Technical Overview
Components
Specops Password Reset consists of several components; each is described briefly below. The image below gives a technical overview of how the components interact, including the security contexts and protocols involved.

Web server
The web server component consists of the web applications that make up the primary end user interface for the Specops Password Reset product. The web server component contains the following web applications:
- Enrollment, registration for the password reset feature
- Password Reset, self-service password reset and account unlock
- Change Password, password change with detailed instant feedback
- Helpdesk, provides administrators with information during troubleshooting
The web server communicates with the Specops Password Reset Service to perform its tasks. The web server does not have to be installed on the same computer as the Specops Password Reset Service.
The web server requires Internet Information Services (IIS) version 6 or later.
Service
The service component is the backend application that serves requests from the web server. The service communicates with Active Directory in order to:
- read and write password reset information for users
- read Group Policy Objects containing password reset settings
All operations against Active Directory are performed in the context of the service account that was chosen during setup.
GPMC Snap-in
The GPMC (Group Policy Management Console) snap-in is added to the Group Policy Object Editor. This is where administrators configure password reset settings for a certain Group Policy Object.
This snap-in will appear in any Group Policy you open. Note that the snap-in is in the user part of the Group Policy: the password policies are configured for the users affected by the Group Policy, not for the computers.
Client
The client is a small application with two purposes: informing end users that they need to enroll for Password Reset, and displaying a link on the logon screen that lets the user reach the Reset Password web page. The Specops Password Reset client also places an icon in the notification area of the taskbar, which is displayed only when needed. The icon is displayed in the following situations:
- If a Group Policy has been configured for the user to use the Password Reset service, the client informs the user that they need to enroll. Clicking the balloon opens the web page where the user can enroll.
- If the administrator has made changes to the Specops Password Reset policy that require the users to re-enroll, the balloon will also appear.
- If the user's password is about to expire, the balloon will appear; the user can click the balloon to access the improved Change Password web page.
Active Directory Users and Computers extension
SPR adds an extension to the ADUC console. If you right-click a user object, a new menu item called Specops Password Reset… will appear. Selecting that menu item takes you directly to the Helpdesk web page, where detailed information about the user is shown.
Security
Secret answers
Users' secret answers are stored in Active Directory using one-way encryption (SHA-256), and they are also protected against reading by an ACL (access control list). The ACL grants read permission to the affected user and full control to SYSTEM, Domain Admins and the Specops Password Reset service account.
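As an added illustration of the one-way storage described above (example code, not Specops' own implementation): each secret answer is normalized, salted and hashed with SHA-256 before being stored, and verification recomputes the digest and compares it in constant time without ever needing the plaintext. The per-answer random salt, the normalization rules and the in-memory store are assumptions; the page only states that SHA-256 one-way hashing is used.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed in-memory store standing in for the AD attribute:
# user -> list of (salt, digest), one pair per secret answer. No plaintext is kept.
answer_store: dict[str, list[tuple[bytes, bytes]]] = {}


def normalize(answer: str) -> str:
    """Canonicalise case and whitespace so harmless typing variations still verify.
    (Assumption: the product's actual normalization rules are not on the page.)"""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """One-way SHA-256 over a per-answer salt and the normalized answer.
    The salt is an addition beyond what the page states for the product."""
    return hashlib.sha256(salt + normalize(answer).encode("utf-8")).digest()


def enroll(user: str, answers: list[str]) -> None:
    """Replace any previous enrollment with fresh salted digests."""
    records = []
    for answer in answers:
        salt = os.urandom(16)  # fresh random salt per answer
        records.append((salt, hash_answer(answer, salt)))
    answer_store[user] = records


def verify(user: str, answers: list[str]) -> bool:
    """All answers must match. Every digest is checked even after a mismatch so the
    response time does not reveal which answer was wrong."""
    stored = answer_store.get(user)
    if not stored or len(stored) != len(answers):
        return False
    ok = True
    for (salt, digest), given in zip(stored, answers):
        ok &= hmac.compare_digest(digest, hash_answer(given, salt))
    return ok


if __name__ == "__main__":
    enroll("alice", ["Fluffy", "Paris"])  # constructed sample enrollment
    print(verify("alice", ["fluffy ", "PARIS"]))   # True: normalization applied
    print(verify("alice", ["Fluffy", "London"]))   # False: second answer wrong
```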
Network traffic
SSL (Secure Sockets Layer)
All communication between the client and the web server is protected using SSL encryption.
Remoting
All communication between the web server and the service is protected using encrypted .NET remoting.
LDAP
All communication between the service and Active Directory is protected by Kerberos encrypted LDAP traffic.
Scripting support
SPR is fully scriptable. All administrative tasks done through the user interface can be accomplished through .NET programming or PowerShell scripting.
Page last modified on April 28, 2009, at 05:02 PM