Self-Service Password Reset (Setup Guide)

This Article Applies to: Enterprise or higher editions, Stand-Alone Reset Server

Password Server users can reset their passwords if they have enrolled their Security Question Answers.

Administrators can set up a Challenge Policy which specifies the number and type of Security Questions that will be asked.

The following User Types can reset their passwords through Password Server:

  • Local Users only (Enterprise edition) - created in Password Server
  • Directory Users (Enterprise+ edition) - imported from a User Directory
  • Reset Users (Reset Users purchased) - imported from a User Directory

 

Prerequisites:

  • Valid Certificate - imported using the Pleasant "Service Config" program (in the Windows Start menu)
  • Directory Connection - "Use SSL/TLS" connection with Microsoft Negotiate authentication

1. Create a Reset Challenge

Reset Challenges allow the Administrator to specify the Security Questions that users must answer to reset their password.

Create a Reset Challenge
 

  • IMPORTANT:
    • The Reset Challenges must have a User Policy assigned to them to function.
    • Reset Users will automatically be imported with the Default Reset Policy from step 1.
    • Enterprise+ Users can have multiple Policies and thus multiple Reset Challenges assigned to them. 

 

 Set Reset Policies

2. Create / Import Users

  • Create Password Server Users (Local user):
    • Click the "Add New User" button in the Users screen
    • Click "Email Address Confirmed" - to confirm the email address. Without this the user will not receive emails.
  • Import Users (AD/LDAP directory users):

    • See our guide to Importing Users via AD/LDAP
    • The user account listed in Directory Credentials will be the one used to reset the users' passwords, and must have permission on the AD/LDAP directory to reset user passwords.
    • Confirm that Allow Password Changes is selected in your setup, which:
      • allows users to reset their own passwords,
      • allows administrators to reset user passwords,
      • allows users imported from the directory to change their passwords

 Import Reset User settings

  • Once a user list can be retrieved, import as Reset Users.

 Import visible or selected reset users

3. Set Up Email

  • To set up email integration, navigate to Settings > Email

4. Customize Enrollment Reminder Email (Enterprise+) 

  • Enterprise+ customers have the option to customize the email reminder which gets sent to unenrolled users.
  • We recommend checking how your URL displays in the email, since the server is aware of the short NetBIOS name (network name), but may not be aware of the fully qualified domain name (FQDN).
  • Note: For users to receive email from the system, the Email integration must be set up and the users must have a "Confirmed" email address

 Enrollment Reminder email

5. (AD/LDAP) Configure Your Group Policy (or Local Security Policy)

  • If you are not integrating with AD/LDAP you may ignore this step
  • Directory users' passwords must still comply with the password policy set in Group Policy, for example the requirements for:

    • Minimum password length,
    • Complexity requirements,
    • Enforce password history (Cannot re-use passwords)
    • Maximum Password Age = 0 days (recommended)
    • Minimum Password Age = 0 days (Changing this value is not supported at this time)
  • These settings can be found in GPedit.msc (Group Policy) or Secpol.msc (Local Security Policy)

    • For example:
      • GPEdit.msc > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

6. ("Reset Users") Set the Reset User Policy 

This step applies only if you have purchased "Reset Users", who can only reset their Directory Password. They cannot use passwords or view folder entries.

  • If you have Reset Users, you can assign a policy just for these users:
    • existing Policy, or,
    • create a new User Policy just for Reset Users
  • Reset Users will be assigned to the Default Reset Policy, which can be changed in:

    • Users and Roles > Manage Policies > Global Settings > Edit, Default Reset Policy

Create a default reset policy

7. Manage Enrollment

  • To view all users who can answer Security Questions in your challenge policies, navigate here:
    • Users and Roles > Manage Reset Users.
  • The User Enrollment Report displays users who have answered the security questions. It can be found under:

    • Users and Roles > Enrollment Status
      • This will display all Reset Users and their current status.
      • This allows you to send a welcome/reminder email to your users
  • Email a Welcome email to users who are not enrolled: this sends a welcome email with a link to set up their Reset Challenge answers.

    • Note: For users to receive email from the system, the Email integration must be set up and the users must have a "Confirmed" email address

Manage User Enrollment

 

8. User Enrollment

Users must answer the Security Questions to complete the enrollment and use the Password Reset. Users are not considered enrolled until they have set up all the requirements of their Reset Challenge.

  • There are 3 ways for users to arrive at the Answers page:
    • Prompt after login - will bring them to fulfill the enrollment
    • Enrollment Reminder email - will provide a link to the page
    • Navigate from their user profile
  • When users log in, they can navigate to a Configuration page:
    • Click username (top right-hand corner) > Manage Account > Click on Set Answers (link) in the Security section

  • Here users can set their basic information, update their questions, and set up any required two-factor providers.

 Manage Account Profile

9. Self-Service Password Reset

Once users are enrolled, they can reset their passwords via:

  • The Forgot Password link on the Web Client Login Page (https://localhost:10001/Account/ForgotPassword, by default), or,
  • The Windows Login Integration Client

 Self-Service Password Reset

 

Troubleshooting

Double-check the following settings:

  • Missing Reset Link on Login Page:
    • The "Forgot Password" link no longer appears on the login page unless the challenges have been set up in full (as of version 7.10.18).
    • The Administrator must first complete the Challenge Policy setup (Security Question setup).

 

  • User is not Enrolled:
    • Check if the user is enrolled, using the User Enrollment Report
    • The User's policy needs to be set up with a Challenge Policy
    • A directory user needs to set up their security question answers before using the Login Reset.
    • Check that the User's status matches the conditions of the Challenge Policy
      • e.g. has the user been created yet, are they enrolled, is 2FA set up, etc.

 

  • The Challenge Configuration Doesn't Allow Resets:
    • "Allow Resets" must be enabled:
      • Manage Login Reset Challenges > Challenge Configuration > Actions > Edit > Edit Challenge Policy > Allow Resets = Enabled

 

  • Directory Doesn't Perform Password Changes:
    • "Allow Password Changes" must be set on the directory
    • The "Use SSL" option must be selected to change passwords (over LDAPS)
    • The Directory Connection user account (configured in the AD/LDAP Directory setup) will be used to reset the users' passwords.
      • This account must have permission on the directory to reset user passwords.

 

  • Certificate & Encrypted Connection:
    • AD requires password resets over TLS/SSL
      • Import the certificate using the Service Config utility (in the Windows Start menu)
      • Set the "Use SSL" checkbox in the AD/LDAP directory connection page

 

  • Viewing Detailed Errors:
    • A general error message (purposely discreet) may stand in for a specific error that would help resolve the problem
      • Administrators can find more information in the Event Logging or Detailed Logs

 

  • AD Password Group Policy Requirements
    • AD user passwords will need to comply with the AD group policy (see step 5 above):
      • for example, Password requirements
    • Changing the Minimum Password Age value may cause problems
      • e.g. min password days = 2

 

  • Pleasant.Identity Password set Failed Error:
    • Some users reported getting the above error when attempting to reset their user passwords.
    • Upon reviewing the "minimum password age" in the default domain policy, they indicated it was set to 2 days. Changing it to 0 will allow passwords to be reset as expected.
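
Two of the checks above (the LDAPS connection that "Use SSL" depends on, and the password policy values from step 5) can be verified from the Password Server host before retrying a reset. The following PowerShell is an added example and not part of the vendor's guide. The function names, the host `dc01.example.test`, the account `jdoe` and the default LDAPS port 636 are assumptions; `Get-ADDefaultDomainPasswordPolicy` and `Get-ADUserResultantPasswordPolicy` come from the RSAT ActiveDirectory module.

```powershell
# Added example, not vendor code. Run on the Password Server host.
# Requires the RSAT ActiveDirectory module for the policy check.
Import-Module ActiveDirectory

function Test-LdapsHandshake {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $out = [ordered]@{ Server = $Server; Port = $Port; Trusted = $false; Detail = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Server, $Port)
        # Default validation: the chain must end in a root this host trusts
        # and the certificate name must match $Server.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $out.Trusted = $true
        $out.Detail  = "$($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    } catch {
        $out.Detail = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$out
}

function Get-ResetPasswordPolicy {
    param([string]$Identity)  # optional user, to pick up a fine-grained policy
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'Domain default'
    if ($Identity) {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
        if ($pso) { $policy = $pso; $source = "Fine-grained policy '$($pso.Name)'" }
    }
    [pscustomobject]@{
        Source             = $source
        MinPasswordLength  = $policy.MinPasswordLength
        ComplexityEnabled  = $policy.ComplexityEnabled
        PasswordHistory    = $policy.PasswordHistoryCount
        MaxPasswordAgeDays = $policy.MaxPasswordAge.TotalDays
        MinPasswordAgeDays = $policy.MinPasswordAge.TotalDays
        # The guide supports only Minimum Password Age = 0 days.
        MinAgeSupported    = ($policy.MinPasswordAge -eq [TimeSpan]::Zero)
    }
}

Test-LdapsHandshake -Server 'dc01.example.test'   # placeholder hostname
Get-ResetPasswordPolicy -Identity 'jdoe'          # placeholder account
```

A `Trusted` value of `False` carries the handshake or connection error in `Detail`; a `MinAgeSupported` value of `False` matches the "Password set Failed" case described above.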