Password Reset for Remote Users


Courion provides a component for the PasswordCourier® Password Provisioning System that manages the local password cache in conjunction with self-service password reset activities. The solution provides a seamless experience for the end user, whether they are a user who is connected to the corporate network or a remote user.


Table of Contents

1. INTRODUCTION ... 2

2. LOCAL PASSWORD CACHE ... 3

2.1 ACCESSING NETWORK RESOURCES ... 3

2.2 LOGON WHEN DOMAIN IS UNAVAILABLE (REMOTE USER) ... 3

3. DEPLOYMENT CHALLENGES ... 3

3.1 WEB-BASED SELF-SERVICE CHANGE ... 3

3.2 REMOTE USER SELF-SERVICE RESET ... 4

4. HOW DOES IT WORK ... 4

5. DEPLOYING PASSWORDCOURIER ... 5

5.1 WEB-BASED SELF-SERVICE CHANGE ... 5

5.2 REMOTE USER SELF-SERVICE RESET ... 5

5.2.1 Desktop Deployment Steps ... 5

5.2.2 Remote User Experience ... 7

5.3 DISTRIBUTION METHOD ... 8

6. TRAINING AND ADOPTION ... 8

ABOUT COURION ... 9

Table of Figures

FIGURE 1 - UPDATING THE LOCAL PASSWORD CACHE ... 4

FIGURE 2-KIOSK ACCOUNT ... 6

FIGURE 3-PROFILELIST REGISTRY KEY ... 6

FIGURE 4-KIOSK ACCOUNT PROFILE INFORMATION ... 7

FIGURE 5-CHANGE THE SHELL ... 7

1. Introduction

Courion provides a component for the PasswordCourier® Password Provisioning System that manages the local password cache in conjunction with self-service password reset activities. The solution provides a seamless experience for the end user, whether they are a user who is connected to the corporate network or a remote user. The local desktop password cache in Microsoft Windows® is used to streamline the logon process and use of credentials on the desktop. For a smooth end user experience, interaction with the local password cache must be considered when deploying PasswordCourier. The most seamless end user experiences with password management incorporate elements that manage the local password cache.

Several password reset deployment scenarios with local cache considerations are discussed in this document.


2. Local Password Cache

The local password cache in Windows simplifies the end user experience for network access and network logon. The cache itself resides on each Windows system where users logon interactively. By default the last 10 logons are cached and stored in a protected area of the Windows registry and in process memory.

The Windows operating system manages the local password cache. For example:

• An interactive logon adds a cache entry.

• An end user password change initiated with ctrl-alt-del updates the password cache.

2.1 Accessing Network Resources

When access to a network resource is requested by a user, the credentials (username and password pair) are retrieved from the cache (if they are stored) and provided to the resource. This removes the need to interactively prompt the user for their credentials each time a network resource is requested.

2.2 Logon When Domain is Unavailable (Remote User)

Users may be authenticated against the cached credentials rather than the Windows domain. This is most useful when the user is remote and network connectivity has not been established to the domain or when the domain is unavailable. Logon verifies the username/password pair against the cached credentials, logs the user on, and grants them access to the Windows Desktop for their domain account.

3. Deployment Challenges

PasswordCourier administrators must consider how password management operations interact with the local password cache in a deployment.

3.1 Web-Based Self-Service Change

Password changes initiated with the PasswordCourier Web Access Option need to interact with the local password cache when the Windows account is logged on. Without proper management of the cache, old credentials that are resident in the cache are presented when a network resource is accessed. Because the credentials are old (invalid), authentication fails, and the account may become locked out after repeated access attempts. For example:

• Chris Smith is logged into the domain CORPDOMAIN using account csmith with password abcd1234.

• Chris initiates a synchronized password change in PasswordCourier using the web access option:

o Chris changes the password for CORPDOMAIN\csmith to wxyz7890.

• The password change for CORPDOMAIN (and other targets) succeeds.

• At this point the domain password and the cache password are out of sync:

o The password in CORPDOMAIN is wxyz7890.

o The password in the desktop local cache is abcd1234.

• Chris launches Microsoft Outlook®:


3.2 Remote User Self-Service Reset

Remote users typically logon and authenticate against credentials in the local password cache to gain access to their desktop. Then they establish VPN connectivity to the domain and network resources. In this scenario, the Windows domain is not available prior to logon. If the user forgets the password (as stored in the local password cache), they cannot logon and cannot get to a desktop. Hence they cannot access an automated solution. They have a few options:

• The user may logon using a different local account.

• The user may logon with a different domain account that is cached.

• The user may wait until the system is connected directly to the corporate network (this may work for laptops but not for remote offices).

• Self-service reset may be initiated on the telephone. Telephone-based solutions reset the password in the Windows domain but do not update the password stored in the local cache.

4. How Does It Work

Courion provides an ActiveX control (CourLocalControl) that manages the local password cache during a password reset action. The control is incorporated into the Web Access Option for PasswordCourier. After a successful reset, the CourLocalControl is loaded in the web browser that is running on the user’s desktop. The control uses a Windows API call to communicate with the Windows domain where the reset occurred and update the local password cache.

NOTE: the CourLocalControl requires network connectivity to the Windows domain controller, whether through a VPN connection or through a hard wired connection. Also, the web browser security settings must allow the CourLocalControl (ActiveX) to execute.

The following scenario illustrates the use of the Web Access Option.


5. Deploying PasswordCourier

5.1 Web-Based Self-Service Change

This scenario is easily solved. As described in the previous section, the CourLocalControl is used with the PasswordCourier Web Access Option to update the local credential cache on the desktop where the web browser is running.

• The user is already logged on.

• A successful web-based reset is executed on the Windows domain account.

• CourLocalControl updates the cache on the desktop where the browser is running, for the domain account.

• The user continues their day-to-day activities without interruption of service.

5.2 Remote User Self-Service Reset

Remote users in need of a local cache reset face a unique challenge: they do not have access to the Windows domain controller. A kiosk approach is used to address this problem.

• Log in with a local account (kiosk account) that has limited access.

• Network connectivity to the domain controller is established (required by the CourLocalControl).

• The Internet Explorer browser is started in kiosk mode and launches PasswordCourier.

• CourLocalControl is used in the same fashion to update the local password cache.

5.2.1 Desktop Deployment Steps

Configuration steps are needed on each system that supports password reset for remote, disconnected users. Successful adoption requires that employees be aware of the solution and trained on how to use it. This is discussed further in the next section of this document.

1. Create a local account on the desktop system with limited privileges (least privilege).

2. Set the properties on the account so the user cannot change the password and the password should not expire. Your security policy determines whether a password is required.


Figure 2 - Kiosk Account

3. Determine the security identifier (SID) of the kiosk account.

o Login as the kiosk user, in this example courionreset.

o Use the registry editor to find the SID of the kiosk account.

o View HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

Figure 3 - ProfileList Registry Key


Figure 4 - Kiosk Account Profile Information

5. Configure the kiosk account to launch a web browser in kiosk mode immediately after successful logon, making only the PasswordCourier web pages available.

o Use the registry editor to open the SID for the kiosk account under HKEY_USERS:

HKEY_USERS\<SID>\Software\Microsoft\Windows NT\CurrentVersion\WinLogon

o Create a new string value under the SID named Shell.

o Add a value for Shell that starts Internet Explorer in kiosk mode and loads an initial web page for PasswordCourier:

"C:\Program Files\Internet Explorer\iexplore.exe" -k https://<<url>>

NOTE: double quotes are required because of spaces in the pathname.

Figure 5 - Change the Shell

6. Define a login script that establishes network connectivity to the domain controller. Typically it will create a VPN connection.

7. Verify that execution of the CourLocalControl ActiveX control is allowed.

8. Test the kiosk account with PasswordCourier.
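The registry work in steps 3 and 5 above, scripted as an added example that is not from the Courion document. It assumes the kiosk account courionreset already exists as described in steps 1 and 2, uses https://<<url>> as a placeholder for the PasswordCourier address, and needs the LocalAccounts cmdlets (Windows 10 / Server 2016 or later) in an elevated session while the kiosk user's hive is loaded under HKEY_USERS.

```powershell
# Added example, not part of the Courion document: automates steps 3 and 5 of
# section 5.2.1 and checks two preconditions the procedure depends on.
# Assumptions: kiosk account 'courionreset' exists (steps 1-2), the URL is a
# placeholder, and the kiosk user has logged on at least once (hive loaded).
param(
    [string]$KioskUser = 'courionreset',                 # document's example name
    [string]$ResetUrl  = 'https://<<url>>',               # placeholder URL
    [string]$IePath    = 'C:\Program Files\Internet Explorer\iexplore.exe'
)

# Precondition: the approach relies on cached domain logons being enabled.
# CachedLogonsCount (REG_SZ) defaults to 10, the "last 10 logons" of section 2.
$machineWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $machineWinlogon).CachedLogonsCount
if ($cached -eq '0') {
    throw 'CachedLogonsCount is 0: remote users cannot log on offline, so a cache reset is moot.'
}

# Step 3: resolve the kiosk account's SID programmatically instead of reading it
# off the ProfileList screen, then confirm a profile exists for that SID.
$account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $KioskUser)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
if (-not (Test-Path $profileKey)) {
    throw "No profile for $KioskUser ($sid): log on as the kiosk user once, then rerun."
}

# Least-privilege check (step 1): the kiosk account must not be a local administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains "$env:COMPUTERNAME\$KioskUser") {
    throw "$KioskUser is a member of Administrators; use a limited account."
}

# Step 5: set the per-user Shell so logon goes straight into IE kiosk mode.
# PowerShell has no HKEY_USERS drive by default, so map one.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
if (-not (Test-Path "HKU:\$sid")) {
    throw "Hive for $sid is not loaded; the kiosk user must be logged on."
}
$userWinlogon = "HKU:\$sid\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
New-Item -Path $userWinlogon -Force | Out-Null
# Double quotes around the path are required because of the spaces (document's NOTE).
$shell = "`"$IePath`" -k $ResetUrl"
Set-ItemProperty -Path $userWinlogon -Name Shell -Value $shell -Type String

# Read the value back so the operator sees exactly what runs at the kiosk logon.
Get-ItemProperty -Path $userWinlogon -Name Shell | Select-Object -ExpandProperty Shell
```

Steps 6 and 7 (the VPN login script and the browser's ActiveX permission) are environment specific and are left to the administrator.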

5.2.2 Remote User Experience

The remote user community must be trained to follow these steps to initiate a reset of their cached password. In this scenario, Chris Smith (our employee) is traveling with a laptop and has forgotten the cached password. Chris is connected to the Internet from a hotel.


3. Chris could initiate a reset over the telephone, but this reset does not update the cache on the laptop in the hotel room (i.e., no connectivity to corporate resources).

4. Chris logs in with a local account named MYLAPTOP\reset. No password is needed.

a. The account logs in.

b. A script is run to silently establish a VPN connection.

c. The browser is launched, pointing to the PasswordCourier web pages.

5. Chris authenticates and selects the corporate domain, CORPDOMAIN, for reset.

6. Upon a successful reset, the CourLocalControl is downloaded and updates the laptop’s local password cache with the new password.

7. Chris uses ctrl-alt-del to log out.

a. An alternate approach automatically logs out after the reset status is shown in PasswordCourier.

8. Chris logs in again with CORPDOMAIN\csmith and the new password.

a. Login is successful because the cache has been updated.

9. Chris proceeds with the normal activities such as launching the VPN, starting Outlook and accessing network drives.

5.3 Distribution Method

Windows XP

Users will require "Enable Automatic prompting for ActiveX controls" to be set in the security options for Internet Explorer to download the control. If this is not enabled, the download message bar from Microsoft forces a page refresh to download the control.

Recommended distribution methods:

1. Distribute the control via Active Directory policy.

2. Distribute the control with Direct!® via a silent installation. A script which distributes the control must contain the following:

• copy CourLocalControl.dll to system32

• copy CourLocalMsg.dll to system32

• regsvr32 /s CourLocalControl.dll

Windows 2000

Users require the 'act as part of the OS' Group Policy setting.

6. Training and Adoption

Successful adoption of an automated solution requires that employees be aware of the solution and trained on how to use it. It is not sufficient to deploy the solution. The most benefit and ROI is achieved when the solution is widely used and expensive calls to the support center are avoided.

Courion’s Self-Service Attainment (SSA) Program provides a comprehensive set of guidelines, concrete actions and professional support to accelerate end user adoption of your self service applications. Typically SSA (promotion, education and training) targets both the users of the self-service solution and the support staff employees who


Trademarks

(c)1996-2008 by Courion Corporation. All rights reserved.

Courion®, the Courion logo, AccountCourier®, CertificateCourier®, PasswordCourier®, and ProfileCourier® are all registered trademarks of Courion Corporation. Enterprise Provisioning Suite™, AuditLink™, DIRECT!®, ComplianceCourier™, Dynamic Community™, the ez Install logo, IdentityLInk™, IdentityMap™, Policy Publisher™, PolicyLink™, AssetLink™, and ServiceLink™ are trademarks of Courion Corporation.

Microsoft Corporation®, Microsoft Windows® 98, 2000, Microsoft Windows NT®, Microsoft® Excel, Microsoft® Access, Microsoft® Internet Explorer, and SQL Server® are either registered trademarks or trademarks of Microsoft Corporation® in the United States and/or other countries. Microsoft is a U.S. registered trademark of Microsoft Corp. All other products and companies mentioned in this document may be the trademarks of their associated organizations.

ABOUT COURION

Courion’s award-winning Access Assurance solutions are used by more than 450 organizations and over 12 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion’s business-driven approach results in unparalleled customer success by ensuring users’ access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at www.courion.com, our blog at http://blog.courion.com/, or on Twitter at http://twitter.com/Courion.
