Policy may be configured for all users, or multiple Password Profile Policy Rules may be created in the Namescape Designer and assigned to different groups of users as desired.
After answers have been provided and any custom questions defined, click Submit to create the Password Reset Profile and return to the main menu.
Enforcing Enrollment
In addition to forcing enrollment in the Change my Password feature of myPassword, there are a number of other methods available that may be used to prompt a user to create a Password Reset Profile.
On rDirectory access
By using the integrated Enforce Profile Validation features within rDirectory, users can be required to fill in their Password Reset Profile when they access the rDirectory site. This feature may also enforce data validation rules for other attributes, including those with malformed or otherwise incorrect data.
For more details on the Enforce Profile Validation feature, please see the rDirectory online help.
On Logon with ProfileValidator.exe
The ProfileValidator.exe tool is designed to execute automatically during logon and request, or optionally require, that the user complete or correct data in their Password Reset Profile.
If only myPassword is installed, the ProfileValidator.exe will check for an empty Password Reset Profile and require that it be completed at logon.
If rDirectory is installed and licensed in addition to myPassword, the ProfileValidator.exe can be configured to leverage the Enforce Profile Validation feature and require the user to certify or validate virtually any attribute associated with their Active Directory account. See Installation and Setup myPassword Optional Features.pdf in the documentation folder for details on configuring and deploying this tool via GPO policies.
Appendix A: Customizing myPassword
Customizing myPassword has changed significantly from previous versions of the product. The 2.x and 3.x versions of myPassword allowed direct access to the underlying HTML. In 4.x versions of the product, this is no longer possible as all content is dynamically generated. This means certain customization options available previously may not be possible without the assistance of Namescape Professional Services.
NOTE: myPassword customization/training is not included as part of the standard product support package. Professional Services are available for purchase if additional assistance beyond this documentation is required.
Client Customization
A limited number of styles within myPassword are customizable by an administrator through the Namescape Designer, or by modifying files in the installation directory.
The look of the myPassword client is based on the currently defined theme, located in the \myPassword\App_Themes directory. Each selectable theme will have a contents subfolder containing its own unique set of files and images.
The myPassword.css file in each theme folder defines major CSS classes which control styles such as background color, font, and elements of the main menu page. In most cases, selecting an existing theme in the Namescape Designer and then modifying the myPassword.css file should achieve the desired effect.
NOTE: The myPassword-all.css file is a minified version of all styles necessary for the base components of the application. Editing this CSS file is not recommended, and is not supported by Namescape.
If the only customization desired is replacing the myPassword logo with your own branded logo, simply rename your custom png image to myPassword.png and replace the existing myPassword.png file in the root of the myPassword website directory.
Themes
The majority of the CSS that controls the look and feel of myPassword is part of a predefined theme. The currently selected theme can be changed in the Namescape Designer under myPassword | General | Appearance. Changing a theme will alter the colors of all elements within the client, but will not affect text or the logo graphic.
NOTE: If you are unable to achieve a desired look with the options provided, Namescape Professional Services are available for purchase to assist you with creating a custom theme to fit your needs.
Use Classic Dialogue Style
In addition to selecting a theme, you also have the option to make dialogue boxes appear similar to those in previous versions of the product. By enabling this setting, the dialogue boxes will appear with a thinner border and have squared corners, rather than rounded.
Adding a myPassword link to the Outlook Web Access Logon Page
NOTE: Customizing the Outlook Web Access (OWA) Logon Screen may require advanced customization techniques not included in this document. Professional Services are available for purchase if additional assistance beyond this documentation is required.
The procedures included in this document have been confirmed to work with Outlook 2003 and Outlook 2007.
By default, the Outlook Web Access logon screen should look similar to the picture below:
For Outlook Web Access 2003:
Replace the [myPassword URL] with the URL of your myPassword website and replace the section [OWA URL] with the URL of your OWA website.
Example:
Replace:
With:
NOTE: The above change adds 3 rows to the HTML table and puts the myPassword link in the middle row in the center.
For Outlook Web Access 2007
Highlight the , and in the file, as shown below in the first figure. This is right below and right above of the logon.aspx file.
Replace the highlighted section with this:
Forgot your password? Click here to reset using myPassword.
4. Once the version appropriate changes have been made, save the file and test by reloading the Outlook Web Access site.
You should now see a new myPassword link displayed below the password entry field on the logon page. It will look similar to this:
OWA 2003
OWA 2007
Redirecting the IWA failed logon page to the myPassword site
This section of the document describes how to redirect users to the main myPassword site in the event of a failed logon from any website using Integrated Windows Authentication (IWA), including SharePoint.
1. Using Notepad, edit the 401-1.htm file, by default found under:
C:\Inetpub\custerr\en-US\
2. Find the following section of HTML markup:
You are not authorized to view this page
You do not have permission to view this directory or page using the credentials that you supplied.
Please try the following:
3. Modify the element to include onload="redirect()">
onload="redirect()">
You are not authorized to view this page
You do not have permission to view this directory or page using the credentials that you supplied.
Please try the following:
4. Now find the following section of HTML markup at the bottom of the file:
Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Authentication, Access Control, and About Custom Error Messages.
5. Insert the following lines right after and before
// Called from the onload attribute added in step 3
function redirect() {
  window.location = "http://mp1";
}
It should read as follows:
function redirect() {
  window.location = "http://mp1";
}
Where ‘http://mp1’ is replaced with the URL of your myPassword website.
Example:
Replace:
window.location = "http://mp1";
With:
window.location = "http://[myPassword URL]";
6. Save the file and test.
How to change the language in myPassword
NOTE: This section describes how to manually configure the language support in myPassword. The product ships with German, Spanish and French already translated. For those languages, simply change your browser language setting.
In addition to the included languages, myPassword may be configured to display any other custom language desired. Namescape is not responsible for translation errors resulting from the following procedure.
Setting up the directory infrastructure
The example we will use will demonstrate how to create a sub-folder structure for the Italian language.
1. Locate the Resources folder, located by default at:
C:\inetpub\wwwroot\rDirectory\myPassword\Resources
2. Create a new folder under the \Resources folder named ‘it’ for Italian
3. Open the \en-us folder under \Resources and copy all the folders and files to the new \it folder.
4. Copy the DefaultResource.xml from the \Resources folder and paste it in the new \it folder
5. Rename the DefaultResource.xml in the \it directory to Resource.xml
6. In the \it folder, open the resource.xml and change the item key value that corresponds with the object that you want to display in Italian.
NOTE: Use extreme caution when making changes to the Resource.xml file. If this file is modified incorrectly, the desired changes will not take effect and may cause further problems for the page display. Namescape Support does not include assisting with customizations.
The following edits will change the Product Description text:
Before
Self-Service Password Management
After
Self-Service parola d'ordine gestione
7. Restart IIS
8. Change the language in your web browser to ‘it’ for Italian
9. Launch the myPassword website. The product description should now display the Italian text.
By modifying the key values in the resources.xml file, you can change any text for a language specific page that is triggered by the browser default language settings.