Delegated Helpdesk Configuration
By default the Helpdesk web application uses the trusted subsystem model, but it can also be configured to apply a delegated security model. Both security models are described below.
Trusted subsystem model
When accessing the Helpdesk, all operations are normally performed in the security context of the configured Specops Password Reset (SPR) service account (the trusted subsystem model). Access to the Helpdesk is granted through membership of the local group “Specops Password Helpdesk Admins” on the SPR Server. The Helpdesk user's own Active Directory permissions are not consulted in this model: anyone allowed to access the Helpdesk can reset the password of any user within the configured management level, using the rights of the service account.
Delegated security model
When the Helpdesk is configured to use the delegated security model, all password reset operations are performed in the security context of the user accessing the web page, so Active Directory enforces that user's own permissions on the target account. This is particularly useful in environments where the ability to reset passwords has already been delegated to dedicated Helpdesk personnel.
Note!
This feature was introduced in version 3.2. To take advantage of this new feature, both Specops Password Reset Web and Specops Password Reset Server must be upgraded to version 3.2.
Follow the steps below to successfully configure the Helpdesk to use the delegated security model.
Step 1: Add Helpdesk personnel to the Specops Password Helpdesk Admins group
For Helpdesk personnel to be able to access the Helpdesk web page they must be members of the local group “Specops Password Helpdesk Admins” on the SPR Server.
- Open Computer Management. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.
- In the console tree, click Groups (Computer Management/System Tools/Local Users and Groups/Groups)
- Right-click the Specops Password Helpdesk Admins group and click Properties.
- To add a member to a group, click Add. In Enter the object names to select, type the name of the user or group that you want to add to the group, and then click OK.
Step 2: Configure the SPR Web server computer account to be trusted for delegation
The SPR Web server computer account must be configured as trusted for delegation in Active Directory so that the impersonated user's security context can flow from the SPR Web server to the SPR Server.
To configure a computer account so that it is trusted for delegation, follow these steps:
- Open Active Directory Users and Computers. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
- Find the computer account that you want to configure, and then click Properties.
- Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.
Note! The SPR Web server must be restarted for the change to take effect.
Note! This setting is unconstrained delegation: the SPR Web server can then use the Kerberos credentials of any user who connects to it against any service in the domain. Treat the web server as a privileged host and do not share it with other applications. Constrained delegation (Trust this computer for delegation to specified services only, listing the SPR service account's SPNs from Step 3) limits this to the SPR Server; the procedure documented here uses the unconstrained setting, so confirm with Specops that your version supports the constrained one before deviating from it.
Step 3: Set up an SPN for the SPR service account
To make it possible for the SPR service account to access network resources (such as Active Directory) using the original caller's security context, the SPR service account must be registered with an SPN (Service Principal Name).
To do this, type the following commands:
SETSPN.EXE -A TCP/SPR_server_FQDN SPR_service_account
SETSPN.EXE -A TCP/SPR_server_NetBIOS_name SPR_service_account
For example, type the following, and then press ENTER:
SETSPN.EXE -A TCP/server01.acme.local ACME\sprsvcacc
SETSPN.EXE -A TCP/server01 ACME\sprsvcacc
Setspn.exe is included with Windows Server 2008 and later. On Windows Server 2003 you need the Setspn.exe tool from the Windows Server 2003 Service Pack 1 (SP1) 32-bit Support Tools. To obtain the Windows Support Tools, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
On Windows Server 2008 and later you can use SETSPN.EXE -S instead of -A; it refuses to add an SPN that is already registered on another account, which matters because a duplicate SPN breaks Kerberos authentication for both accounts.
Note! To perform the Active Directory tasks described in Steps 2 to 4 (and in Step 8), you must be a member of Domain Admins or Enterprise Admins, or you must have been delegated the appropriate authority.
Step 4: Configure the SPR service account to be trusted for delegation
To enable the SPR Server service to reset passwords using the impersonated user's security context, the SPR service account must be configured as trusted for delegation in Active Directory. As in Step 2, this is unconstrained delegation, so protect the service account as you would any account that can act on behalf of other users.
To configure a user account so that it is trusted for delegation, follow these steps:
- Open Active Directory Users and Computers. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
- Find the user account that you want to configure, and then click Properties.
- Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.
Note! Verify that the account option “Account is sensitive and cannot be delegated” is not checked for the service account.
Step 5: Configure the SPR Server component to use delegated security
To activate the delegated security model for the SPR Server component, use Registry Editor to create or modify the following value under the key HKLM\SOFTWARE\Specopssoft\Specops Password Reset\Server.

Value | Type | Value data
UseDelegatedHelpdeskSecurity | REG_DWORD | Set to 1 to enable delegated security for the Helpdesk (default is 0)

Note! The Specops Password Reset Server service must be restarted for the change to take effect.
Step 6: Configure the SPR Web component to use delegated security
To activate the delegated security model for the SPR Web component, use Registry Editor to create or modify the following value under the key HKLM\SOFTWARE\Specopssoft\Specops Password Reset\Web.

Value | Type | Value data
ServicePrincipalName | REG_SZ | The UPN of the SPR service account

Note! Internet Information Services (IIS) must be restarted for the change to take effect. There are two ways to restart IIS: IIS Manager or the IISReset command-line utility.
Step 7: Allow Users to write events to the Application log on the SPR Server
Because the SPR Server service writes entries to the Application log while impersonating the caller, the local Users group must be granted write permission to the Application event log.
Use Registry Editor to create the following value under the key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application:

Value | Type | Value data
CustomSD | REG_SZ | O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;BU)

Note! CustomSD replaces the log's entire security descriptor, so if the value already exists on the SPR Server, merge the entry for Users into it instead of overwriting it. In the event log access mask, 0x1 is read, 0x2 is write and 0x4 is clear; the final ACE, (A;;0x2;;;BU), is what gives Users write access, while the deny entries for Anonymous (AN) and Guests (BG) keep those principals out.
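The descriptor above is easy to mistype, so here is a PowerShell snippet, added to this page and not part of the Specops documentation, that decodes an event log SDDL string into who may read, write or clear the log and checks that BUILTIN\Users (SID S-1-5-32-545) is allowed exactly write access while Anonymous stays denied. It uses only .NET classes present on any supported Windows host; the registry comparison at the end is meant to be run on the SPR Server after Step 7.

```powershell
# Added example (not part of the Specops documentation): decode an event log
# security descriptor and check what the Step 7 value actually grants.
# Event log access mask bits (per Microsoft's event log SDDL documentation):
# 0x1 = read, 0x2 = write, 0x4 = clear.
function Get-EventLogAclSummary {
    param([Parameter(Mandatory)][string]$Sddl)
    $bits = @(@{ Bit = 1; Name = 'Read' }, @{ Bit = 2; Name = 'Write' }, @{ Bit = 4; Name = 'Clear' })
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        # Translation yields localized names; the SID is kept for reliable comparisons.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $granted = foreach ($b in $bits) { if ($ace.AccessMask -band $b.Bit) { $b.Name } }
        [pscustomobject]@{
            Type      = $ace.AceType.ToString()   # AccessAllowed or AccessDenied
            Principal = $name
            Sid       = $sid.Value
            Mask      = '0x{0:x}' -f $ace.AccessMask
            Rights    = $granted -join ','
        }
    }
}

# The value from the Step 7 table.
$stepSevenSddl = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)' +
                 '(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;BU)'
$summary = Get-EventLogAclSummary -Sddl $stepSevenSddl
$summary | Format-Table Type, Principal, Mask, Rights -AutoSize

# Check: BUILTIN\Users (S-1-5-32-545) must be allowed exactly Write, and Anonymous
# (S-1-5-7) must still be denied; anything else means the descriptor was mistyped.
$users = $summary | Where-Object { $_.Sid -eq 'S-1-5-32-545' -and $_.Type -eq 'AccessAllowed' }
$anon  = $summary | Where-Object { $_.Sid -eq 'S-1-5-7' -and $_.Type -eq 'AccessDenied' }
if (-not $users -or $users.Rights -ne 'Write') { throw "Unexpected rights for Users: '$($users.Rights)'" }
if (-not $anon) { throw 'Anonymous logon is no longer denied' }

# On the SPR Server, after Step 7: compare the live CustomSD with the expected value.
$live = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application' `
         -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $live) {
    Write-Warning 'CustomSD is not set on this host'
} elseif ($live -ne $stepSevenSddl) {
    Write-Warning 'CustomSD on this host differs from the Step 7 value:'
    Get-EventLogAclSummary -Sddl $live | Format-Table Type, Principal, Mask, Rights -AutoSize
}
```

The checks compare by SID rather than by translated name so they behave the same on non-English systems, and the 0xf0007 masks on the SYSTEM, Anonymous and Guests entries show up as Read,Write,Clear because they include all three low bits in addition to the standard rights.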
Step 8 (optional): Grant Helpdesk personnel read permissions to fine-grained password policies
If fine-grained password policies (FGPP) are used in the domain, you must grant Helpdesk personnel read permission to the Password Settings objects, which by default only Domain Admins can read.
Use the DSACLS.EXE command line utility to grant the permission. Run the following command on a domain controller (or another host with the AD DS administration tools installed):
DSACLS "CN=Password Settings Container,CN=System,<Domain DN>" /I:S /G <group>:RP;;msDS-PasswordSettings
For example, type the following, and then press ENTER:
DSACLS "CN=Password Settings Container,CN=System,DC=acme,DC=local" /I:S /G "ACME\Domain NA Helpdesk":RP;;msDS-PasswordSettings
This command grants the group ACME\Domain NA Helpdesk read property (RP) access to every msDS-PasswordSettings object below the Password Settings Container; /I:S applies the entry to child objects only, so it also covers policies created later.
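The eight steps above, expressed as one PowerShell script. This is an added example, not Specops's own tooling: it uses the ActiveDirectory module (RSAT), PowerShell remoting to both SPR machines, and the Get-LocalGroupMember and Add-LocalGroupMember cmdlets from Windows PowerShell 5.1. server01.acme.local, sprsvcacc and the group Domain NA Helpdesk come from the examples in the steps; the web server name web01 and the Windows service name 'Specops Password Reset Server' are assumptions to replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not part of the Specops documentation): Steps 1 to 8 as one script.
# Run from an administrative host with RSAT and PowerShell remoting to both SPR
# machines, as a Domain Admin or an account with equivalent delegated authority.
param(
    [string]$SprServer         = 'server01',            # SPR Server NetBIOS name (from the docs)
    [string]$DomainDns         = 'acme.local',
    [string]$SprWebServer      = 'web01',               # SPR Web server (assumed name)
    [string]$SprServiceAccount = 'sprsvcacc',           # sAMAccountName of the SPR service account
    [string]$HelpdeskGroup     = 'Domain NA Helpdesk',  # AD group holding Helpdesk personnel
    [string]$SprServiceName    = 'Specops Password Reset Server'   # Windows service name (assumed)
)
$ErrorActionPreference = 'Stop'
$domain  = Get-ADDomain
$sprFqdn = "$SprServer.$DomainDns"
$svc     = Get-ADUser -Identity $SprServiceAccount -Properties UserPrincipalName, ServicePrincipalNames
$spns    = @("TCP/$sprFqdn", "TCP/$SprServer")

# Steps 1, 5 and 7 are local settings on the SPR Server.
Invoke-Command -ComputerName $sprFqdn -ArgumentList "$($domain.NetBIOSName)\$HelpdeskGroup", $SprServiceName -ScriptBlock {
    param($GroupToAdd, $ServiceName)
    # Step 1: membership of this local group is what admits a user to the Helpdesk page.
    $localGroup = 'Specops Password Helpdesk Admins'
    if ((Get-LocalGroupMember -Group $localGroup).Name -notcontains $GroupToAdd) {
        Add-LocalGroupMember -Group $localGroup -Member $GroupToAdd
    }
    # Step 5: 1 = delegated model, 0 (default) = trusted subsystem model.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Specopssoft\Specops Password Reset\Server' `
        -Name UseDelegatedHelpdeskSecurity -Value 1 -Type DWord
    # Step 7: the impersonated caller must be able to write to the Application log.
    # CustomSD replaces the log's whole DACL; the last ACE grants BUILTIN\Users write (0x2).
    $sddl = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)' +
            '(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;BU)'
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application' `
        -Name CustomSD -Value $sddl -Type String
    Restart-Service -Name $ServiceName    # the Server service must be restarted (Step 5 note)
}

# Step 2: the SPR Web server's computer account is trusted for (unconstrained) delegation,
# which is the setting the steps above describe. The web server must be restarted afterwards.
Set-ADComputer -Identity $SprWebServer -TrustedForDelegation $true

# Step 3: register the SPNs on the service account. A duplicate SPN breaks Kerberos for
# both accounts, so stop if either SPN is already registered elsewhere in the domain.
foreach ($spn in $spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -SearchBase $domain.DistinguishedName
    if ($owner -and $owner.DistinguishedName -ne $svc.DistinguishedName) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName)"
    }
}
$missing = @($spns | Where-Object { $svc.ServicePrincipalNames -notcontains $_ })
if ($missing.Count -gt 0) { Set-ADUser -Identity $svc -ServicePrincipalNames @{ Add = $missing } }

# Step 4: the service account is trusted for delegation and must not carry the
# "Account is sensitive and cannot be delegated" flag.
Set-ADUser -Identity $svc -TrustedForDelegation $true -AccountNotDelegated $false

# Step 6 is a local setting on the SPR Web server: the service account's UPN, then an IIS reset.
Invoke-Command -ComputerName "$SprWebServer.$DomainDns" -ArgumentList $svc.UserPrincipalName -ScriptBlock {
    param($Upn)
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Specopssoft\Specops Password Reset\Web' `
        -Name ServicePrincipalName -Value $Upn -Type String
    & iisreset.exe | Out-Null
}

# Step 8 (optional): read access to fine-grained password policies for Helpdesk personnel.
# ${} keeps PowerShell from parsing "$HelpdeskGroup:RP" as a drive-qualified variable.
& dsacls.exe "CN=Password Settings Container,CN=System,$($domain.DistinguishedName)" /I:S `
    /G "$($domain.NetBIOSName)\${HelpdeskGroup}:RP;;msDS-PasswordSettings" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Verify the directory side; the registry values can be read back with Get-ItemProperty on each host.
Get-ADUser -Identity $svc -Properties TrustedForDelegation, AccountNotDelegated, ServicePrincipalNames |
    Select-Object SamAccountName, TrustedForDelegation, AccountNotDelegated, ServicePrincipalNames
Get-ADComputer -Identity $SprWebServer -Properties TrustedForDelegation |
    Select-Object Name, TrustedForDelegation
Write-Warning "Restart $SprWebServer so that the delegation setting on its computer account takes effect."
```

The duplicate-SPN check before Step 3 is the one thing the GUI procedure does not do for you: setspn -A registers blindly, and two accounts holding TCP/server01 would leave the Helpdesk failing Kerberos authentication in a way that is hard to trace back to this change.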
Page last modified on May 21, 2009, at 03:22 PM