Configure Password Self-Service


Adaxes enables users to reset their own passwords and unlock their accounts without any assistance from the Help Desk or IT staff. The user's identity can be verified by answering security questions and/or entering a verification code received via SMS, email or an authenticator app such as Google Authenticator or Authy.



In this tutorial, you'll learn how to configure and assign Password Self-Service policies, and how to customize the options for resetting passwords from the Windows Logon Screen and the Adaxes Web Interface.

Policies

All aspects of the self-service password reset process are determined by Password Self-Service policies. A policy defines the methods used to prove the user's identity (security questions and/or verification codes), the number of questions to be answered, which questions are mandatory and which are optional, whether user-defined questions are allowed, account blocking and unlocking options, email notification settings, etc.

The policy-based approach allows you to apply different levels of security to different users and groups. For example, you can enforce stricter policies for privileged users, such as administrators and Help Desk operators, and less strict policies for other users. A policy can be assigned to all users within an Active Directory domain, users located in an Organizational Unit, members of groups and Business Units, individual users, etc. If necessary, you can exclude specific users, groups, OUs and Business Units from the scope of a policy.

If a user has no assigned policy, Self-Service Password Reset is not available to them. By default, there are no Password Self-Service policies defined in Adaxes, so to allow users to reset forgotten passwords you need to create and assign Password Self-Service policies.

To create a policy for password self-service, perform the following steps:

  1. Launch Adaxes Administration Console.
    Expand Adaxes service \ Configuration \ Password Self-Service and select Policies.

  2. In the Password Self-Service Policies section located to the right, click New.

    Follow the instructions in the Create Policy for Password Self-Service wizard.
  3. On the Activity Scope page of the wizard, click Add to assign the new policy to users.


    In the Activity Scope dialog, select one of the following:

    • All Objects - select to apply the policy to all users in all AD domains managed by Adaxes.

    • Specific Domain - select to apply the policy to all users within an Active Directory domain.

    • OU or Container - select to apply the policy to the users located under an Organizational Unit or container.

    • Group - select to apply the policy to members of a group.

    • Business Unit - select to apply the policy to members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific users, groups, Organizational Units and Business Units from the policy scope. For example, if you've applied the policy to all users in a domain but do not want it to apply to members of a certain group, exclude the group from the scope:

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude option.

    • Click OK.

    When done, click OK and then Finish.

  4. If a user falls within the scope of two or more policies, the policy with the higher precedence is applied to the user. To change the precedence of a policy, select it and use the buttons next to the list to move it up or down.

    To view all users a policy applies to, select the policy and click Show all affected users. To view the policy applied to a particular user, click Lookup policy for user.

Web Interface

By default, the Password Self-Service component is enabled only in the Web Interface for Self-Service. This means that, by default, only the Web Interface for Self-Service can be used to reset forgotten passwords, unlock accounts and enroll for password self-service.

Follow the steps below to enable or disable the Password Self-Service component for a Web Interface and configure the options related to enrolling for Password Self-Service.

  1. Open Adaxes Web Interface Configurator.

    • On a computer where Web Interface Configurator is installed, open the Start menu.
    • On the Start menu, select Adaxes Web Interface Configurator.


    The permissions to configure the Web Interface are delegated via Security Roles. By default, only Service Administrators have the appropriate rights. To enable other users to configure the Web Interface, grant them the corresponding permissions.

    • In Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role.
    • Enter a name for the new Security Role and click Next.
    • On the Permissions page, click the arrow inside the Add button and select Configure Web Interface.
    • Click Next and follow the steps in the wizard.
  2. In the top left corner, select the Web Interface you want to customize.

  3. In the left navigation menu, click Components.

  4. Use the Password Self-Service checkbox to enable or disable the Password Self-Service component.

  5. To periodically prompt users to enroll for password reset, check the Prompt users to enroll for password self-service checkbox and select how often the prompt should appear.

  6. To configure which Password Self-Service options are available in the My Menu drop-down, use the corresponding checkboxes under the My Menu checkbox.


    My Menu is located in the top-right corner of the Web Interface.

  7. To allow users to enroll, re-enroll and cancel enrollment for Password Self-Service right from the Home page of the Web Interface, you can enable the Password Self-Service card. The card is not visible when there are no policies for Password Self-Service assigned to the user.

    For details on how to configure the Home page, see Customize the Home Page.

For information on how to configure Adaxes to automatically enroll users for Password Self-Service, see Autoenroll Users for Self-Password Reset.


Windows Logon Screen

To enable users to reset their passwords right from the Windows Logon and Unlock screens, you need to install Adaxes Self-Service Client on each computer where you want the feature to be available.

To install and configure Adaxes Self-Service Client:

  1. Launch Adaxes Administration Console.
    Expand Adaxes service \ Configuration \ Password Self-Service and select Windows Integration.

  2. In the Client Setup section located to the right, click Self-Service Client to download Adaxes Self-Service Client. To download Installation Guide for Adaxes Self-Service Client, click Installation Guide.

    Follow the Installation Guide to install and configure Adaxes Self-Service Client.

You can integrate the Self Password Reset feature with your own web sites and applications by adding a link to the Reset Password page of the Adaxes Web Interface. Use HTTPS for the link so that the reset flow is not exposed over plain HTTP.

Example:

<a href="https://example.com/Adaxes/SelfService/#/SelfPasswordReset?ReturnUrl=https%3A%2F%2Fwebsite.com">Forgot password?</a>

Use the ReturnUrl parameter to specify the URL to open when the user completes or cancels the password reset. The value must be URL-encoded, as in the example above (https%3A%2F%2Fwebsite.com).
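The following Node.js helper is an added example and is not part of the Adaxes documentation. It builds the link above from a return URL that is supplied at runtime (for example, the page the user came from). The Adaxes Web Interface URL and the list of allowed return hosts are assumptions for illustration. The helper URL-encodes the ReturnUrl value and accepts only absolute https URLs on hosts you control, so that a return URL taken from a request parameter cannot be used to send the user to an arbitrary site after they finish or cancel the reset.

```javascript
// Added example, not code from the Adaxes documentation. Builds a
// "Forgot password?" link to the Adaxes Self-Service Reset Password page
// with a properly encoded ReturnUrl. The base URL and the allowlist of
// return hosts below are assumptions for illustration.
const ADAXES_SELF_SERVICE_URL = "https://example.com/Adaxes/SelfService/"; // assumed
const RETURN_URL_HOSTS = ["website.com", "intranet.example.com"];          // assumed

// Validate a candidate return URL: it must parse as an absolute URL, use
// https and point at a host we own. Returns the normalized URL or throws.
function validateReturnUrl(returnUrl) {
  let parsed;
  try {
    parsed = new URL(returnUrl); // throws on relative or malformed input
  } catch (err) {
    throw new Error(`ReturnUrl must be an absolute URL: ${returnUrl}`);
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`ReturnUrl must use https, got ${parsed.protocol}`);
  }
  // Exact host match: "website.com.evil.net" is a different hostname.
  if (!RETURN_URL_HOSTS.includes(parsed.hostname)) {
    throw new Error(`ReturnUrl host not allowed: ${parsed.hostname}`);
  }
  return parsed.href;
}

// Convenience predicate for callers that only need a yes/no answer.
function isAllowedReturnUrl(returnUrl) {
  try {
    validateReturnUrl(returnUrl);
    return true;
  } catch (err) {
    return false;
  }
}

// Build the Reset Password page URL. The "#/SelfPasswordReset?..." part is a
// URL fragment, so the browser-side Web Interface reads it; encodeURIComponent
// escapes ":" "/" "?" "&" and "#" so the return URL stays a single parameter.
function buildResetPasswordLink(returnUrl) {
  const target = validateReturnUrl(returnUrl);
  return `${ADAXES_SELF_SERVICE_URL}#/SelfPasswordReset?ReturnUrl=${encodeURIComponent(target)}`;
}

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Render the anchor tag for embedding in a login page.
function forgotPasswordAnchor(returnUrl, text = "Forgot password?") {
  return `<a href="${escapeAttr(buildResetPasswordLink(returnUrl))}">${text}</a>`;
}

// Usage: a valid return URL produces the link; rejected inputs show why.
console.log(forgotPasswordAnchor("https://website.com/login"));
for (const bad of ["http://website.com/", "https://evil.example/", "/relative"]) {
  try {
    buildResetPasswordLink(bad);
  } catch (e) {
    console.log("rejected:", e.message);
  }
}
```

Keep the allowlist to hostnames you operate; matching on a substring or prefix would let `https://website.com.evil.net/` through, which is why the check compares the parsed hostname exactly.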


Reset Authenticator App

If a mobile authenticator app (Google Authenticator, Okta Verify, Authy, etc.) is used as a verification method for self-service password reset, and a user loses their mobile device or gets a new one, they need to re-activate the app on the new device. This can be done in one of three ways:

  • Transfer the activation to the new device by means of the app itself.
  • Use the Change device option.
  • Reset the app activation using the Reset multifactor authentication operation.

Change Device

The Change Device option is available via the Multifactor Authentication card, which is enabled by default in the Web Interface for Self-Service. To enable the card in another Web Interface:

  1. Open Adaxes Web Interface Configurator.

  2. In the top left corner, select the Web Interface you want to customize.

  3. In the left navigation menu, click Home Page.

  4. Select the Multifactor Authentication checkbox in the Cards section.

  5. Save the changes.

The card is only visible if the logged-in user has already activated an authenticator app and the app is used for self-service password reset or is required to sign in to a Web Interface.

Reset Multifactor Authentication

The activation of a mobile authenticator app can also be reset with the help of the Reset multifactor authentication operation that is available both in Administration Console and Web Interface.

The operation is available in the Web Interface only if the logged-in user has the permission to execute it and verification via an authenticator app is enabled for password self-service or Web Interface sign-in. If necessary, you can disable the Reset multifactor authentication operation in a Web Interface. For details, see Disable operations on AD objects.

To perform the operation, the user must be granted the Reset Multifactor Authentication permission (Allow) via a Security Role:

  • Launch Adaxes Administration Console.
  • Expand Adaxes service \ Configuration \ Security Roles.
  • Select the Security Role you want to modify.

  • Click Add in the Permissions section located to the right.

  • Select User in the list of object types. In the General permissions list, check the Reset Multifactor Authentication permission in the Allow column.

  • Click OK and then click Save changes.

