Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

  • Home
  • Blog
  • How To Install FIM 2010 R2 Password Reset Extensions

How To Install FIM 2010 R2 Password Reset Extensions

“Can we install the FIM 2010 R2 Add-ins and Extensions on our desktops before we upgrade the rest of the FIM environment?”

While this may be an obvious, self-answering question, I had a client ask me about it recently, and while I was pretty certain of the answer, “No,” I had some time and a virtual environment so I went ahead and tested it.

The first clue that things were going horribly wrong was when I got to this panel in the install process (an example from the “Installing the FIM 2010 R2 Add-ins and Extensions” found here https://technet.microsoft.com/en-us/library/hh322877(v=ws.10).aspx):

Since FIM 2010 does not have an equivalent, I had to make up an entry to be able to proceed to the install panel. This, to me, meant that while users might be able to reset their passwords, they would probably be unable to register for self-service password reset. But I proceeded on with the install as registered users still might be able to reset their passwords.

After installation and a reboot, I first tried to register for password reset using the link on the FIM Portal. Of course, as I suspected, I immediately received the following error, confirming that users would not be able to register for SSPR after the FIM 2010 R2 Password Reset Extensions were installed.

Not inhibited by this failure, I next tried the “Reset My Password” FIM Password Portal page, but received a similar error, confirming that users would not be able to use this portal to reset their password after the FIM 2010 R2 Password Reset Extensions were installed.

This left one last test to conduct to see if a user could still reset their password from the link on the Windows log on screen. I felt this might be the only feature that still would work, as cosmetically it appeared that not much had changed in that process.
I logged off the test Windows 7 desktop I was using, promptly forgot the password, and clicked on the “Reset Password” link.

At first I thought maybe I had been incorrect in my assessment, as the “Authentication Required” panel appeared, and I was asked the appropriate Security Question to be able to reset my password, but that success was short lived. After pressing the Next button I received the following error:

Fearing that I had somehow forgotten the one letter answer I used (Yes, I know, but it’s a test lab environment) I went ahead and reset the answers to the Security Questions on another desktop and tried again.

Receiving the same error message again and again; I suspected it might be related to a description in Anthony Ho’s blog post from December 2011 of how the QA Gate answer validation is now achieved server side, and the answers are transmitted un-hashed over a message-level encrypted WCF channel. Something that is not available in the FIM 2010 SSPR client.

Anyway, I can say now with certainty that the answer to the client’s question, “Can we install the FIM 2010 R2 Add-ins and Extensions on our desktops before we upgrade the rest of FIM environment?”, is “No.”

Maybe you’ll find this useful if you’re facing the same question

Reference Links: