Installation

The content below is intended for IT administrators and will guide you through the process of installing Specops Password Reset.

Key Components


[Image: architectural overview of the Specops Password Reset components and the communication between them]

Specops Password Reset consists of the following components and does not require any additional servers or resources in your environment. The architectural overview above shows the communication between the components in a typical installation. Note that the Password Reset Server and Password Reset Web components are typically installed on the same server inside the network.

Server: Manages all operations against Active Directory, such as changing/resetting passwords, and responds to requests from the Specops Password Reset Web application.

Administration Tools: Used to configure the central aspects of the solution and enable the creation of Specops Password Reset settings in Group Policy Objects.

Web: Displays the end user interface of the product and communicates with the Specops Password Reset server to verify user input.

Specops Authentication Client (formerly known as the Specops Password Client): The Specops Authentication Client presents a link to the Specops Password Reset Web application on the Windows logon screen, and presents end user notifications about enrollment requirements.

Requirements


Your organization’s environment must meet the following system requirements:

Component: Server
  • Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
  • Windows Identity Foundation installed

Component: Administration Tools
  • Windows Server 2016/2019/2022
  • Active Directory Users and Computers snap-in
  • Group Policy Management Console (GPMC)
  • .Net Framework 4.7.2 or later

Component: Web
  • Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
  • IIS installed
  • Trusted SSL certificate covering every name the web application will be presented as (internal and external)

Component: Specops Client
  • Windows 10 x64, Windows 11 x64 or Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
  • For password resets with uReset 8 and Specops Password Reset, the Specops CefSharp runtime MSI must also be installed (see Upgrading the Specops Authentication Client below).
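The following PowerShell script is an added example, not part of the Specops documentation, that checks the requirements above on the server you are about to install on before you run the Setup Assistant. The Windows feature names, the NDP registry key and the minimum .NET Framework 4.7.2 release number (461808) are the standard Windows values; the web host name is a placeholder.

```powershell
# Added example (not from the Specops documentation): pre-flight check of the
# requirements table on the local server. Run elevated in Windows PowerShell.
param(
    [ValidateSet('Server', 'AdministrationTools', 'Web')]
    [string[]]$Roles = @('Server', 'Web'),
    [string]$WebHostName = 'reset.example.com'   # name the web app will be presented as (placeholder)
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# Operating system: a server SKU at Windows Server 2016 (build 14393) or later
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2016/2019/2022' (($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393)) $os.Caption

# .NET Framework 4.7.2 or later: Release >= 461808 under the NDP\v4\Full key
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check '.NET Framework 4.7.2 or later' ($ndp.Release -ge 461808) "Release=$($ndp.Release)"

# Windows features each component needs (Windows Server feature names)
$features = @{
    Server              = @('Windows-Identity-Foundation')
    AdministrationTools = @('RSAT-ADDS-Tools', 'GPMC')   # ADUC snap-in, GPMC
    Web                 = @('Web-Server')                # IIS
}
foreach ($role in $Roles) {
    foreach ($f in $features[$role]) {
        $state = (Get-WindowsFeature -Name $f).InstallState
        Add-Check "$role feature $f" ($state -eq 'Installed') "$state"
    }
}

# Web: a certificate in the machine store that has a private key, is not expired,
# covers the public name and chains to a trusted root (Verify() fails for self-signed).
if ($Roles -contains 'Web') {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $WebHostName) -and $_.Verify()
    } | Select-Object -First 1
    Add-Check "Trusted TLS certificate for $WebHostName" ($null -ne $cert) ($(if ($cert) { $cert.Thumbprint } else { 'none found' }))
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { exit 1 }   # non-zero exit for use in automation
```

Run it once per server with the roles that server will host (for example `-Roles Server,Web,AdministrationTools` on an all-in-one box, `-Roles Web -WebHostName reset.contoso.com` on a DMZ web server); a non-zero exit code means at least one requirement is missing.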

Installing Specops Password Reset


During installation, Specops Password Reset will launch the Setup Assistant. The Setup Assistant will help you install the following components for Specops Password Reset:

  • Server
  • Administration Tools
  • Web
  • Specops Client

  1. Download the Setup Assistant.
  2. Save and run the Setup Assistant on your server.
    NOTE
    By default the files are extracted to C:\temp\SpecopsPasswordReset_Setup_[VersionNumber]
  3. Double-click SpecopsPasswordReset.Setup.exe to launch the Setup Assistant.
  4. To begin, click Start Installation in the Specops Setup Assistant dialog box, and accept the End User License Agreement.

Installing the Specops Password Reset Server

The Specops Password Reset Server performs operations against Active Directory and responds to requests from the Specops Password Reset Web application.

  1. From the Setup Assistant, select Server.
  2. Verify that you have fulfilled the prerequisites. If a prerequisite is reported as missing, check that:
    • you are running a supported operating system;
    • Windows Identity Foundation is installed;
    • the account running the Setup Assistant has local administrative permissions.
  3. Click Select user.
  4. Enter the Username and Password of the user account the service will run as, and click OK.
    NOTE
    All operations performed by the Specops Password Reset Server component will be performed in the context of the service account selected here. Use a dedicated service account rather than a shared or administrative one: every password reset in Active Directory is performed with its rights.
  5. Click Select to identify the management level where the Active Directory permissions are created. This is also used to track license usage.
  6. Click Select and click Create Self-signed Certificate. The self-signed certificate will be used to secure calls to the Specops Password Reset service.
    NOTE
    From the Microsoft Management Console, give the self-signed certificate a friendly name so it can be easily identified during an upgrade: Certificates > Personal > right-click the certificate and select Properties > populate the Friendly name field, and click OK.
  7. Click Configure to configure the administrator notifications used to email the administrator about the Specops Password Reset license.
  8. In the Email Settings field, enter the SMTP Server Name.
  9. Enter the SMTP Username and SMTP Password.
    NOTE
    If no credentials are specified, the server will authenticate to the SMTP server as the service account it is running as.
  10. Click OK.
  11. Click Configure to configure the settings for the mobile verification message. This generates the SMS verification code used to authenticate users who request password resets through the helpdesk.
  12. In the From email text field, enter the email address that will be used to send the validation message.
  13. Configure the To email, Subject, and Body settings according to the specifications of your SMS provider.
  14. From the Insert placeholder code drop-down you can select the information that differs for each user.
  15. Click OK.
  16. Click Install.

Installing the Specops Password Reset Web

The Specops Password Reset web component presents the end user interface of the product and communicates with the Specops Password Reset server to verify user input. During installation, you will be given the option to include the Specops Password Reset Web Service (Mobile Access). The Mobile Access component is used to enable the Specops Password Reset mobile device application to connect to the Specops Password Reset Server. The Specops Password Web installation will also install the Specops Password Reset Web Customization tool which can be used to manage language translations and graphical branding of the website.

  1. From the Setup Assistant, select Web.
  2. Verify that you have fulfilled the prerequisites. If a prerequisite is reported as missing, check that:
    • you are running a supported operating system;
    • the account running the Setup Assistant has local administrative permissions;
    • IIS is installed and configured for Specops Password Reset.
  3. Click Select to select the Specops Password Reset Server service you want the web component to connect to.
  4. Enter the name of the server and click OK.
  5. Click Select to identify the website where the Specops Password Reset Web will be installed.
    NOTE
    • If there is more than one website running on your IIS server, you may select which one to use for the Specops Password Reset Web component.
    • If the Web component is installed on a server in the internal network, and you want to direct your internal password clients to the web server you are installing, leave Update the Service Connection Point information during installation checked.
  6. Click OK.
  7. Click Select to select the certificate to use for SSL encryption, and click OK.
  8. Click Install.
    NOTE
    The Specops Password Reset Web Setup Wizard will appear. The Wizard allows you to install the mobile component.
  9. In the Specops Password Reset Web Setup Wizard, click Next.
  10. Read and accept the license agreement, and click Next.
  11. Click the drop-down next to Password Reset Web Service (Mobile Access), and select Will be installed on local hard drive. Only do this on a web server that will be reachable from the internet by mobile devices (see Configure your environment for use with the Mobile Access Web Service below).
  12. Click Next.
  13. Click Install.

Installing the web component in DMZ

If the DMZ computer is in a workgroup, the recommended way of installing is through the Setup Assistant user interface:

  1. Verify that .Net 3.5 SP1 is installed on the DMZ server.
  2. Do not select Update the Service Connection Point information during installation.
    NOTE
    This option will not be visible if the DMZ server is not joined to the domain.
  3. If the certificate is installed on the server, you will be able to select/view it in the Setup Assistant.
    NOTE
    If you are unable to select/view the certificate, continue with the Setup Assistant and then select the SSL certificate in IIS Manager: Default Web Site > Bindings > https > Edit.
  4. The public-facing DNS zone for the DMZ will need a record that gives the site a name that is easy for end users to remember.
  5. Verify that your firewall allows the DMZ web server to reach the internal Specops Password Reset Server on TCP port 4371. Scope the rule to that single port and to the address of the SPR server; the DMZ host needs no other path into the internal network.

If the DMZ computer is a member of a separate Active Directory domain for the DMZ, the recommended way of installing is to install the MSI from the command line.

The following parameters are used in the command line:

  • IISPARENTWEBSITE: Name of the parent web site, e.g. "Default Web Site"
  • REMOTINGSERVER: Name of the SPR server; it must be reachable from the DMZ
  • REMOTINGPORT: Port of the SPR server (4371, as in the firewall rule above)
  • IISTHUMBPRINT: Thumbprint of the TLS certificate to bind to the site

Command Line

MSIEXEC /i SpecopsPasswordResetWeb-x64.msi ALLUSERS=1 IISPARENTWEBSITE="Default Web Site" REMOTINGSERVER=spr.acme.org REMOTINGPORT=4371 SERVERINDMZ=1 IISTHUMBPRINT="<thumbprint>" IISAPPLICATIONNAME=SpecopsPassword IISAPPLICATIONPOOLNAME=SpecopsPassword IISHASSILVERLIGHTPAGES=false IISUSEWCF=false IISENABLESSL=true IISENABLEANONYMOUSAUTHENTICATION=true IISSECUREFOLDERS="Enrollment,Helpdesk"
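The following PowerShell script is an added example, not part of the Specops documentation, that wraps the command line above in an unattended install on the DMZ host. It looks up the certificate thumbprint instead of pasting it by hand, confirms port 4371 to the SPR server is open before installing, and checks the resulting https binding. The server name, certificate subject, MSI path and log path are placeholders.

```powershell
# Added example (not from the Specops documentation): unattended install of the
# Web component on a DMZ host using the documented MSI parameters, with the two
# checks that most often bite in practice done first. Run elevated.
$SprServer   = 'spr.acme.org'                     # REMOTINGSERVER (placeholder)
$SprPort     = 4371                               # REMOTINGPORT
$CertSubject = 'CN=reset.acme.org'                # subject of the public TLS certificate (placeholder)
$MsiPath     = 'C:\temp\SpecopsPasswordResetWeb-x64.msi'
$LogPath     = 'C:\temp\spr-web-install.log'

# 1. Pick the certificate for IISTHUMBPRINT from the machine store. Require a
#    private key and an unexpired certificate, and refuse to guess between several.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -eq $CertSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
})
if ($certs.Count -ne 1) {
    throw "Expected exactly one usable certificate with subject $CertSubject, found $($certs.Count)"
}
$thumbprint = $certs[0].Thumbprint

# 2. Confirm the firewall lets this host reach the internal SPR server on 4371.
#    Without this the site installs fine and every request then fails.
$probe = Test-NetConnection -ComputerName $SprServer -Port $SprPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP ${SprServer}:$SprPort is not reachable from this host; fix the firewall rule first"
}

# 3. Silent install with a verbose log. Values containing spaces or commas are
#    quoted exactly as in the documented command line.
$msiArgs = @(
    '/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$LogPath`"",
    'ALLUSERS=1',
    'IISPARENTWEBSITE="Default Web Site"',
    "REMOTINGSERVER=$SprServer",
    "REMOTINGPORT=$SprPort",
    'SERVERINDMZ=1',
    "IISTHUMBPRINT=$thumbprint",
    'IISAPPLICATIONNAME=SpecopsPassword',
    'IISAPPLICATIONPOOLNAME=SpecopsPassword',
    'IISHASSILVERLIGHTPAGES=false',
    'IISUSEWCF=false',
    'IISENABLESSL=true',
    'IISENABLEANONYMOUSAUTHENTICATION=true',
    'IISSECUREFOLDERS="Enrollment,Helpdesk"'
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {        # 3010 = success, reboot required
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# 4. Verify the https binding carries the certificate we selected; if not, fix it
#    under Default Web Site > Bindings > https > Edit as the NOTE above describes.
Import-Module WebAdministration
$bound = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if (-not $bound -or $bound.Thumbprint -ne $thumbprint) {
    Write-Warning "https binding thumbprint is '$($bound.Thumbprint)', expected '$thumbprint'"
} else {
    "Installed; https binding on port 443 uses certificate $thumbprint"
}
```

The script deliberately stops on an ambiguous certificate match rather than picking one, because binding the wrong (for example an expired or internal-only) certificate to the public site is the most common cause of the "unable to select/view the certificate" situation described above.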

Install the Administration Tools

Installing the Administration Tools will install the Specops Password Reset Configuration tool and the GPMC snap-in. You can use the Configuration tool to manage configurations that apply to your entire domain. You can use the GPMC snap-in to configure Specops Password Reset policies in a Group Policy Object. The GPO can then be applied to your entire domain or a part of your domain.

The Administration Tools should be installed on the computer that you want to administer the product from.

  1. From the Setup Assistant, select Administration Tools.
  2. Click Add menu ext. to register the Specops Display Specifiers in the configuration partition of your Active Directory forest.
  3. Click Install.

Installing the Specops Authentication Client

The Specops Authentication Client is installed with an MSI-based installer. Note that upgrading the Specops Authentication Client will overwrite the installed Client.

If installed, the Specops Authentication Client can be found in “Add/Remove Programs” or “Programs and Features” from within the Windows Control Panel. Versions and releases may vary.

NOTE
Older versions of the Specops Authentication Client can be identified as “Specops uReset Client” or “Specops Password Client.”

The Specops Authentication Client can be used across the following Specops Software products:

  • Specops Password Reset
  • Specops Password Policy
  • Specops uReset

Upgrading the Specops Authentication Client

Organizations that use only Specops Password Policy need to deploy just the Specops Authentication Client MSI; the CefSharp Runtime MSI is not required in that scenario.

Organizations that use Specops uReset or Specops Password Reset need to deploy the CefSharp Runtime MSI in addition to the Specops Authentication Client MSI. The CefSharp Runtime is required by the Secured Browser used for resetting passwords.

Since each Specops Authentication Client version uses a specific version of the CefSharp Runtime, deploy the latest CefSharp Runtime MSI at the same time as, or before, the Specops Authentication Client MSI.

Only one version of the Specops Authentication Client MSI can be installed at a time, whereas multiple versions of the CefSharp Runtime MSI can be installed side by side. This is intended to simplify deployment in a larger organization.

The recommended flow for upgrading the Specops Authentication Client is:

  1. Deploy the latest CefSharp Runtime MSI, if it's not already deployed
  2. Deploy the latest Specops Authentication Client MSI
  3. Undeploy any previous versions of the CefSharp Runtime MSI, if necessary
NOTE
When using the Specops Authentication Client in conjunction with a password reset tool:

The latest CefSharp browser runtime version is required if Specops uReset or Specops Password Reset is used (customers using only Specops Password Policy do not need the CefSharp browser runtime). It is recommended to deploy the CefSharp browser runtime before the Specops Authentication Client itself.

The installation/upgrade behavior for the CefSharp browser runtime has changed: installing a newer CefSharp runtime no longer replaces the older installed runtime; instead, multiple CefSharp browser versions can co-exist. This allows a staged rollout in which the new CefSharp browser is deployed first and, once it has reached every computer, the Specops Authentication Client is upgraded, so the client keeps working on all computers during the upgrade regardless of whether the latest CefSharp runtime has been deployed to them yet.

The Specops Authentication Client needs to be installed on the organization’s client computers, either by installing manually or by deploying using a deployment tool.

Downloading the Specops Authentication Client

Download the MSI from the download page directly. Users installing Specops Password Policy can also access the download page via the Password Policy installer's Download Client Installation Files section.

Deploying the Specops Authentication Client

To deploy the Specops Authentication Client to all users, use GPSI, Specops Deploy/App, or any other deployment tool. Specops Authentication Client supports silent install when deploying using a deployment tool. The client MSI can be deployed silently using standard MSI switches (e.g. /qn). There are no Specops command line parameters for the MSI installation.

Manually Installing or upgrading the Specops Authentication Client

  1. Open the Specops Authentication Client Setup wizard you just downloaded (.msi file)
  2. In the wizard, click Next.
  3. Accept the License Agreement by checking the checkbox, and click Next.
  4. Select the location where the Client should be installed (default path is C:\Program Files\Specopssoft\Specops Authentication Client\), then click Next.
  5. Click Install.
  6. Once the installation has completed, click Finish.

Configuring the Specops Authentication Client

The Specops Authentication Client can be configured using the administrative template in the Group Policy Management Console. For more information on its configuration, please refer to the Specops Authentication Client page.

Post-installation configuration


You will need to complete the following configuration settings once you have installed Specops Password Reset.

Import your license key

Enter your license key in the Password Reset Configuration Tool.

  1. Open the Specops Password Reset Configuration Tool.
  2. In the navigation pane, select License.
  3. Click Import License.
  4. Browse to the location of the TXT file, and click Open.

Verify that your domain is configured for use with Specops Password Reset

  1. Open the Specops Password Reset Configuration Tool.
  2. In the navigation pane, select Domains.
  3. Verify that your domain is listed under Configured Domains.

Enable authentication to the Password Reset Web Server

Add members to the Specops Password Reset local security groups

Install additional web servers you might want to use for external access

Refer to Install the Web Component in DMZ (if applicable)

If using Secret Question Authentication, ensure that users enroll in the systems

For information about the different enrollment options and best practices, see Specops Password Reset Enrollment Options and Best Practices.

Verify that the Specops Client is installed on your client machines

Perform either of the following checks on the client to determine that the Client has been successfully installed.

  1. View installed programs from the Control Panel:
    1. Open Programs and Features.
    2. In the list of installed programs, find Specops Authentication Client. The version of the Client is shown alongside it.
  2. Check the Registry:
    1. Open the registry editor.
    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Client
    NOTE
    The above key will only exist after the Client has been installed.
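The following PowerShell script is an added example, not part of the Specops documentation, that performs both checks above across a list of computers and also reports whether the CefSharp runtime the client depends on is present, since a client deployed without it cannot reset passwords from the logon screen. The computer names are placeholders, and the display-name pattern used to find the CefSharp runtime in Programs and Features ('*CefSharp*') is an assumption about that MSI's product name.

```powershell
# Added example (not from the Specops documentation): fleet check for the Specops
# Authentication Client and the CefSharp runtime, via PowerShell remoting.
$Computers = @('ws01', 'ws02', 'ws03')   # placeholders

$probe = {
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Same data Programs and Features displays
    $apps = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Specops*' }

    # Current and legacy product names for the client (see the NOTE above)
    $client = $apps | Where-Object {
        $_.DisplayName -like 'Specops Authentication Client*' -or
        $_.DisplayName -like 'Specops Password Client*' -or
        $_.DisplayName -like 'Specops uReset Client*'
    } | Select-Object -First 1
    # Assumed display-name pattern for the CefSharp runtime MSI
    $cef = @($apps | Where-Object { $_.DisplayName -like '*CefSharp*' })

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        ClientName       = $client.DisplayName
        ClientVersion    = $client.DisplayVersion
        ClientRegKey     = Test-Path 'HKLM:\SOFTWARE\Specopssoft\uReset\Client'
        CefSharpVersions = ($cef.DisplayVersion -join ', ')
        # Client present but no CefSharp runtime: password reset from the logon
        # screen will not work (only Password Policy-only deployments can skip it)
        MissingCefSharp  = ($null -ne $client -and $cef.Count -eq 0)
    }
}

$report = Invoke-Command -ComputerName $Computers -ScriptBlock $probe -ErrorAction Continue
$report | Select-Object Computer, ClientName, ClientVersion, ClientRegKey, CefSharpVersions, MissingCefSharp |
    Format-Table -AutoSize
```

Computers with MissingCefSharp set to True are the ones where the recommended upgrade order above was not followed; deploy the CefSharp Runtime MSI to them before troubleshooting the client itself.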

Verify security settings for administrative accounts

Windows contains many built-in security features designed to enhance the security around administrative accounts. One of these features is the adminSDHolder functionality, which automatically reconfigures the ACL on objects which are members of built-in privileged Active Directory groups. This process runs every 60 minutes on the PDC Emulator and will remove the inherited permissions of your Specops Password Reset service account from the protected user objects. If you want your administrative accounts to be able to use Specops Password Reset, you must manually add permissions for the service account to the AdminSDHolder container.

  1. Log in with an account that has Domain Admin permissions and run the following command, replacing <domainDN> with the distinguished name of your domain and <serviceAccount> with the name of the SPR service account:

    dsacls "CN=AdminSDHolder,CN=System,<domainDN>" /G "<serviceAccount>:CCDC;classStore;" "<serviceAccount>:LC;;" "<serviceAccount>:CA;Reset Password;" "<serviceAccount>:RP;userAccountControl;" "<serviceAccount>:RPWP;mobile;" "<serviceAccount>:RPWP;pwdLastSet;" "<serviceAccount>:RPWP;lockoutTime;"

    Example:

    dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G "EXAMPLE\sprsvc:CCDC;classStore;" "EXAMPLE\sprsvc:LC;;" "EXAMPLE\sprsvc:CA;Reset Password;" "EXAMPLE\sprsvc:RP;userAccountControl;" "EXAMPLE\sprsvc:RPWP;mobile;" "EXAMPLE\sprsvc:RPWP;pwdLastSet;" "EXAMPLE\sprsvc:RPWP;lockoutTime;"

  2. The new permissions are copied to the protected accounts the next time the AdminSDHolder process runs (within 60 minutes); until then the service account cannot reset those accounts.
NOTE
Allowing Specops Password Reset to work with accounts that have administrative permissions is not best practice for security reasons: with these permissions the SPR service account can reset the password of every protected account, including Domain Admins, so a compromise of the service account or of the server it runs on becomes a path to full control of the domain. Enable these settings only if required by the practical reality of your organization.

Configure access to Active Directory Fine-Grained Password Policies

If Specops Password Reset is installed in a domain where fine-grained password policies are used, the Specops Password Reset Service Account must be granted permissions to read the configured password policies.

  1. Log in with an account that has Domain Admin permissions and run the following command, replacing <domainDN> with the distinguished name of your domain and <serviceAccount> with the name of the SPR service account:

    dsacls "CN=Password Settings Container,CN=System,<domainDN>" /I:T /G "<serviceAccount>:GR;;"

    Example:

    dsacls "CN=Password Settings Container,CN=System,DC=example,DC=com" /I:T /G "EXAMPLE\sprsvc:GR;;"
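The following PowerShell script is an added example, not part of the Specops documentation, that reads back the ACLs created by the two dsacls commands above (AdminSDHolder and the Password Settings Container) and confirms the service account holds the "Reset Password" control access right on the former and GenericRead on the latter. It doubles as the audit check for the NOTE above: whatever is granted on AdminSDHolder is what the account can do to every protected account. The service account name is a placeholder; the script requires the ActiveDirectory module (RSAT) for the AD: drive.

```powershell
# Added example (not from the Specops documentation): verify the ACEs granted to
# the SPR service account on AdminSDHolder and the Password Settings Container.
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\sprsvc'    # <serviceAccount> (placeholder)
$domainDN = (Get-ADDomain).DistinguishedName

# Compare by SID so it does not matter whether an ACE's identity resolves to a name.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Control access right GUID for "Reset Password" (User-Force-Change-Password)
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ServiceAccountAce {
    param([string]$Dn)
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $id = $_.IdentityReference
        if ($id -is [System.Security.Principal.NTAccount]) {
            try { $id = $id.Translate([System.Security.Principal.SecurityIdentifier]) } catch { return $false }
        }
        $id -eq $sid
    } | Select-Object @{n = 'Object'; e = { $Dn }}, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainDN"
$psc           = "CN=Password Settings Container,CN=System,$domainDN"

$aces = @(Get-ServiceAccountAce $adminSdHolder) + @(Get-ServiceAccountAce $psc)
$aces | Format-Table -AutoSize

# Check 1: Allow ExtendedRight whose ObjectType is the Reset Password GUID ("CA;Reset Password")
$canReset = $aces | Where-Object {
    $_.Object -eq $adminSdHolder -and $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $ResetPasswordRight -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
# Check 2: Allow GenericRead on the PSC ("GR;;"); AD stores it as the specific read rights
$gr = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$canReadPsc = $aces | Where-Object {
    $_.Object -eq $psc -and $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $gr) -eq $gr)
}
"Reset Password on AdminSDHolder         : $([bool]$canReset)"
"GenericRead on Password Settings Cont.  : $([bool]$canReadPsc)"
```

If the first check is True on a domain where administrative accounts were never meant to use Specops Password Reset, remove the grant with `dsacls "CN=AdminSDHolder,CN=System,<domainDN>" /R <serviceAccount>` and let the AdminSDHolder process propagate the change.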

Configure your environment for use with the Mobile Access Web Service

If you installed the Mobile Access Web Service as part of the Specops Password Reset Web installation, you will need to complete the below steps before the service is ready for use within your organization.

Make the Mobile Access Web Service reachable from the internet: your firewall must allow inbound TCP port 443 to the web server so that mobile devices can connect to the service over HTTPS.

Enable service discovery: for the device to find the Mobile Access service, the application asks the user to enter their email address. The domain part of the email address is used for a DNS query for the Mobile Access Web Service's service record in that zone. Each DNS zone used for email therefore needs a service record pointing to the Password Reset Mobile Access Service. Because this lookup is plain DNS, the trusted certificate required for the web component is what protects the device from being directed to an impostor host.

Create the Specops Password SRV record: The service record should be created in your mail enabled external DNS zone by you or your ISP depending on who manages the zone data.

The following settings should be used when creating the service record:

  • Service: _specopspassword. The name of the service.
  • Protocol: _tcp. The "_specopspassword" service is accessed over TCP.
  • Zone name: [zone]. The name of your internet zone. The full name of the service record for the "example.com" domain would be _specopspassword._tcp.example.com.
  • TTL: [TTL]. The time (in seconds) the record may be cached before it is considered obsolete. Every zone has a default TTL value, but it is also possible to set a separate TTL for each record.
  • Class: IN. The standard DNS class field; this is always "IN".
  • Priority: 0. If more than one target host exists for the service record, the priority determines the preference between targets. Lower values mean higher preference.
  • Weight: 0. Relative weight between targets that share the same priority; with a single target it is 0.
  • Port: 443. The "_specopspassword" service is accessed over SSL on TCP port 443. If this configuration is changed on the web server, the port in the SRV record needs to reflect it as well.
  • Target: [target FQDN]. The FQDN of the host running the Specops Password Reset Web Service. For a host called "spr" in the example.com domain, the target would be spr.example.com.

The complete record to connect clients to the host "spr.example.com" would look like this in zone-file form:
_specopspassword._tcp.example.com. 86400 IN SRV 0 0 443 spr.example.com.

Test the service record: The service record can be tested by running the following command:

nslookup -type=SRV _specopspassword._tcp.[your_domain_name] 8.8.8.8

Expected response:
nslookup -type=SRV _specopspassword._tcp.example.com 8.8.8.8

Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
_specopspassword._tcp.example.com SRV service location:
priority = 0
weight = 0
port = 443
svr hostname = spr.example.com
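The following PowerShell script is an added example, not part of the Specops documentation, that goes one step beyond the nslookup above: it resolves the SRV record the mobile app would use against a public resolver, then opens a TLS connection to the returned target and checks the certificate the way a phone will (trusted chain, not expired, covering the target name). The domain is a placeholder.

```powershell
# Added example (not from the Specops documentation): SRV lookup plus TLS check
# of the Mobile Access endpoint from the internet's point of view.
$Domain   = 'example.com'   # placeholder
$Resolver = '8.8.8.8'       # public resolver, so you see what external devices see

$srv = Resolve-DnsName -Name "_specopspassword._tcp.$Domain" -Type SRV -Server $Resolver -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority | Select-Object -First 1
if (-not $srv) { throw "No SRV record for _specopspassword._tcp.$Domain at $Resolver" }
"SRV -> $($srv.NameTarget):$($srv.Port) (priority $($srv.Priority), weight $($srv.Weight))"

function Test-SprTls {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # No custom validation callback: the default chain check runs, so a
        # self-signed or untrusted certificate throws here, as it would on a device.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host      = $HostName
            Protocol  = $ssl.SslProtocol
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            DaysLeft  = [int]($cert.NotAfter - (Get-Date)).TotalDays
            # DnsNameList is a PowerShell-added property exposing the SAN entries
            NameMatch = [bool]($cert.DnsNameList.Unicode -contains $HostName)
        }
    } finally {
        $tcp.Close()
    }
}

$result = Test-SprTls -HostName $srv.NameTarget -Port $srv.Port
$result
if (-not $result.NameMatch) { Write-Warning "Certificate on $($srv.NameTarget) does not cover that name" }
if ($result.DaysLeft -lt 30) { Write-Warning "Certificate expires in $($result.DaysLeft) days" }
```

Run it from a host outside your network (or with a public resolver, as here) so that a firewall rule or an internal-only DNS zone cannot mask a problem; a handshake exception means the certificate chain is not trusted, which is exactly the failure end users would see on their phones.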

If you are using a proxy internally, you will need to add an exception that bypasses proxy authentication for the Specops Password Reset web page, so that the secured browser launched from the Windows logon screen (where no user is signed in yet) can reach it.