Directory Password
  • Overview
  • Features
  • Evaluating
  • Requirements
  • Installation
  • Version History

Simple, low-cost self-service password reset and account unlock

Password resets and account unlocks can consume as much as 30% of some organizations' Help Desk resources. Directory Password is an extra-cost add-on product for Directory Update v2.0. The user answers a series of security questions in Directory Update; the questions and answers are stored in Active Directory (the questions encrypted, the answers hashed).

Later, if the user's account is locked or they have forgotten their password, they can unlock the account or reset the password using the Directory Password web interface. All the user needs is a Web browser, for example on a neighbor's computer or a kiosk.

Directory Password is designed as an add-on product for Directory Update and thus requires the newest build of Directory Update v2.1 or later. Directory Password is configurable and allows you to customize it to fit your password and security requirements.

  • Allows users to unlock their account if they have locked it
  • Allows users to reset their password if they have forgotten it
  • Users can unlock / reset from any web browser
  • The list of possible questions is customizable
  • Administrator selects the number of questions (up to 10) that the user must pre-answer
  • Administrator selects the number of questions the user must answer in order to unlock their account or reset their password
  • Password strength is customizable
  • No SQL or standalone database is required
  • File auditing and e-mail notifications

Question and Answer Storage

Directory Password does not require a separate database instance. Instead, question and answer data is stored on each user's object in Active Directory: the questions the user selected and the answers they provided are kept in the postalAddress attribute. Questions are encrypted; answers are stored only as an irreversible hash.

The homePostalAddress attribute is used to store the incorrect logon count. Neither attribute is commonly used in Active Directory, and each can hold 4KB of data. The attributes used can be changed in the AppSettings.XML file. Because only ciphertext and hashes are stored, an administrator who reads the attributes sees neither the questions nor the answers. Note, however, that the stored values are readable by any principal with read access to those attributes, and hashing adds no protection to an answer that is easy to guess, so prefer questions whose answers are not public knowledge (a mother's maiden name or a pet's name is often easy to discover).
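The check a practitioner will want before trusting the "not visible" statement is to see who can actually read the two attributes on a user object. The following PowerShell script is an added example, not part of Directory Password or Directory Update; it assumes the product's default attribute names (postalAddress and homePostalAddress), a domain-joined machine, and that it is run by a user allowed to read the schema and the target object's security descriptor. The script name and parameter are hypothetical.

```powershell
# Added example, not part of Directory Password: for one user, show how much data is
# stored in the two attributes the product uses and which principals hold a ReadProperty
# grant covering them. Assumes the default attribute names and a domain-joined machine;
# run it as a user who can read the schema and the target object's security descriptor.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string[]]$Attributes = @('postalAddress', 'homePostalAddress')
)

$schemaNC = ([adsi]'LDAP://RootDSE').schemaNamingContext.Value

# An ACE names an attribute by its schemaIDGUID, or names the property set the attribute
# belongs to (attributeSecurityGUID). Collect both so neither kind of grant is missed.
$guids  = @{}
$schema = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$schemaNC")
[void]$schema.PropertiesToLoad.AddRange([string[]]@('schemaIDGUID', 'attributeSecurityGUID'))
foreach ($name in $Attributes) {
    $schema.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
    $row = $schema.FindOne()
    if (-not $row) { throw "Attribute $name not found in the schema" }
    $ids = @([Guid]$row.Properties['schemaidguid'][0])            # byte[] -> Guid
    if ($row.Properties.Contains('attributesecurityguid')) {
        $ids += [Guid]$row.Properties['attributesecurityguid'][0]  # property set GUID
    }
    $guids[$name] = $ids
}

$finder = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccountName)")
[void]$finder.PropertiesToLoad.AddRange([string[]]$Attributes)
$hit = $finder.FindOne()
if (-not $hit) { throw "User $SamAccountName not found" }

# How full are the attributes? The page gives 4KB as the capacity of each.
foreach ($name in $Attributes) {
    $len = 0
    if ($hit.Properties.Contains($name.ToLower())) {
        $len = ([string]$hit.Properties[$name.ToLower()][0]).Length
    }
    '{0,-18} {1,4} of 4096 characters used' -f $name, $len
}

# Effective allow ACEs on the object, inherited ones included
$acl      = $hit.GetDirectoryEntry().ObjectSecurity
$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
foreach ($name in $Attributes) {
    $readers = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]($ace.ActiveDirectoryRights -band $readProp)) -eq 0) { continue }
        # Empty ObjectType means "all properties"; otherwise it must be this attribute or its property set
        if ($ace.ObjectType -eq [Guid]::Empty -or $guids[$name] -contains $ace.ObjectType) {
            $readers += $ace.IdentityReference.Value
        }
    }
    "Principals that can read ${name}:"
    $readers | Sort-Object -Unique | ForEach-Object { "  $_" }
}
```

Run it as, for example, .\Get-DPStorage.ps1 -SamAccountName jdoe. Expect NT AUTHORITY\SELF (the user can read their own values) and the administrative groups to appear; if a broad group such as Authenticated Users is listed, anyone in the domain can copy the hashed answers and attempt to guess them offline, which is the reason for choosing questions with non-public answers.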

No pressure. No annoying salesmen. No registration. Just download the software.

As with our other software, we strongly urge all potential customers to download Directory Password, install it in your environment, and customize it for your use. You will see how easy it is to get Directory Password up and running.

You can download a fully functional evaluation copy from the Downloads section of our Web site; the evaluation is fully functional for 10 days with no limitations. We will not ask you for your e-mail address, telephone number, or first-born; all you have to do is download the software. And if you run into problems and have a question, we will give you the same great support we give our customers.

If you choose to buy the product, you can keep your customized configuration: run the Configuration wizard against the existing Directory Password installation to add your license key and domain name.

Directory Password will work on any server on which Directory Update v2.0 is already installed. Directory Update v2.x must be installed on the same IIS server as Directory Password.

Active Directory Requirements

Directory Password works against all versions of Active Directory including Windows 2000, Windows 2003, Windows 2008, and Windows 2008 R2.

Exchange Server Requirements

Directory Password has no Exchange Server requirements.

Server Operating System

  • Windows Server 2003 with SP2 (x86 or x64)
  • Windows Server 2003 R2 with SP2 (x86 or x64)
  • Windows Server 2008 with SP1 (x86 or x64)
  • Windows Server 2008 R2 (RTM or SP1)

Either the Standard Edition or the Enterprise Edition is supported, on either a physical or a virtual server. For Windows Server 2008 you must use the full installation; Server Core installations are not supported.

Internet Information Server

  • Internet Information Services (IIS) 6, 7, or 7.5
  • IIS 6 compatibility components must be installed when using Windows Server 2008
  • ASP.NET must be enabled
  • .NET Framework v3.5 must be installed/enabled
  • Integrated Windows Authentication must be enabled

Microsoft/Windows Updates

Once the prerequisites are installed, we strongly recommend that you perform a Microsoft Update and install all recommended and critical updates.

Interoperability with Other Web Applications

Directory Password usually works fine with most web applications running on the same IIS server, provided the server remains in at least IIS 6 mode. Directory Password can co-exist on the same IIS server with other Ithicos Solutions products. We recommend against running Directory Password on the same server as Microsoft SharePoint.

Service / Proxy Account

During the Directory Password installation, you will be prompted for a service/proxy account. All password resets are performed using this account, so it must have the Active Directory permissions necessary to reset users' passwords. We recommend making the account a member of the domain's Account Operators group. Be aware that Account Operators can also create and modify most accounts and groups in the domain and may log on locally to domain controllers, so if you prefer least privilege, delegate only the Reset Password right (plus write access to lockoutTime for unlocks) on the OUs that contain your users.

  • Name the account something recognizable, such as SVC_DirectoryPassword
  • Give the proxy account a strong password (at least 15 characters)
  • The proxy account's password must not expire
  • The account is used only by the web application, so deny it interactive and Remote Desktop logon
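The commands below are an added example, not part of the product or its installer. They create the proxy account with the properties listed above and, as a least-privilege alternative to Account Operators membership, delegate only the rights a reset/unlock service needs on the OU holding your users. The domain (CORP / corp.local) and OU names are assumptions, and so is the need to write homePostalAddress, which the page says the product uses for the incorrect logon count.

```powershell
# Added example, not part of Directory Password: create the proxy account with the
# properties listed above and, as a least-privilege alternative to Account Operators,
# delegate only what a reset/unlock service needs on the OU that holds your users.
# Assumptions: domain CORP (corp.local), the two OU names, and that the account must
# also write homePostalAddress, where the page says the incorrect logon count is kept.
# Run as a domain administrator where dsadd and dsacls are available (a domain
# controller or a machine with the AD DS administration tools installed).
$svcDn  = 'CN=SVC_DirectoryPassword,OU=Service Accounts,DC=corp,DC=local'
$svc    = 'CORP\SVC_DirectoryPassword'
$userOu = 'OU=Users,DC=corp,DC=local'

# -pwd * prompts for the password instead of leaving it in the command history;
# choose 15+ characters. The password never expires and the account cannot change it.
dsadd user $svcDn -samid SVC_DirectoryPassword -pwd * -pwdneverexpires yes -canchpwd no -desc 'Directory Password proxy account'

# /I:S = the ACE is inherited by child objects only; ";user" limits it to user objects.
# CA = control access (extended right), WP = write property.
dsacls $userOu /I:S /G "${svc}:CA;Reset Password;user"      # the right a password reset exercises
dsacls $userOu /I:S /G "${svc}:WP;lockoutTime;user"         # clearing lockoutTime unlocks the account
dsacls $userOu /I:S /G "${svc}:WP;homePostalAddress;user"   # assumption: counter attribute written by the product

# Check: only these three ACEs should mention the account
dsacls $userOu | Select-String 'SVC_DirectoryPassword'
```

Repeat the three dsacls lines for every OU that contains users who will use the product. After delegating, click "Test Directory Settings" in the configuration wizard and perform a test reset and unlock on a user in that OU; if the product needs a right this list does not grant (for example, write access to another attribute you have configured in AppSettings.XML), the test reveals it and one more dsacls grant fixes it. Denying the account interactive logon is done separately through Group Policy (User Rights Assignment).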

Application Pool

An application pool is a separate worker process (and memory space) in which a web application executes. Web applications are assigned to the DefaultAppPool by default, and that is usually fine. However, we recommend creating a dedicated application pool for Ithicos applications so that they run in a separate memory space under the NetworkService security context.

  • Name the application pool something like IthicosAppPool
  • The application pool identity must run as the NetworkService user
  • 32-bit mode must be disabled

Installer’s Account

The person that installs Directory Password should use a user account that is both a domain account and a member of the server’s local Administrators group.

Secure Sockets Layer (SSL)

SSL is a security layer that protects HTTP data as it travels across your network or the Internet. We strongly recommend that any web site that transmits personal or sensitive data use SSL. Directory Password works on a web site with or without SSL, but because it handles passwords and security answers you should require SSL for it.

SSL uses a certificate that is “signed” by a certificate authority. We recommend that the certificate be issued by a certificate authority (CA) that is trusted by the browser clients that your users will be using. This prevents security warnings; users should never get used to ignoring security warnings.

Enabling SSL is a feature of Internet Information Server; the procedure depends on the operating system and IIS version and is documented by Microsoft for each.
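The following is an added example, not part of the product or its documentation, covering both the Application Pool and Secure Sockets Layer sections above for IIS 7 and 7.5: it creates the dedicated pool, moves the application into it, and makes the application refuse plain HTTP. The pool name, the application path "Default Web Site/DirectoryPassword", and an existing https binding with a CA-issued certificate are assumptions; IIS 6 on Windows Server 2003 has no appcmd, so use IIS Manager there.

```powershell
# Added example, not part of Directory Password: on IIS 7/7.5, create the dedicated
# pool described under "Application Pool", move the application into it, and require
# SSL for the application as recommended under "Secure Sockets Layer".
# Assumptions: pool name IthicosAppPool, application path
# "Default Web Site/DirectoryPassword", .NET 3.5 (which runs on CLR v2.0), and an
# https binding with a CA-issued certificate already present on the site.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$pool   = 'IthicosAppPool'
$app    = 'Default Web Site/DirectoryPassword'

# Dedicated pool: NetworkService identity, 32-bit mode off, CLR v2.0 for .NET 3.5
& $appcmd add apppool /name:$pool /managedRuntimeVersion:v2.0
& $appcmd set apppool /apppool.name:$pool /processModel.identityType:NetworkService /enable32BitAppOnWin64:false
& $appcmd set app $app /applicationPool:$pool

# Refuse plain HTTP for this application only; the rest of the site is unchanged
& $appcmd set config $app /section:access /sslFlags:Ssl /commit:apphost

# Checks: pool identity and bitness, the app's pool, an https binding, and the SSL flag
& $appcmd list apppool $pool /text:processModel.identityType   # NetworkService
& $appcmd list apppool $pool /text:enable32BitAppOnWin64        # false
& $appcmd list app $app /text:applicationPool                   # IthicosAppPool
& $appcmd list site 'Default Web Site' /text:bindings           # must include https/*:443:
& $appcmd list config $app /section:access                      # <access sslFlags="Ssl" />
```

After the sslFlags change, http://yourservername.yourcorp.local/DirectoryPassword returns HTTP 403.4 and only the https URL works, so update any link you hand out to users and kiosks accordingly.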

Browser Requirements

Directory Password uses ASP.NET and AJAX controls to create some enhanced functionality within the browser; some call this Web 2.0 technology. This means that it is not as simple as a standard web page and thus browsers must be carefully tested.

Our current releases support the following browser versions:

  • Internet Explorer 8.x
  • Internet Explorer 9.x
  • Firefox 4.x or later

We only update current versions of our software when a new browser is released. This does not mean that older browsers (such as IE 7) or other browsers (Safari or Chrome) will not work, but we may not be able to support them if you have problems. We recommend customers stay on software maintenance so that they can upgrade to newer builds of the software as they become available.

Directory Password is simple to install as long as the prerequisites are all installed. Download the latest version from our Web site and unzip it to obtain the DirectoryPassword.msi file. Place the MSI file on the server's local hard drive, such as in the c:\temp folder.

Warning: Directory Update v2.x is required, must be installed on the same IIS server, and must be installed first.

You can usually just double-click on the MSI file to launch the installer, but on Windows Server 2008, the User Account Control security settings may be set so tightly that you have to launch the installer from the command line (don’t forget to “Run As Administrator”) like so:

msiexec.exe /i c:\temp\DirectoryPassword.msi

  1. On the installation wizard welcome screen, Click Next

  2. On the License Agreement screen, click “I Agree” and then click Next

  3. On the Select Installation Address, most installations use the defaults. From this screen, you can select a different web site, virtual directory name, or application pool. When you have made your selection, click Next.

  4. On the Confirm Installation screen, click Next

  5. The installation takes between 30 seconds and 1 minute and then the Directory Settings configuration screen appears. You may have to select it from the task bar as it sometimes appears “behind” the installer.

  6. On the Directory Settings screen, enter the host name of the domain controller, the DNS domain name of your Active Directory domain, the service/proxy account (in domain\username format), and the proxy account password. A common configuration problem is entering the FQDN of the domain controller in the Domain Controller text box; this text box takes the host (short) name of the domain controller. Click the "Test Directory Settings" button and then click Next.

  (Screenshot: Directory Settings screen)

  7. On the Licensing Information screen, copy and paste the organization name and license key that you were provided after you purchased the software. If you select the Evaluation checkbox, the software is fully functional in Evaluation mode for 10 days and you can run the configuration wizard later to provide the licensing information. Click Next when finished.

  8. On the Directory Password Information screen, click Next

  9. On the Installation Complete screen, click Close

  10. Immediately test the installation by using a Web browser to visit http://localhost/DirectoryPassword (the default URL if you are checking from the console of the server) or http://yourservername.yourcorp.local/DirectoryPassword (if you are checking from elsewhere on your network; use https if you have enabled SSL on the site).

You can now proceed to customizing the application.

Installation Checklist

  1. Test the default installation (with no customizations)

  2. Create or use a dedicated IIS application pool for Ithicos applications.

  3. View / Edit the AppSettings.XML file to confirm that the field names, notification settings, and logging are configured the way you want.

  4. View / Edit the PasswordSettings.XML file to confirm the password policy is at least as strict as your Windows policy.

  5. Enable file logging and/or auditing in the AppSettings.XML file.

  6. Set file system permissions for photos and log files (if necessary)

Enabling the Password Management tab in Directory Update

Before users can use Directory Password, they first have to answer their security questions in Directory Update. The Password Management tab in Directory Update does not appear by default; locate the passwordManagement element in the Directory Update AppSettings.XML file and make sure its enabled attribute is set to "yes":

<passwordManagement text="Password Management" enabled="yes">

File System Permissions

If you wish to allow Directory Password to record a text (CSV) log of all changes made using Directory Password, you must give the NETWORK SERVICE account the following permissions on the .\Logs folder: Modify, Read & Execute, List Folder Contents, Read, and Write. By default the .\Logs folder is c:\inetpub\wwwroot\directorypassword\Logs. Because that location is inside the web root, also make sure IIS does not serve the log files over HTTP (or move the folder outside wwwroot); the log is a record of every reset and unlock performed.
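The commands below are an added example, not part of the product, that apply the permissions listed above and block HTTP access to the log folder. They assume the default installation path, the NetworkService pool identity, and the application path "Default Web Site/DirectoryPassword"; the request filtering step exists on IIS 7 and 7.5 only (on IIS 6, move the folder outside the web root instead).

```powershell
# Added example, not part of Directory Password: grant the pool identity the rights the
# page lists on the Logs folder, and stop IIS from serving the CSV logs over HTTP because
# the default location is inside the web root. Assumptions: default install path,
# NetworkService pool identity, app path "Default Web Site/DirectoryPassword";
# the hiddenSegments step is IIS 7/7.5 only.
$logs = 'C:\inetpub\wwwroot\DirectoryPassword\Logs'
$app  = 'Default Web Site/DirectoryPassword'
if (-not (Test-Path $logs)) { New-Item -ItemType Directory -Path $logs | Out-Null }

# (OI)(CI) = apply to files and subfolders; M = Modify, which already includes
# Read & Execute, List Folder Contents, Read and Write
icacls $logs /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)M'

# Deny HTTP requests whose URL contains a "Logs" segment under the application.
# The product writes the files through the file system, so logging keeps working.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
& $appcmd set config $app /section:requestFiltering "/+hiddenSegments.[segment='Logs']" /commit:apphost

# Checks: the ACE is present, and the segment is listed under requestFiltering
icacls $logs | Select-String 'NETWORK SERVICE'
& $appcmd list config $app /section:requestFiltering
```

After this, a request for https://yourservername.yourcorp.local/DirectoryPassword/Logs/anything.csv returns HTTP 404.8 instead of the file, while the application continues to append to the folder.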

Directory Password v1.0

  • Original version of Directory Password

  • Integrates with Directory Update v2.0/v2.1