
Login prompt access to password reset

Password reset for on-site, locked-out users:

Hitachi ID Password Manager can be configured with a Secure Kiosk Account (SKA), implemented as a special user, a user group and a group policy object (GPO) in Active Directory (AD). (Configuration under NT domains and NDS environments is similar, but uses the native workstation policy mechanisms.)

Users who have forgotten their password can log into AD from their own workstation with the SKA account, typically called "help" and protected by an easy-to-remember or blank password.

The GPO attached to this account replaces the default Windows shell with a special binary, loaded from a UNC path on the Password Manager server. That binary launches a kiosk-mode web browser on the user's workstation, pointed at a URL where the user can perform a self-service password reset.
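The provisioning steps described above, as an added PowerShell example (this is not Hitachi ID's own deployment script): it creates the SKA user, the group that scopes the policy, and a GPO that swaps the Windows shell for the kiosk launcher via the standard "Custom User Interface" user policy. The OU, account, group and GPO names, the server name and the launcher's UNC path are all assumptions; substitute whatever your Password Manager installation provides.

```powershell
# Added example, not Hitachi ID code. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT) and an account allowed to create users and GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$skaOU    = "OU=Kiosk,$domainDN"                  # assumed OU, created below
$skaUser  = "help"                                # the account users type at the login prompt
$skaGroup = "SKA-Users"                           # assumed group name
$gpoName  = "SKA-Kiosk-Shell"                     # assumed GPO name
$launcher = "\\pmserver01\psynch$\pskiosk.exe"    # assumed UNC path to the kiosk launcher
$skaPass  = ConvertTo-SecureString "help" -AsPlainText -Force  # easy to remember, by design

# 1. A dedicated OU keeps the kiosk account out of policies meant for people.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=Kiosk)" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name "Kiosk" -Path $domainDN
}

# 2. The kiosk user: plain domain user, no extra group memberships, password
#    fixed so the "help" logon keeps working. The reset portal, not this
#    account, is what actually authenticates the person resetting a password.
New-ADUser -Name $skaUser -SamAccountName $skaUser -Path $skaOU `
    -AccountPassword $skaPass -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description "Secure Kiosk Account: self-service password reset only"

# 3. A group so the GPO can be filtered to exactly this account.
New-ADGroup -Name $skaGroup -GroupScope Global -Path $skaOU
Add-ADGroupMember -Identity $skaGroup -Members $skaUser

# 4. The GPO. User Configuration > Administrative Templates > System >
#    Custom User Interface writes this registry value, and Winlogon then
#    starts the launcher instead of explorer.exe for the "help" session.
$null = New-GPO -Name $gpoName
$policyKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$null = Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName "Shell" -Type String -Value $launcher
# Close the obvious escape hatches from the kiosk session.
$null = Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName "DisableTaskMgr" -Type DWord -Value 1
$null = Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoRun" -Type DWord -Value 1

# 5. Security filtering: Authenticated Users keeps Read (clients must still be
#    able to read the GPO) but loses Apply, so only SKA-Users gets the shell swap.
$null = Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace
$null = Set-GPPermission -Name $gpoName -TargetName $skaGroup `
    -TargetType Group -PermissionLevel GpoApply
$null = New-GPLink -Name $gpoName -Target $skaOU -LinkEnabled Yes

# 6. Check what will actually be pushed out before anyone logs on as "help".
(Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName "Shell").Value
```

Two things the script does not do and that a deployment still needs: the share behind the UNC path must grant Read to the SKA group and nothing more, because the launcher runs under the "help" identity, and the SKA group should be added to the "Deny log on through Remote Desktop Services" and "Deny access to this computer from the network" user rights in the workstation security policy, so the well-known credential is only usable at a console.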

The GPO prevents the SKA account from being abused:

The SKA allows users of Windows / Active Directory domains to reach self-service password reset from any Windows workstation without installing client software.

The SKA is easily deployed and centrally controlled and monitored.
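Central monitoring of the shared account is where the SKA trade-off is managed, so here is an added PowerShell example (not part of the Hitachi ID product) that audits use of the "help" account from Windows Security logon events. A kiosk session only ever produces console-style logons; any network, service, batch or RDP logon with that credential means someone is using it for something other than resetting a password. The account name, the log name and the lookback window are assumptions; on a Windows Event Forwarding collector point it at the ForwardedEvents log instead of a single machine's Security log.

```powershell
# Added example, not Hitachi ID code. Event ID 4624 is recorded on the
# machine that performs the logon, so run this on the workstations, on a
# WEF collector, or with Get-WinEvent -ComputerName against each host.
function Get-SkaLogonAnomalies {
    param(
        [string]$SkaName  = "help",      # assumed SKA account name
        [string]$LogName  = "Security",  # "ForwardedEvents" on a WEF collector
        [int]$MaxAgeMs    = 86400000     # last 24 hours
    )
    # Logon types a kiosk session legitimately produces:
    #   2 = interactive console, 7 = unlock, 11 = cached interactive.
    # Anything else (3 = network, 4 = batch, 5 = service, 10 = RDP) is abuse
    # of a credential that every user in the domain knows.
    $expected = @('2', '7', '11')

    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $MaxAgeMs]]" +
             " and EventData[Data[@Name='TargetUserName']='$SkaName']]"

    Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Computer   = $_.MachineName
                LogonType  = $data['LogonType']
                Source     = $data['WorkstationName']
                SourceIP   = $data['IpAddress']
                Suspicious = ($expected -notcontains $data['LogonType'])
            }
        }
}

# Everything the kiosk account did, with the non-console logons flagged.
Get-SkaLogonAnomalies | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

On a domain controller the equivalent signal is Kerberos TGT requests (event 4768) for the same account; the point is the same, namely that a credential anyone can type should only ever appear in the one logon path the kiosk design expects.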


Watch a Movie

Locked out Windows user resets own password (no software footprint)



Content:

  • A user has either forgotten his password or triggered an intruder lockout.
  • The user's PC runs any version of Windows.
  • The user wishes to unlock his account without calling the help desk.

Key concepts:

  • Access to SSPR is available using a secure kiosk account.
  • This approach eliminates the need to install any software on the PC.
  • The trade-off is a special domain account, typically called "help", which every user can sign into but which has minimal security entitlements.

Password reset for remote, locked-out users:

When users are off-site and not connected to the corporate network, they can use a telephony (IVR) solution to reset a VPN password. This does not resolve problems users may encounter with their local workstation password or with cached domain credentials.

An LSKA, a GINA extension service or a credential provider is available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. These solutions establish a temporary network connection, launch a locked-down web browser and let the user authenticate to Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via an ActiveX control).


Watch a Movie

Locked out Windows 7 user resets own password



Content:

  • A user has either forgotten his password or triggered an intruder lockout.
  • The user's PC runs Windows 7.
  • The user wishes to unlock his account without calling the help desk.

Key concepts:

  • Access to SSPR is available as a credential provider (CP).
  • The CP can be installed on Windows Vista and Windows 7 workstations.

Extending the login prompt GUI:

Instead of deploying an SKA account, where users are required to type "help" to sign into the self-service user interface, Hitachi ID Systems customers may elect to deploy a GINA extension service on workstations, which extends the user interface of the workstation login subsystem (GINA) by adding a button that launches a locked-down, kiosk-mode web browser.

The GINA option has pros and cons: it is slightly more user friendly (press a button rather than type "help") and eliminates the password-less SKA account. On the other hand, it requires a software footprint on every workstation, which must be validated against every computer image and operating system patch to ensure interoperability.

Note that no GINA DLL is installed on user PCs, even with this option. This matters, since a buggy GINA DLL or an incorrect uninstallation sequence can render a PC inoperable.


Watch a Movie

Locked out Windows XP user resets own password



Content:

  • A user has either forgotten his password or triggered an intruder lockout.
  • The user's PC runs Windows XP.
  • The user wishes to unlock his account without calling the help desk.

Key concepts:

  • Access to SSPR is available as a service installed on Windows XP workstations.
  • The service is not a GINA DLL. Instead, it adds UI elements to the native GINA on the fly.
  • This architecture is less risky than installing a DLL into the GINA DLL chain.