- 30 Mar 2023
- 5 Minutes to read
- Contributors
- DarkLight
- PDF
Using AD-PWR
- Updated on 30 Mar 2023
- 5 Minutes to read
- Contributors
- DarkLight
- PDF
Using AD-PWR
If you are using HealthCast's Enterprise SSO product, ExactAccess (XA), you can configure XA to allow a user to launch AD-PWR to reset their password.
AD-PWR has two basic workflows: The Enroll workflow and the Reset workflow. Each of these is explained below.
Enroll in AD-PWR
A user must first enroll in AD-PWR before they can attempt to reset their password with AD-PWR. The enrollment process is simple. However, the user must know their Active Directory user name and password in order to enroll. A user may enroll in AD-PWR as many times as they like. Each time they enroll the previous enrollment is over-written with the new enrollment. So for example, if a user enrolls, but then later decides that they want to change their security questions and answers, they would then just re-enroll and the old questions and answers would be replaced by the new questions and answers. Following are the enrollment steps from a user perspective.
The user would launch AD-PWR using their web browser. To help a user find the AD-PWR enrollment website, the organization could send a link to the AD-PWR enrollment page to the user via email and then the user would simply click on this link to begin the enrollment process.
AD-PWR will first prompt the user for their Active Directory user name and password. The user enters them in the fields provided and then clicks the Continue button. (Note: The user name must be in the "username" form, not the UPN ("username@domain.com") or SAM account name ("domain\username").
At this point, AD-PWR will perform these checks:
Is the domain user account valid (i.e., does it actually exist on the domain)? If the account is valid, the next check is performed, otherwise the user is asked to try again.
Is the domain user account disabled or expired? Are the logon hours valid for the domain account? Is the account set so that the user cannot change the password? Does the account require that the password be changed on next logon? Is the domain account locked? If the answer to any of these questions is yes, then AD-PWR will inform the user that they can't enroll in AD-PWR.
Next, AD-PWR will check to see if the supplied password is valid. If it is not, the user is asked to try again. If the user supplies an invalid password a number of times such that their domain user account is locked, then they will be told that they can't use AD-PWR to enroll (per the previous step). However, once their account is unlocked they will be able to enroll with AD-PWR assuming they know their password.
Assuming the user has passed all the previous checks, the user is presented with a list of ten security questions. The user is asked to select three of the questions and click the Continue button.
Next, the user is asked to answer their chosen security questions. The user must answer all three questions. The requirements for the answers to the questions are listed for the user. These requirements are:
- The answer must be longer than three (3) characters.
- The answer must not contain all the same character.
- The answer must not be the same as the question.
- Each answer must unique (i.e., they cannot repeat an answer that they used for another question).
After providing their answers the user then clicks the Continue button.
- That completes the enrollment process. The user is shown a message that they have successfully enrolled in AD-PWR and that they can use AD-PWR to reset their password if they forget their password.
Reset Password using AD-PWR
A user must first enroll in AD-PWR before they can attempt to reset their password with AD-PWR.
To begin the reset process, the user must first enter their Active Directory user name, then click the Continue button. (Note: The user name must be in the "username" form, not the UPN ("username@domain.com") or SAM account name ("domain\username")
At this point, AD-PWR will perform these checks:
Is the domain user account valid (i.e., does it actually exist on the domain)? If the account is valid, the next check is performed, otherwise the user is asked to try again.
Is the domain user account disabled or expired? Are the logon hours valid for the domain account? Is the account set so that the user cannot change the password? Does the account require that the password be changed on next logon? If the answer to any of these questions is yes, then AD-PWR will inform the user that they can't reset their password. However, if the domain account is locked, AD-PWR will allow the user to reset their password.
Next, AD-PWR will check to see if the user is enrolled. If they are not enrolled in AD-PWR then they will be shown a message that they can't reset their password using AD-PWR.
Finally, AD-PWR will check to see if the user is allowed to reset their password. This check involves looking to see if user had unsuccessfully attempted to answer their security questions within the last 24 hours. In other words, if a user is trying to reset their password and they unsuccessfully answer their security questions, AD-PWR will not allow the user to use AD-PWR to reset their password for 24 hours.
Assuming the user has passed all the previous checks, the user is then presented with one of their security questions. (Note: AD-PWR randomizes the order in which the user's questions are presented.)
If the user answers the question correctly, they are taken to the password reset screen (see next step). If they do not answer the question correctly then they are presented with their next security question. If they answer that question correctly, they are taken to the next step. If they do not answer it correctly they are presented with their final question. Again, if they answer that question correctly they are taken to the next step. However, if they fail to answer the final question correctly then they are shown a message and they be unable to use AD-PWR to reset their password. AD-PWR will ensure that the user cannot use AD-PWR to reset their password for 24 hours, and their domain user account will be locked.
Assuming the user correctly answered one of their security questions, the user then is taken to a screen where they can enter a new and confirm new password. These must match and meet domain password requirements. (Note: In this release AD-PWR does not present the domain password requirements to the user).
If the user has selected a valid new password, then the password is changed for the domain user account to the password that the user selected, and if the domain account is locked it will be unlocked.
AD-PWR must be configured to require SSL connections. If you do not do this user names and passwords will be sent across the network in clear text. HealthCast will not support an AD-PWR deployment without using SSL.