26.5 Password Self-Service

26.5.1 Overview of Password Self-Service

You can reduce help desk costs by setting up self-service so users can recover from forgotten passwords or reset their passwords while viewing the rules you have specified in the password policy.

You manage the policy for Password Self-Service by using one of the following:

Users access the Password Self-Service features by using one of the following:

26.5.2 Prerequisites for Using Password Self-Service

Review the information in Managing Passwords by Using Password Policies and meet the prerequisites in Prerequisite Tasks for Using Password Policies.

Although you can use some Password Self-Service features without deploying Universal Password, we recommend that you prepare your environment and turn on Universal Password so you can use all the features of password policies.

The Novell Client also takes advantage of Password Self-Service features. See “Using Forgotten Password Self-Service” in the Novell Client for Windows Administration Guide.

26.5.3 Managing Forgotten Passwords

The following sections describe how to manage forgotten passwords using iManager.

For information on managing forgotten passwords by using the Identity Manager User Application, see Password Management Configuration in the NetIQ Identity Manager 4.5 Password Management Guide.

Enabling Forgotten Password

To enable users to recover from a forgotten password without contacting the help desk, enable the Forgotten Password feature. As the following figure illustrates, you encounter this option while using the Password Policy Wizard to create a password policy. For more information on the Password Policy Wizard, see To create a challenge set while using the Password Policy Wizard:

Figure 26-6 Enable Forgotten Password

You can also enable Forgotten Password on an existing password policy:

  1. In iManager, click Passwords > Password Policies.

  2. Click the name of the policy.

  3. Click the Forgotten Password tab.

  4. Select Enable Forgotten Password, select or create a challenge set, specify an action, select the Authentication option, then click OK.

Creating or Editing Challenge Sets

A challenge set is a set of questions that a user answers to prove his or her identity, instead of using a password. The challenge set is assigned to a password policy and is used as part of a password policy's method of authentication. Users’ answers to these challenge questions are case insensitive.

You can use challenge sets as part of providing Forgotten Password self-service for users. Requiring a user to answer challenge questions before receiving forgotten password help provides an additional level of security.

When you create a password policy, you can enable Forgotten Password self-service so that users can get help without calling the help desk. To make self-service more secure, you can create a challenge set and specify that users must answer the challenge set questions before obtaining forgotten password help. You also specify what action takes place to help users after they answer the questions, such as displaying a password hint to the user. These self-service features are available to users through iManager. Your choices are explained in Selecting a Forgotten Password Action.

To create a challenge set:

  1. In iManager, click Passwords > Challenge Sets.

  2. Click New.

  3. Type a name in the Challenge set name field, select a container for the challenge set to be created in, then select or create challenge questions.

    To select a default question in the challenge set, select its check box.

    To edit a question or the number of characters (minimum or maximum) allowed for responses, click the question.

    To create a question and add it to the challenge set, click Add Question.

    User Defined: If you select this option, users can create their own challenge question.

    NMAS stores a user's user-defined questions and responses in eDirectory.

    Required Questions: Questions in this list always appear when a user uses Password Self-Service.

    Random Questions: Questions in this list appear only once as a complete set, when the user sets up Forgotten Password by answering the challenge set questions for the first time. When the user later needs to use Forgotten Password, only a few of the questions are presented for the user to answer. The number of random questions that appear depends on the number that you specify.

  4. Click OK.
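The behaviour described above (required questions always asked, a random subset of the random questions asked at recovery time, case-insensitive answers, per-question length limits) modelled as an added example; this is illustrative code, not NMAS's storage format or eDirectory's API, and the class and function names are assumptions:

```python
import hashlib
import os
import secrets
import unicodedata

# Constructed model of a challenge set as described above: required questions
# are always asked, random questions are enrolled once as a complete set and
# only `random_count` of them are asked at recovery time, answers compare
# case-insensitively, and each response has a length bound. Storage format
# and names are illustrative, not NMAS/eDirectory's own.

PBKDF2_ROUNDS = 100_000


def normalize(answer: str) -> str:
    """Trim and case-fold so 'Fluffy ' and 'fluffy' compare equal."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


class Question:
    def __init__(self, text, required, min_len=1, max_len=255):
        self.text, self.required = text, required
        self.min_len, self.max_len = min_len, max_len


class ChallengeSet:
    def __init__(self, name, questions, random_count):
        self.name, self.questions, self.random_count = name, questions, random_count
        if random_count > sum(1 for q in questions if not q.required):
            raise ValueError("random_count exceeds the number of random questions")


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def setup_responses(cset, answers):
    """Enrolment: the user answers every question once; only salted hashes are kept."""
    stored = {}
    for q in cset.questions:
        a = answers.get(q.text)
        if a is None:
            raise ValueError(f"missing answer for: {q.text}")
        if not q.min_len <= len(a.strip()) <= q.max_len:
            raise ValueError(f"answer length out of range for: {q.text}")
        salt = os.urandom(16)
        stored[q.text] = (salt, _digest(a, salt))
    return stored


def select_questions(cset, rng=secrets.SystemRandom()):
    """Recovery: every required question plus a random subset of the random ones."""
    required = [q for q in cset.questions if q.required]
    random_qs = [q for q in cset.questions if not q.required]
    return required + rng.sample(random_qs, cset.random_count)


def verify_responses(stored, asked, answers):
    """All asked questions must match; check every one so timing does not reveal which failed."""
    ok = True
    for q in asked:
        salt, digest = stored[q.text]
        if not secrets.compare_digest(_digest(answers.get(q.text, ""), salt), digest):
            ok = False
    return ok
```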

To create a challenge set while using the Password Policy Wizard:

  1. In iManager, launch the Wizard by clicking Passwords > Password Policies > New.

  2. In Step 4, click Yes to enable Forgotten Password.

  3. In Step 5, select Require a Challenge Set and then click New challenge set.

    To use an existing challenge set, browse for and select it.

  4. Specify the container you want the challenge set created in. Type a name in the Challenge Set Name field, then click Next.

  5. Select or create required or random challenge questions.

    If you don't want to create new questions, select existing ones.

    To enable users to add their own questions, select User Defined.

    To create a new question:

    1. Click Add Question.

    2. Select Administrator Defines the Question, click Add, specify a language from the drop-down menu, type the question, then click OK.

    3. Select whether the question is required or random.

    4. Specify the minimum and maximum characters required, then click OK.

  6. Specify the number of random questions, then click Next.

  7. Complete the remaining steps in the Password Policy Wizard.

To create a challenge set for an existing password policy:

  1. In iManager, click Passwords > Password Policies.

  2. Click the name of a policy.

  3. Click the Forgotten Password tab.

  4. Select Enable Forgotten Password > Require a Challenge Set.

  5. Browse for and select an existing challenge set or create a new one and then select the new one.

    To create a new one:

    1. Click the Challenge Sets link.

    2. In the Challenge Sets dialog box, click New.

    3. In the Challenge Sets dialog box, name the challenge set, specify a container to create the challenge set in, select or add required or random questions, then specify the number of random questions to ask.

    4. Click OK.

Selecting a Forgotten Password Action

  1. In iManager, click Passwords > Password Policies.

  2. Click the name of the policy.

  3. Click the Forgotten Password tab.

  4. Select the Enable Forgotten Password checkbox.

  5. Select an action.

    • Allow User to Reset Password: After answering the challenge set questions to prove his or her identity, the user is allowed to change to a new password. Because the user has authenticated through answering the challenge questions, the user is allowed to change the password without being required to provide the old password. To use this option, you must require a challenge set, and the user must have previously set up Forgotten Password in the iManager portal by answering the challenge set questions.

    • E-mail Current Password to User: After answering the challenge set questions to prove his or her identity, the user receives the current password in an e-mail. To use this option, you must do the following:

      • Enable Universal Password for the policy. It is found in Configuration Options under Universal Password.

      • Enable the Allow User to Retrieve Password option, found in Configuration Options under Universal Password.

      • Set up e-mail notification as described in Configuring E-Mail Notification for Password Self-Service.

      Also, the user must have previously set up Forgotten Password in iManager by answering the challenge set questions.

    • E-mail Hint to User: The user receives the password hint in an e-mail. To use this option, you must set up e-mail notification as described in Configuring E-Mail Notification for Password Self-Service.

      Also, the user must have previously set up Forgotten Password in iManager by providing a password hint.

    • Show Hint on Page: The user is shown the password hint in the iManager portal. To use this option, the user must have previously set up Forgotten Password in iManager by providing a password hint.

Password Hints

If you specify a Forgotten Password action that requires a password hint, the user can enter a hint that serves as a reminder of the password.

Password Hint

The Password Hint attribute (nsimHint) is publicly readable, to allow unauthenticated users who have forgotten a password to access their own hints. Password hints can significantly reduce help desk calls.

For security, password hints are checked to make sure they do not contain the user's actual password. However, a user could still create a password hint that gives too much information about the password.

To increase security when using password hints:

  • Allow access to the nsimHint attribute only on the nds-cluster-config server used for Password Self-Service.

  • Remind users to create password hints that only they would understand. The Password Change Message in the password policy is one way to do that. See Adding a Password Change Message.
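An added example of the hint safeguard described above: the check that a hint does not contain the password, plus a stricter heuristic that rejects hints sharing a long run of characters with it. This is not the product's own check; the comparison rules and the threshold are assumptions.

```python
import unicodedata

# Constructed hint check, added as an illustration of the safeguard described
# above: a hint that contains the password itself is rejected, and the stricter
# checks below catch hints that still reveal most of it. This is not the
# product's own check; its rules and threshold are assumptions.


def _alnum(s: str) -> str:
    """Case-fold and drop separators so 'F-l-u-f-f-y' compares as 'fluffy'."""
    folded = unicodedata.normalize("NFKC", s).casefold()
    return "".join(c for c in folded if c.isalnum())


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (dynamic programming)."""
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_hint(hint: str, password: str, max_shared: int = 3):
    """Return (accepted, reason) for a proposed hint against the user's password."""
    if not hint.strip():
        return False, "empty hint"
    h, p = _alnum(hint), _alnum(password)
    if p and p in h:
        return False, "hint contains the password (ignoring case and separators)"
    shared = longest_common_substring(h, p)
    if shared > max_shared:
        return False, f"hint shares {shared} consecutive characters with the password"
    return True, "ok"
```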

Secure Hint

The Secure Hint attribute (nsimPasswordReminder) is more secure because it is not publicly readable. It requires the user to answer challenge questions before the hint is displayed.

The challenge/response requirement is set in the Forgotten Password section of the Password Policy properties.

If you choose not to use a password hint, make sure you don't use it in any of the password policies.

Configuring Forgotten Password Self-Service

Clicking the Forgot your password? link when logging in to the portal (https://www.servername.com/nps by default) does not work for the user unless the following conditions are met:

  • The administrator has set up a password policy with Forgotten Password enabled.

  • The user has set up challenge questions or a password hint, if either of them is specified in the Forgotten Password setting.

Prompting Users to Set Up Forgotten Password

For some Forgotten Password actions, the user must do some setup before using the Forgotten Password self-service. For example, if the password policy specifies that a challenge set is used to allow a user to prove identity, and if the forgotten password action is to e-mail a password hint to the user, the user must first answer challenge-set questions and create a password hint before being able to use Forgotten Password Self-Service.

Users can initiate setting up these features in the portal, or you can require that users set them up by using post-authentication services, which are pages displayed when users log in to the portal.

To prompt users to set up these features at login time, select the Force users to configure Challenge Questions and/or Hint upon authentication option in the Password Policies interface at the bottom of the Forgotten Password page. This is selected by default when you create a policy.

Figure 26-7 Password Policy

To let users set up Forgotten Password at a time of their choice, you need to give them the URL for the portal, such as https://www.my_iManager_server.com/nps.

User Setup for Forgotten Password

There are two ways the user's part of the configuration can be accomplished:

Post-Authentication

The administrator can require the user to set up Forgotten Password features after a successful login by selecting the Forgotten Password option to force the user to configure challenge questions or a hint upon authentication. If this option is selected, but a user does not have questions or a hint set up, Forgotten Password configuration gadgets are displayed to the user the next time he or she logs in through the portal (https://www.servername.com/nps by default). This is called post-authentication setup.

In the Portal

When users log in through the iManager portal, iManager gives them access to the gadgets for setting up or changing challenge sets and password hints for Forgotten Password Self-Service. This is the same place where users can initiate a password change. They can access the following gadgets here:

  • Hint Setup

  • Answer Challenge Questions

  • Change Password (Universal)

The user can initiate changing these at any time. But if a hint or challenge set is not required for the user's password policy, the user cannot set them up. The page displays a message indicating that the options are not accessible.

To see specific examples of how these user options look in each application (iManager 2.02 or later, User Application portlet, and Novell Client), refer to the documentation for each application as outlined in Overview of Password Self-Service.

Requiring Existing Passwords to Comply

If you create or change a password policy, you can require users to change existing passwords that don't comply the next time they log in through the portal.

To do this, set an option in the password policy by using the Universal Password tab under Configuration Options. The option is called Verify whether existing passwords comply with the password policy (verification occurs on login). By default, this option is turned off when you create a new password policy. The following figure illustrates the page where you set this option:

Figure 26-8 Requiring Existing Passwords to Comply

If this option is set, the next time users log in through the portal, their passwords are checked for compliance with the password policy. If the password does not comply, a page similar to the following is displayed, and the user is not allowed to log in without changing the password.

Figure 26-9 Change Password

What Users See When They Forget Passwords

After you have installed the iManager plug-ins that shipped with Identity Manager, the Forgotten Password link shows up in the iManager portal (https://www.servername.com/nps by default), as illustrated in the following figure.

Figure 26-10 Forgotten Password in iManager

A similar link is displayed when authenticating through the Novell Client.

If a user clicks this link, the following page is displayed, asking for the user name:

Figure 26-11 Forgotten Password in Virtual Office and Novell Client

After the user name is entered, the Forgotten Password settings determine what the user sees.

For example, if the administrator specified in the password policy that a challenge set is used, a page similar to the following is displayed. The user must then answer challenge set questions to prove his or her identity.

Figure 26-12 Forgotten Password Challenge Questions

If the Administrator specified that the Forgotten Password action is Show Hint on Page, a page similar to the following is displayed:

Figure 26-13 Forgotten Password Hint

If the Administrator specified that the Forgotten Password action is E-mail Current Password to User or E-mail Hint to User, a message is displayed saying that the password or hint has been e-mailed.

26.5.4 Providing Users with Password Reset Self-Service

You can set up the password policy to allow users to reset their own passwords. How this is exposed to the user depends on which application they use to accomplish this task. See Overview of Password Self-Service for documentation links to the different applications.

26.5.5 Adding a Password Change Message

Although users can change their passwords whenever they choose to, they typically use the same passwords as long as possible. To increase security, you can use a password policy to require them to change it. That policy can contain a Password Change Message and the password rules. Whenever users change a password, they see this message along with the rules.

To edit the password policy and create this message:

  1. In iManager, click Passwords > Password Policies.

  2. Click the name of the password policy you want to add a message to.

  3. Click Policy Summary > Password Change Message.

  4. Type the message you want users to see, then click OK.

26.5.6 Configuring E-Mail Notification for Password Self-Service

The iManager role named Notification Configuration lets you specify the e-mail server and customize the templates for e-mail notifications.

E-mail templates are provided to allow Password Synchronization and Password Self-Service to send automated e-mails to users.

You don't create the templates. Instead, they are provided by the application that uses them. The e-mail templates are Template objects in eDirectory, and they are placed in the Security container, usually found at the root of your tree. Although they are eDirectory objects, you should edit them only through the iManager interface.

This is a modular framework. As new applications are added that use e-mail templates, the templates can be installed along with the applications that use them.

Identity Manager provides templates for Password Synchronization and Forgotten Password notifications. You control whether e-mail messages are sent, based on your choices in the iManager interface.

For Forgotten Password, e-mail notifications are sent only if you choose one of the Forgotten Password actions that causes an e-mail to be sent: E-mail Current Password to User or E-mail Hint to User.

The following information is discussed in this section:

Prerequisites

  • Make sure that your eDirectory users have the Internet EMail Address attribute populated.

Setting Up the SMTP Server to Send E-Mail Notification

  1. In iManager, click Passwords > Email Server Options.

  2. Specify the following information:

    • Hostname

    • Name you want to appear in the From field of the e-mail message, such as “Administrator”

    • User name and password for authenticating to the server, if necessary

  3. Click OK.

  4. Customize the e-mail templates as described in Setting Up E-Mail Templates for Notification.

After the e-mail server is set up, e-mail messages can be sent by the applications that use them, if you are using the features that cause messages to be sent.

Setting Up E-Mail Templates for Notification

You can customize these templates with your own text. The name of the template indicates what it is used for. Email templates offer language support.

  1. In iManager, click Passwords > Edit Email Templates. A list of templates appears.

  2. Edit the templates as desired.

    Keep in mind that if you want to add any replacement tags, some additional tasks might be required.

26.5.7 Testing Password Self-Service

To verify that the features are set up correctly, complete the following as part of testing Password Self-Service:

  1. Create a policy with the following characteristics. For information on how to accomplish this, see Creating or Editing Challenge Sets.

    • Enable Forgotten Password

    • Require Challenge Set

    • Select the option to verify that the challenge response and hint are configured on login

    • Assign the password policy to a container with at least one user you can use to test with. This user is the user who has the e-mail address indicated on the User object in the Internet EMail Address attribute.

  2. Make sure you have another user to test with who does not have a password policy assigned.

  3. To test password self-service, use the Identity Manager User Application. For information on how to do this, see “Using the Identity Self-Service Tab” in the NetIQ Identity Manager Roles Based Provisioning Module 4.5 User Application User Guide.

    For Windows users, test password self-service using the Novell Client. For information on how to do this, see “Using Forgotten Password Self-Service” in the Novell Client for Windows Administration Guide.

26.5.8 Adding Password Self-Service to Your Company Portal

Most of the procedures in the Password Self-Service section assume that you are using the Password Self-Service features on an iManager 2.0.2 server, which is the last version of iManager to support password self-service. If you have a version of iManager later than 2.0.2, you can only perform password self-service through NetIQ’s User Application. For more information on performing password self-service using NetIQ’s User Application, see “Using the Identity Self-Service Tab” in the NetIQ Identity Manager Roles Based Provisioning Module 4.5 User Application User Guide.

Refer to the following table for instructions on how Password Self-Service features can be used with portal products, including products other than iManager.

Making Sure Users Have Configured Password Features

When users log in to the iManager portal at https://iManager_server_IP_address/nps, they are prompted to take action through a series of post-authentication pages if conditions such as the following are true:

  • The user password doesn't comply with Advanced Password Rules in the password policy

  • The password policy requires Challenge Questions when using Forgotten Password Self-Service and the user has not configured these questions

  • The password policy is using Forgotten Password with Display Password Hint as the action and the user has not created a hint

These prompts ensure that the user can actually use Forgotten Password Self-Service. For example, if the password policy requires users to answer Challenge Questions and the user has never configured them, the user can't access Forgotten Password Self-Service. If the user has not created a password hint, the user can't retrieve it to help in remembering the password.

Because other portal products won't automatically provide the post-authentication features, you need to make sure that users log in to the iManager portal at least once to create compliant passwords and complete password management setup, and then again whenever you make changes to Password Policies.

26.5.9 Troubleshooting Password Self-Service

  • To use Challenge Response questions, make sure that you are using a browser that iManager 2.02 supports.

  • If you don't have SSL set up properly, you won't be able to log in to iManager or the portal. If you can log in successfully to iManager and you are requiring TLS for Simple Bind, SSL is set up properly and you can rule out SSL-related issues when troubleshooting Password Self-Service.