DirX Password Reset Client - Installation and Configuration

This chapter describes the installation and configuration of the DirX Password Reset Client and, in part, of the corresponding Web Service.

The back-end side consists of:

  • Provisioning Servlet (deployed in a Tomcat server)

  • DirX Identity system with at least the Java-based Server and the messaging server (ActiveMQ)

  • Active Directory (as a connected directory; there can be several)

Abbreviations used in this document:

DPRS - DirX Password Reset Server (back-end server connected to the customer's Active Directory)

DPRC - DirX Password Reset Client (Windows credential provider on the customer's client PC)

Supported modes:

DPRC supports two different modes:

  • Kiosk mode: In this mode a pre-configured local account is used to set up the VPN connection to the corporate domain controller, to set the password in Active Directory and to cache the password on the client side. This mode supports corporate and Internet LAN/WLAN environments (no hotel scenarios). Any customer-specific VPN software can be used.

  • Pure credential provider mode: In this mode no local account is used. This mode also supports corporate and Internet LAN/WLAN environments (no hotel scenarios). The difference from kiosk mode is that the VPN software must allow setting up a connection in the pre-logon state. Currently only Juniper Pulse supports this. This mode also supports smart card authentication in corporate networks.

Prerequisites:

  • DPRS is set up

  • Client PC is installed with Windows 10.

  • Client PC is connected to the internal corporate LAN, to an external LAN (Internet) or to a pre-defined WLAN

  • If the smart card option is used: PKI base client 5.7 or 5.8 with Atos Card OS API V5.2 or higher is installed on the PC.
    Note: The smart card option is possible only in corporate networks.

  • If VPN is used: For pure credential provider mode, Juniper Pulse version 5 is installed and pre-configured. For kiosk mode, the relevant VPN software is installed and pre-configured.

Functional information:

  • The DPRC offers three options that can be combined:

    • Smart card option (in corporate networks only)

    • Authentication questions option

    • Mobile OTP (one-time password) option

    • Any combination of these three options

  • The dialog language follows the Windows system language setting. If the current Windows language is not supported by the password reset client, the dialogs are displayed in English.

  • The password reset uses the combination of account name and domain name, not the user name.
    Smart card option only: if a user (a real person) has multiple accounts, or the same account name exists in multiple domains, the password reset identifies the correct account by the combination of domain name, account name and GID (the serial number from the smart card).

  • Smart card option only: the email address from the certificate is always extracted and sent in the request.

  • Smart card option only: the GID is extracted from the certificate on the client side and comes from the AD account import on the server side. The server-side validation checks that the AD account's GID string contains the client certificate's GID. Therefore functional users whose GID string has the form prefix-GID-suffix can also reset their account password. Note that this is a containment check, not an equality check: a GID must not be a substring of another account's GID string, or both accounts would match.

  • Smart card option only: the certificate on the smart card must be usable for digital signatures. The DPRC displays only such certificates.

  • Smart card option only: the root CA certificate at the top of the smart card certificate chain must be in the local computer store of the client.

  • Password dialog (authentication questions option): a password reveal button and a note showing which keyboard layout is active are integrated.

  • A hostname check can be configured. If activated, the hostname and the domain of the host (which can differ from the account's domain) are sent in each request to the back end. On the back end, an additional check on these attributes can be configured (registry key: ComputerSIDOption).

License information:

  • The Visual C++ Redistributable Package for Visual Studio 2017 is Microsoft license-free software.

  • The Microsoft .NET Framework 4.7.2 package is Microsoft license-free software.

  • The DPRC itself is licensed as part of the DirX Identity product.

  • Third-party software in the DPRC build with its own license:

    • JavaProperties reader: Apache License 2.0
      (http://www.apache.org/licenses/LICENSE-2.0.html)

    • NSpring for logging
      (see the section "NSpring" under "DPRC 3rd Party Software Licenses" at the end of this document)

DPRC Installation

Installation Files

The DPRC installation consists of the following files:

  • AtosPasswordResetClient.msi - the DPRC application package

  • AtosPasswordResetClient.reg - configuration file for customizing the registry settings

Prerequisites are:

  • Microsoft Visual C++ 2017 Redistributable - x64 - 14.16.27029 or higher

  • Microsoft .NET Framework 4.7.2 or higher

Both prerequisites must be installed beforehand.

DPRC Installer

AtosPasswordResetClient.msi is a standard MSI installer file that can install DPRC without a bootstrapper if the prerequisites are already met. The default installation folder is C:\Program Files\Atos\Password Reset Client.

The installer supports two installation modes:

1) Kiosk mode

Kiosk mode uses a TLS connection with a client certificate to the password reset service, so the relevant certificates must be installed.

The following must be pre-installed or prepared:

  • Microsoft Visual C++ 2017 Redistributable x64 or higher

  • Microsoft .NET Framework 4.7.2 or higher

  • VPN software, e.g. Junos Pulse 5.0 (Juniper Networks)

  • The root CA certificate of the Password reset service is installed in the Trusted Root Certification Authorities folder in the computer store.

The kiosk mode must be installed in the following sequence:

  • Stop the msiserver service:
    sc stop msiserver

  • Add SeBackupPrivilege to the privilege list of the msiserver service (the default list plus SeBackupPrivilege; this is one command line):
    sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege

  • Call the installer:
    msiexec /I AtosPasswordResetClient.msi KIOSKMODE=1

  • Restore the default privilege list of the msiserver service (the same list without SeBackupPrivilege; again one command line). Do not skip this step, otherwise the Windows Installer service keeps the extra privilege permanently:
    sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege

  • Call the DPRCCertUtil utility to import the client certificate into a new folder in the computer store and to grant the local account access to the certificate (note that the PKCS#12 password is passed on the command line):
    DPRC_INST_PATH\APRCCertUtil.exe -install -f <clientstore.p12> -p <p12password>

  • Adapt the installed VPN scripts in the folder DPRC_INST_PATH\VPN: the path to the VPN command-line executable, the VPN service URL and the realm name must be adapted in the scripts.

In the application event log, two informational entries from source "AtosPasswordResetClient" should be visible (one for the local account and one for the reg file).
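The kiosk-mode sequence above, wrapped in a script so that the temporary privilege change on msiserver is always reverted and each step's exit code is checked. This is an added example and not part of the DPRC package: the file paths in $MsiPath, $ClientP12 and $LogPath are placeholders, and the /qn and /l*v switches are standard msiexec options that the documentation does not mention; the utility name, its switches and the privilege lists are taken from the steps above.

```powershell
# Added example (not part of the DPRC package): automated kiosk-mode installation.
# Assumptions: $MsiPath, $ClientP12 and $LogPath are placeholders. Run elevated.
#Requires -RunAsAdministrator
param(
    [string]$MsiPath    = 'C:\Temp\AtosPasswordResetClient.msi',          # assumption
    [string]$ClientP12  = 'C:\Temp\clientstore.p12',                       # assumption
    [string]$LogPath    = 'C:\Temp\AtosPasswordResetClient-install.log',   # assumption
    [string]$InstallDir = 'C:\Program Files\Atos\Password Reset Client'    # documented default
)
$ErrorActionPreference = 'Stop'

# Default privilege list of the msiserver service as given in the documentation;
# the kiosk installer additionally needs SeBackupPrivilege while it runs.
$DefaultPrivs = 'SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/' +
    'SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/' +
    'SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/' +
    'SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/' +
    'SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/' +
    'SeTakeOwnershipPrivilege/SeLoadDriverPrivilege'
$ElevatedPrivs = "$DefaultPrivs/SeBackupPrivilege"

function Invoke-Sc {
    # 'sc' is a PowerShell alias for Set-Content, so the service controller must be
    # called as sc.exe. Throws unless the exit code is one of $Ok.
    param([string[]]$Arguments, [int[]]$Ok = @(0))
    & sc.exe @Arguments | Out-Null
    if ($Ok -notcontains $LASTEXITCODE) {
        throw "sc.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# APRCCertUtil.exe takes the PKCS#12 password as a plain command-line argument, so it is
# visible in process listings while the utility runs. Prompt for it rather than hard-coding it.
$securePwd   = Read-Host -Prompt 'Password of the client PKCS#12 file' -AsSecureString
$p12Password = [System.Net.NetworkCredential]::new('', $securePwd).Password

$start = Get-Date
# 1062 = "The service has not been started": msiserver is demand-started, so this is fine.
Invoke-Sc @('stop', 'msiserver') -Ok @(0, 1062)
Invoke-Sc @('privs', 'msiserver', $ElevatedPrivs)
try {
    # Unattended install with a verbose MSI log. 3010 = success, reboot required.
    $msi = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList "/i `"$MsiPath`" KIOSKMODE=1 /qn /l*v `"$LogPath`""
    if ($msi.ExitCode -notin @(0, 3010)) {
        throw "msiexec failed with exit code $($msi.ExitCode); see $LogPath"
    }
}
finally {
    # Always revert to the default privilege list, even if the MSI failed.
    Invoke-Sc @('privs', 'msiserver', $DefaultPrivs)
}

# Import the client certificate into the DPRC store folder and grant the local
# account access to it (utility name and switches as documented).
& "$InstallDir\APRCCertUtil.exe" -install -f $ClientP12 -p $p12Password
if ($LASTEXITCODE -ne 0) { throw "APRCCertUtil.exe -install failed with exit code $LASTEXITCODE" }
$p12Password = $null

# Verify: a successful kiosk-mode installation writes two informational entries
# (local account and reg file) under source AtosPasswordResetClient.
$events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'AtosPasswordResetClient'; StartTime = $start })
$info = @($events | Where-Object Level -eq 4).Count   # Level 4 = Information
$err  = @($events | Where-Object Level -eq 2).Count   # Level 2 = Error
if ($info -ge 2 -and $err -eq 0) { Write-Host 'Kiosk-mode installation OK' }
else { Write-Warning "Expected 2 informational entries, got $info (errors: $err); check the Application log and $LogPath" }
```

The try/finally is the point of the script: the privilege grant to the Windows Installer service is only needed while the DPRC MSI runs, and a failed msiexec call must not leave SeBackupPrivilege on msiserver. After the script, the VPN scripts in DPRC_INST_PATH\VPN still have to be adapted by hand as described above.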

2) Pure credential provider mode

The following must be pre-installed or prepared:

  • Microsoft Visual C++ 2017 Redistributable x64 or higher

  • Microsoft .NET Framework 4.7.2 or higher

  • Junos Pulse 5.0 VPN software

  • Prepare the AtosPasswordResetClient.reg file

The pure credential provider mode is installed as follows:

  • Call the installer:
    msiexec /I AtosPasswordResetClient.msi KIOSKMODE=0

To reinstall the same DPRC version, or to install this version over a previous one, the previous instance must be uninstalled first. This is due to an issue in the Microsoft Studio Installer extension in use: a higher DPRC version cannot be installed without uninstalling the previous version.

De-installation

For kiosk mode, the uninstallation must be done in the following order:

  • Call the DPRCCertUtil utility to delete the client certificate from the Atos folder in the computer store and to revoke the local account's access to the certificate:
    DPRC_INST_PATH\APRCCertUtil.exe -uninstall

  • Call the standard Windows package uninstallation. The uninstallation deletes the local account.

For pure credential provider mode, no extra step is required.

DPRC Registry Configuration File

The following list contains all configuration parameters in the registry, each with its value type, the option for which the entry is relevant, its default value and remarks. The option field shows which entry is relevant for all options (ALL), for the smart card option (SC) or for the authentication questions option (AQ). If both options are set in the registry, then both SC and AQ entries are relevant.

This version either fetches the password policy from the domain (via the web service) or takes it from the registry. This is controlled by the two registry options UsePoliciesFromService and UsePoliciesFromRegistry, of which exactly one must be set to 1.

Note that this version supports the domain setting "Windows compatible policy", which only makes sense together with the password length setting.

Name (Type, Option, default value)
    Remarks

SmartCardOption (DWORD, ALL, default 1)
    Smart card option; possible values 1 or 0.

ChallengesOption (DWORD, ALL, default 1)
    Authentication questions option; possible values 1 or 0.

OTPOption (DWORD, ALL, default 1)
    Mobile OTP option; possible values 1 or 0.

DefaultOption (String, ALL, default SmartCardOption)
    Defines which option is listed first in the drop-down list to choose from.

VPNOption (DWORD, ALL, default 1)
    Defines whether the VPN scripts are called.

KioskModeOption (DWORD, ALL, default 1)
    1 = kiosk mode, 0 = pure credential provider mode.

ClientCertificateSubject (String, ALL, default empty)
    Subject of the client certificate.

ClientCertificateStoreName (String, ALL, default "Atos Password Reset")
    Name of the certificate store folder in which the client certificate is searched.

ComputerSIDOption (DWORD, ALL, default 0)
    Defines whether the long hostname and the computer domain name are put into every request.

KioskModeParam (String, ALL, default empty)
    Used internally for kiosk mode.

InstallDir (String, ALL, default C:\Program Files\Atos\Password Reset Client\)
    Installation directory (do not change).

RootCAIssuer (String, SC, default Identity)
    String that must be contained in the issuer of the root CA certificate in the chain; can be left empty.

ServerCertIssuer (String, SC, default Identity)
    String that must be contained in the issuer of the web service (HTTPS) certificate; can be left empty.

SslServerCertificateSubject (String, SC, default empty)
    String that must be contained in the subject of the web service certificate; can be left empty.

CompanyName (String, ALL, default Atos)
    String that is not allowed in passwords; can be left empty.

Vendor (String, ALL, default "Atos IT Solutions and Services GmbH")
    Vendor (do not change).

EndpointURL (String, ALL, default https://host:port/servlet-name/services/Spmlv2RequestService)
    URL of the corporate web service; host, port and servlet-name must be customized.

EndpointURLExternal (String, ALL, default https://external-host:external-port/servlet-name/services/Spmlv2RequestService)
    URL of the external web service; host, port and servlet-name must be customized.

WildcardCertificate (DWORD, ALL, default 0)
    Defines whether the server certificate may be a wildcard certificate.

VerifyCorporateURL (String, ALL, default http://corporate-host:corporate-port)
    URL of a second internally accessible web site or service, used to verify internal network connectivity even if the internal reset service is down.

InactivityTimeout (DWORD, ALL, default 180)
    Timeout (in seconds) after which DPRC is closed if no user input (mouse move or keyboard) occurs. 0 disables the timeout.

BindingSendTimeout (DWORD, ALL, default 60)
    Time (in seconds) allowed for a write operation to complete before the transport raises an exception.

BindingOpenTimeout (DWORD, ALL, default 60)
    Time (in seconds) allowed for a connection to open before the transport raises an exception.

BindingReceiveTimeout (DWORD, ALL, default 600)
    Time (in seconds) a connection may remain inactive (no application messages received) before it is dropped.

GetStatusInterval (DWORD, ALL, default 5)
    Interval (in seconds) at which the GetStatus request is repeated as long as "pending" is returned.

GetStatusTimeout (DWORD, ALL, default 60)
    Timeout (in seconds) for the GetStatus request.

LogLevel (String, ALL, default INFO)
    Defines which log messages are written. Possible values in order: DEBUG, INFO, WARNING, ERROR. With INFO, informational and higher messages are written.

LastLoggedOnSAMUserBackup (String, ALL, default empty)
    Used in kiosk mode to save the last logged-on user name.

PwdMinCharLength (DWORD, ALL, default 8)
    Minimum length of the password.

PwdMaxCharLength (DWORD, ALL, default 20)
    Maximum length of the password.

PwdMinLowerChar (DWORD, ALL, default 0)
    Number of lowercase characters required in the password.

PwdMinUpperChar (DWORD, ALL, default 0)
    Number of uppercase characters required in the password.

PwdMinNonAlphaNum (DWORD, ALL, default 0)
    Number of non-alphanumeric characters required in the password. Non-alphanumeric characters are all characters that are neither letters nor digits.

PwdMinSpecialChar (DWORD, ALL, default 0)
    Number of special characters required in the password. Special characters are all characters other than letters.

PwdMinNumeric (DWORD, ALL, default 0)
    Number of numeric characters required in the password.

PwdProhibitChars (String, ALL, default empty)
    Defines prohibited characters, e.g. äöü.

PwdInHistory (DWORD, ALL, default 3)
    Number of passwords kept in the history record (in DirX Identity).

PwdWindowsCompatible (DWORD, ALL, default 1)
    Enforces the Windows password complexity requirements.

AutoSelectSingleCertificate (DWORD, ALL, default 0)
    Smart card option only: defines whether a single valid and usable certificate on the smart card is selected automatically (1) or whether the list of certificates is always shown with a selection option (0).

UsePoliciesFromService (DWORD, ALL, default 1)
    Defines whether the policies are fetched from the service. Exactly one of UsePoliciesFromService and UsePoliciesFromRegistry must be 1.

UsePoliciesFromRegistry (DWORD, ALL, default 0)
    Defines whether the policies are taken from the registry (not from the service). Exactly one of UsePoliciesFromService and UsePoliciesFromRegistry must be 1.

Detailed configuration:

  1. The root CA certificate, including any intermediate certificates, of the DPRS server must be present in the local computer store under Trusted Root Certification Authorities of the Windows client.

  2. Configure the correct web service URLs in the Windows registry of the client under HKEY_LOCAL_MACHINE\SOFTWARE\Atos\Password Reset Client, keys EndpointURL, EndpointURLExternal and VerifyCorporateURL.
    The server name in the URL must match the server certificate DN used for TLS and must be given as a fully qualified domain name (FQDN); names are case-sensitive.
    This can be done via the reg configuration file.

  3. Configure the correct root CA issuer name string in the Windows registry of the client (HKEY_LOCAL_MACHINE\SOFTWARE\Atos\Password Reset Client\RootCAIssuer).
    This depends on the customer's root CA issuer; for example, for Siemens the substring is "Siemens". The DPRC checks whether the issuer of the root CA certificate (which must be in the local computer store) contains this string (both strings are compared in upper case). This can be done via the reg configuration file.

  4. Configure the correct server certificate issuer name string in the Windows registry of the client (HKEY_LOCAL_MACHINE\SOFTWARE\Atos\Password Reset Client\ServerCertIssuer).
    For example, for Siemens the substring is "Siemens". The client checks whether the issuer of the server certificate contains this string (both strings are compared in upper case). Because this is a substring check on the issuer name and not a pin to a specific CA, choose a string that does not also occur in the issuer names of CAs that should not be trusted for this service.
    This can be done via the reg configuration file.

  5. Using kiosk mode: set VPNOption, KioskModeOption and ChallengesOption (and/or OTPOption) to 1, and SmartCardOption to 0. This mode uses a TLS connection with a client certificate when connected via the Internet, so set ClientCertificateSubject and ClientCertificateStoreName. Use the DPRCCertUtil utility to install the client certificate and create the store folder.

  6. Using pure credential provider mode: set VPNOption to 1 and KioskModeOption to 0. ChallengesOption, OTPOption and SmartCardOption can be set to 1 in any combination. The smart card option only works in corporate networks. This mode also uses a TLS connection with a client certificate when connected via the Internet, so set ClientCertificateSubject and ClientCertificateStoreName, and use the DPRCCertUtil utility to install the client certificate and create the store folder.

  7. The computer SID option can be used in both modes. It must be configured on both sides, DPRC and DPRS. When enabled, DPRC sends the long hostname and the computer domain name in each request, and the back end can verify them. (The original intention was to use the computer SID, but this was changed to the hostname because the computer SID from the DC is not stored locally on the computer; the name of the registry key was not changed.)
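A consistency check for the registry configuration described in the parameter list and in steps 2 to 6 above, as an added example that is not part of the DPRC package. The key names and the value constraints (exactly one policy source, SmartCardOption=0 in kiosk mode, FQDN hosts in the endpoint URLs, the upper-case substring match for RootCAIssuer) are taken from this document; the function names, the rule wording and the constructed $sample configuration are this example's own, and the assumption that DefaultOption holds one of the three option key names follows from its documented default value.

```powershell
# Added example, not part of the DPRC package: checks a DPRC registry configuration against
# the consistency rules stated in the documentation. Pass a hashtable to Test-DprcConfig to
# validate a prepared configuration offline, or Get-DprcConfig to read the installed client.
$DprcRegPath = 'HKLM:\SOFTWARE\Atos\Password Reset Client'

function Get-DprcConfig {
    # Reads all values under the DPRC key into a hashtable (name -> value).
    param([string]$Path = $DprcRegPath)
    $cfg = @{}
    foreach ($p in (Get-ItemProperty -Path $Path -ErrorAction Stop).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $cfg[$p.Name] = $p.Value }
    }
    return $cfg
}

function Test-DprcUrl {
    # The host in the endpoint URLs is matched against the server certificate DN, so it must
    # be an FQDN (no IP address, no short name) and, for the SPML endpoints, https.
    param([string]$Url, [switch]$AllowHttp)
    try { $u = [Uri]$Url } catch { return $false }   # placeholders such as host:port fail here
    if (-not $AllowHttp -and $u.Scheme -ne 'https') { return $false }
    return ($u.HostNameType -eq [UriHostNameType]::Dns) -and $u.Host.Contains('.')
}

function Test-DprcRootCaIssuer {
    # Mirrors the documented client check: a certificate in the computer's Trusted Root store
    # must have an issuer containing RootCAIssuer, both compared in upper case. An empty string
    # disables the check. Pass -Certificates to test without reading the live store.
    param([string]$IssuerSubstring,
          [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates = (Get-ChildItem Cert:\LocalMachine\Root))
    if ([string]::IsNullOrEmpty($IssuerSubstring)) { return $true }
    $needle = $IssuerSubstring.ToUpperInvariant()
    foreach ($c in $Certificates) { if ($c.Issuer.ToUpperInvariant().Contains($needle)) { return $true } }
    return $false
}

function Test-DprcConfig {
    # Returns the list of findings; an empty list means the configuration is consistent.
    param([Parameter(Mandatory)][hashtable]$Cfg)
    $f = New-Object System.Collections.Generic.List[string]
    $options = @('SmartCardOption', 'ChallengesOption', 'OTPOption')
    $enabled = @($options | Where-Object { [int]$Cfg[$_] -eq 1 })

    if (([int]$Cfg['UsePoliciesFromService'] + [int]$Cfg['UsePoliciesFromRegistry']) -ne 1) {
        $f.Add('Exactly one of UsePoliciesFromService and UsePoliciesFromRegistry must be 1')
    }
    if ($enabled.Count -eq 0) { $f.Add('At least one of SmartCardOption, ChallengesOption, OTPOption must be 1') }
    # DefaultOption names the option listed first; its documented default is "SmartCardOption".
    if ($enabled -notcontains [string]$Cfg['DefaultOption']) {
        $f.Add("DefaultOption '$($Cfg['DefaultOption'])' is not one of the enabled options")
    }
    if ([int]$Cfg['KioskModeOption'] -eq 1 -and [int]$Cfg['SmartCardOption'] -eq 1) {
        $f.Add('Kiosk mode requires SmartCardOption=0 (smart card only in pure credential provider mode)')
    }
    foreach ($n in 'EndpointURL', 'EndpointURLExternal') {
        if (-not (Test-DprcUrl ([string]$Cfg[$n]))) { $f.Add("$n must be an https URL with an FQDN host (no placeholder)") }
    }
    if (-not (Test-DprcUrl ([string]$Cfg['VerifyCorporateURL']) -AllowHttp)) { $f.Add('VerifyCorporateURL must be a URL with an FQDN host') }
    # Both modes use a client certificate when connected via the Internet.
    foreach ($n in 'ClientCertificateSubject', 'ClientCertificateStoreName') {
        if ([string]::IsNullOrEmpty($Cfg[$n])) { $f.Add("$n must be set (client-certificate TLS outside the corporate network)") }
    }
    if ([int]$Cfg['UsePoliciesFromRegistry'] -eq 1) {
        $min = [int]$Cfg['PwdMinCharLength']; $max = [int]$Cfg['PwdMaxCharLength']
        $classes = [int]$Cfg['PwdMinLowerChar'] + [int]$Cfg['PwdMinUpperChar'] + [int]$Cfg['PwdMinNumeric'] + [int]$Cfg['PwdMinNonAlphaNum']
        if ($min -gt $max) { $f.Add("PwdMinCharLength ($min) exceeds PwdMaxCharLength ($max)") }
        if ($classes -gt $max) { $f.Add("Required character classes ($classes) exceed PwdMaxCharLength ($max)") }
    }
    if (([string]$Cfg['InstallDir']).TrimEnd('\') -ne 'C:\Program Files\Atos\Password Reset Client') {
        $f.Add('InstallDir was changed from the documented default')
    }
    return ,$f.ToArray()
}

# Constructed sample (kiosk mode) with two deliberate mistakes: EndpointURL still holds the
# placeholder from the parameter list, and both policy-source flags are 1.
$sample = @{
    SmartCardOption = 0; ChallengesOption = 1; OTPOption = 1; DefaultOption = 'ChallengesOption'
    VPNOption = 1; KioskModeOption = 1; ComputerSIDOption = 1
    ClientCertificateSubject = 'CN=dprc-kiosk'; ClientCertificateStoreName = 'Atos Password Reset'
    EndpointURL = 'https://host:port/servlet-name/services/Spmlv2RequestService'
    EndpointURLExternal = 'https://reset.example.com:8443/provisioningServlet/services/Spmlv2RequestService'
    VerifyCorporateURL = 'http://intranet.corp.example.com'
    InstallDir = 'C:\Program Files\Atos\Password Reset Client\'
    UsePoliciesFromService = 1; UsePoliciesFromRegistry = 1
    PwdMinCharLength = 8; PwdMaxCharLength = 20
}
Test-DprcConfig -Cfg $sample | ForEach-Object { Write-Warning $_ }
if (-not (Test-DprcRootCaIssuer -IssuerSubstring 'Identity')) {
    Write-Warning 'No certificate in Trusted Root Certification Authorities has an issuer containing "Identity"'
}
# To check the installed client instead: Test-DprcConfig -Cfg (Get-DprcConfig)
```

Run against the sample, the script reports the two planted mistakes (the uncustomized EndpointURL placeholder, which is not even a parseable URI, and the two policy-source flags both set to 1). Run against the live registry after importing AtosPasswordResetClient.reg, it is a quick pre-flight check before the smoke test.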

DPRC Smoke Test

After DPRC is installed, logout or restart the system and press Switch user in the login screen. The DirX Password Reset logon tile should now be visible.

DPRC Troubleshooting

To resolve DPRC problems (no logon tiles displayed), reboot in safe mode. Safe mode activates only the built-in credential providers, so the logon UI is not influenced by any custom plug-ins. It is then possible to log in as usual and uninstall the DPRC application.

In case of errors, provide the DPRC log files located in C:\Windows\Temp (or the path defined by the system environment variable TEMP) or in C:\Users\Public\DirX Password Reset Client:

AtosPasswordResetClient.log and AtosPasswordResetClient-bak.log.

The client alternates between these two log files.

In the registry the configuration is located under the key HKEY_LOCAL_MACHINE\SOFTWARE\Atos\Password Reset Client.

For more logging, set LogLevel to DEBUG (the default is INFO) and switch back to INFO after troubleshooting.

The installation writes entries to the application event log. Look for the sources "AtosPasswordResetClient" and "MsiInstaller". For kiosk mode, two informational entries are created on success; for pure credential provider mode, one informational entry. Otherwise error entries are created.

DPRC Known Issues

Smart card option only: clients and the server machine should use time synchronization. If the client time (the creation timestamp of the request) is more than 60 seconds ahead of the server time, the request fails. Also note that a request expires 300 seconds after its creation timestamp.

DPRC 3rd Party Software Licenses

NSpring

The NSpring Framework for .NET

© 2003, Jeffrey Varszegi

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  • Neither the name of the NSpring project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission from the copyright owner.

  • No product derived from this software may be called "NSpring", nor may "NSpring" appear in the name of such a product, without specific prior written permission from the copyright owner.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Implementation Details

Smart Card Option

In smart card mode the following sequence of requests is sent to the back-end service:

  1. GetPasswordPolicy

  2. SetPassword

  3. Status (one or more times)

The first two requests are signed with the selected smart card certificate. The Status request is not signed.

The following identifying attributes are sent in the signed requests:

  • Domain\account as ts.dxrtsdomainname\dxrname from user input OR

  • UPN as principalName from user input if this is given

  • Serialnumber from the smart card as serialnumber (not configurable)

  • RFC822 name from the smart card as user.mail (not configurable)

  • Hostname (long form) and computer domain name as computer.machineSID, computer.domain if ComputerSIDoption in registry is enabled (obtained via Win32 API functions).

The Status request contains only the syncRequestID from the SetPassword request. No part of any request is encrypted at message level, so confidentiality of the new password relies entirely on the transport: in corporate networks server-authenticated TLS is used, in non-corporate networks TLS with a client certificate (mutual TLS).

Smart card mode does not need user entries in the provisioning domain, only accounts. The GetPasswordPolicy request returns, in this order and if available, the policy of the account, of the target system, or the default policy.

Authentication Question Option

In authentication question mode the following sequence of requests is sent to the back-end service:

  1. GetChallenges

  2. CheckChallengeResponses (this contains in the response also the password policies)

  3. SetPassword

  4. Status (one or more times)

No request is signed.

The following identifying attributes are sent in the requests:

  • Domain\account as ts.dxrtsdomainname\dxrname from user input OR

  • UPN as principalName from user input if this is given

  • Hostname (long form) and computer domain name as computer.machineSID, computer.domain if ComputerSIDoption in registry is enabled (obtained via Win32 API functions).

  • Challenges and responses in the CheckChallengeResponses and SetPassword request.

The Status request contains only the syncRequestID from the SetPassword request. No part of any request is encrypted at message level; as in smart card mode, server-authenticated TLS is used in corporate networks and TLS with a client certificate in non-corporate networks.

Authentication question mode needs user entries in the provisioning domain, so the drxUserLink attribute of the account must be set and link to a user. The challenges and responses are stored at the user. The CheckChallengeResponses request returns, in this order and if available, the policy of the user, of the target system, or the default policy.

Mobile OTP Option

In mobile OTP mode the following sequence of requests is sent to the back-end service:

  1. SendOTP (this contains in the response also the password policies)

  2. SetPassword

  3. Status (one or more times)

No request is signed.

The following identifying attributes are sent in the requests:

  • Domain\account as ts.dxrtsdomainname\dxrname from user input OR

  • UPN as principalName from user input if this is given

  • Hostname (long form) and computer domain name as computer.machineSID, computer.domain if ComputerSIDoption in registry is enabled (obtained via Win32 API functions).

  • OTP password in the SetPassword request.

The Status request contains only the syncRequestID from the SetPassword request. No part of any request is encrypted at message level; as in the other modes, server-authenticated TLS is used in corporate networks and TLS with a client certificate in non-corporate networks.

Mobile OTP mode does not need user entries in the provisioning domain, so the drxUserLink attribute of the account may, but need not, link to a user. The hashed OTP is stored at the account. The SendOTP request returns, in this order and if available, the policy of the account, of the target system, or the default policy.

DPRS Configuration

DPRS Prerequisites

  • AD target systems with imported AD accounts that should support the DPRC. If the authentication questions mode is used, the accounts must have a user link and the user should have configured authentication questions.

  • AD password reset workflows bound to the above target systems. For clustered set-password workflows, the AD target system should have the connector configuration parameter "check_password_history" set to true, so that the AD policy is observed.

DPRS Configuration

The server-side configuration depends on which DPRC options are configured (smart card option, authentication questions option, OTP option). Perform the general steps and then the steps for each configured option.

General steps:

  • Configure the provisioning servlet on Tomcat with TLS (SSL).

  • In the Tomcat installation folder create a text file named dxi.cfg with the content:
    cache.update=timestamp

  • Adjust the following configuration files under install_path\provisioningServlet\WEB-INF. See "SPML Provisioning Web Services" in the Integration Framework Guide for more information:

    • accountsContext.xml

    • applicationContext.xml

    • server-config.wsdd

    • config.xml

    • identifierMatcherConfig.xml

    • classes\crypto.properties and classes\password.properties

  • Configure the trust store path in install_path\provisioningServlet\WEB-INF\classes\crypto.properties (key name org.apache.ws.security.crypto.merlin.file). Ensure that the trust store contains the CA certificate (or chain of CA certificates) of the user's smart card certificate used to sign the password reset requests. The key org.apache.ws.security.crypto.merlin.load.cacerts must be set to false even if the JRE cacerts file is used.

  • Configure the trust store password in install_path\provisioningServlet\WEB-INF\classes\password.properties as signatureTruststore=<password>

  • Uncomment the element tags for the WsTrustHandler in install_path\provisioningServlet\WEB-INF\server-config.wsdd:
    <handler type="java:com.siemens.idm.service.provisioning.wssecurity.WsTrustHandler">
      <parameter name="signatureIsOptional" value="true"/>
      <parameter name="action" value="Signature Timestamp"/>
      <parameter name="signaturePropFile" value="crypto.properties"/>
    </handler>
    signatureIsOptional must be true even if only the smart card option is used, because the Status request is not signed in either option. With this setting the handler accepts unsigned requests, so the match rules in identifierMatcherConfig.xml (next step) are essential.

  • The file install_path\provisioningServlet\WEB-INF\identifierMatcherConfig.xml must be present and should contain match rules (without them the signing certificate is not matched against the requested account, which is a security issue). The predefined match rules are email address and serial number (GID).

Authentication questions steps:

  • Maintain the number of returned challenges in the parameter "numberOfChallenges" of <bean id="GetChallengesAccountsHandler"…>, and the parameter "minimumNumberOfResponses" in the sections <bean id="CheckChallengeResponsesAccountsHandler"…>, <bean id="SetPasswordAccountsHandler"…> and <bean id="GetPasswordPolicyAccountsHandler"…> in the file install_path\provisioningServlet\WEB-INF\accountsContext.xml. The number must be the same in all sections.

Mobile OTP steps:

  • Configure the OTP parameters in install_path\provisioningServlet\WEB-INF\accountsContext.xml: the policy of the one-time password (character sets, length), the time-to-live attribute, the name of the attribute that holds the mobile number, and the localization placeholder for the content of the text message.

  • Configure the SMS gateway plug-in for the Send Text Message workflow.

Smart card steps:

  • Copy the additional jar file xalan-2.7.1.jar to the folder install_path\provisioningServlet\WEB-INF\lib. The file xalan-2.7.1.jar is provided in the folder install_path\provisioningServlet.org\endorsed\extralib. Note that a deployment with this extra jar file cannot be used for other, non-DPRC-specific SPML services.

Other Identity-related customizations are outside the scope of this document.