Allow me to introduce you to Bamboo's password trio -
Password Change Web Part: Very similar to Microsoft Windows based Change Password interface.

By default, the currently logged-in user is automatically entered in the Domain and Account fields. The user then enters their current password along with their new password. On the right side of the Web Part, the SharePoint administrator can define helper text to be displayed to the end user. In this case we wrote the password policy rules along with a contact for further assistance. The final component of the Password Change Web Part is the text at the bottom of the page. This text displays two components: when the current password will expire (currently shown), and how long the user has to wait until they can change their password again (not shown). The first component is driven by the Maximum Password Age as defined in the user store. The second component is based on the Minimum Password Age as defined in the user store.
Password Expiration Web Part: A proactive product that informs users if their current password is about to expire soon. There are 3 modes of the product -
- NT Scheduler: runs an NT Service in the background against Active Directory to locate all users whose passwords are about to expire and then sends an e-mail notifying them to change their passwords soon.
- The Web Part has 2 other modes:
  - Text notification on a Web Part Page: You can add the Web Part to a Web Part Page (for example, the Home page of the SharePoint Portal) and, when the password is about to expire in x days, display text informing the user of the expiration. You can also provide a link to a Web Part Page that contains the Bamboo Password Change Web Part to allow the user to change their password prior to the expiration.
  - Immediate redirection of the user: Some users, like me, are very stubborn and will wait until the very last moment before changing their password. To reduce the chance of the password expiring before it is changed, you can configure the Web Part to automatically redirect the user to the Password Change Web Part if their password expires in x days.
Password Reset Web Part: Provides the ability to allow users to reset their own passwords based on one of the following 2 options: E-mail confirmation or Security Questions.
- When driving the Password Reset Web Part in E-mail Confirmation mode, the user will be presented with the following interface:

  Here the user would enter their user name and their e-mail address that matches the e-mail address configured in SharePoint. When they click Submit, an e-mail confirmation is sent to the provided e-mail address. Inside the body of the e-mail is a confirmation link the user would click. The Password Reset Web Part would send a final e-mail to the same address that contains their new password.
- When driving the Password Reset Web Part in Security Question mode, the user will be presented with the following interface:

  The user would enter their user name then answer each question asked. The SharePoint Administrator can define up to 3 questions to display to the end user. The answers are then compared to defined Active Directory attributes. If the user answered all the questions correctly, then the Web Part will display the new password on the screen. This is useful for companies that use their Exchange accounts to access SharePoint also.
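The two dates the Password Change Web Part text reports, and the "expires in x days" decision of the Password Expiration Web Part, can be worked through as follows. This is an added example, not Bamboo's code: it assumes the user store is Active Directory and uses the AD attributes pwdLastSet, maxPwdAge, minPwdAge and userAccountControl; the function names and the `warn_days` parameter are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# AD timestamps are 100-nanosecond ticks since 1601-01-01 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag
NO_MAX_AGE = (0, -(2 ** 63))     # maxPwdAge values meaning "never expires"


def ticks_to_datetime(ticks):
    return AD_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_ticks(dt):
    return ((dt - AD_EPOCH) // timedelta(microseconds=1)) * 10


def password_status(pwd_last_set, max_pwd_age, min_pwd_age, uac, now, warn_days):
    """Expiry date, earliest next change, and the notice action (hypothetical helper)."""
    if pwd_last_set == 0:
        # pwdLastSet = 0: the user must change the password at next logon.
        return {"expires": None, "can_change_from": None, "action": "must_change"}
    last_set = ticks_to_datetime(pwd_last_set)
    # maxPwdAge and minPwdAge are stored as negative tick counts.
    can_change_from = last_set + timedelta(microseconds=abs(min_pwd_age) // 10)
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NO_MAX_AGE:
        return {"expires": None, "can_change_from": can_change_from, "action": "none"}
    expires = last_set + timedelta(microseconds=abs(max_pwd_age) // 10)
    if expires <= now:
        action = "expired"
    elif expires - now <= timedelta(days=warn_days):
        action = "notify"      # show the text notice or redirect to the change page
    else:
        action = "none"
    return {"expires": expires, "can_change_from": can_change_from, "action": action}


# Constructed sample: password set 2008-04-01, 42-day maximum age, 1-day minimum age.
SAMPLE_SET = datetime_to_ticks(datetime(2008, 4, 1, tzinfo=timezone.utc))
SAMPLE_NOW = datetime(2008, 5, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(password_status(SAMPLE_SET, -42 * TICKS_PER_DAY, -1 * TICKS_PER_DAY,
                          0x200, SAMPLE_NOW, warn_days=14))
```

The domain-wide maxPwdAge and minPwdAge are read from the domain object; where fine-grained password policies are in use, the values that apply to a given user can differ from the domain defaults.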
Now that I have introduced the password trio to you, let me explain how you can have them work for you! One of the biggest headaches that the Solutions Group hears from the IT Admins is that SharePoint does not handle expired or forgotten passwords. In both cases, when the user tries to log in, they are prompted three times for login credentials and then sent to a standard IIS 401.1 error page that says "You are not authorized to view this page." There is no interface saying they entered an invalid user name or password, and no message saying their password expired, so what do they do? They call the helpdesk. As a result, many companies have removed the Maximum Password Age for their external users, to their dislike.
Building a Password Management Solution
Utilizing the power of our password Web Parts mentioned above, Bamboo has developed a system to make end users more self-sufficient, reducing the load on IT Admins. The methodology is that the standard IIS 401.1 error page is substituted with a custom HTML page. When the user fails to log in because of either an incorrect user name/password or an expired password, they can click on a link to either reset their password or change it. Below I will describe the process of creating a complete password management solution:
- The first step is to create a SharePoint site that has anonymous access turned on. This site can exist in either an existing Web Application or an independent Web Application. The anonymous site will provide access to both the Password Change Web Part and Password Reset Web Part to all users even though they are unable to log in. See this link for more details on creating an anonymous site: http://technet.microsoft.com/en-us/library/cc263363.aspx.
- The next step is to create 2 Web Part Pages in the anonymous site. On the first page you will add the Password Reset Web Part. Refer to the application notes of the Password Reset Web Part on how to configure it, but one item to note in particular applies if you are running the Web Part in E-mail confirmation mode. In order for the Web Part to confirm you are who you say you are, it needs to connect to a user list. Since the anonymous site does not contain your users' profiles, you need to tell the Web Part where to look instead. In the Web Part tool pane, there is a field called Web Service URL. The provided URL allows us to access the SharePoint User and Group web service. Notice in the example URL above that there are 2 major components, http://localhost and /_vti_bin/UserGroup.asmx. The component http://localhost is the path to your main SharePoint site excluding the .asmx page (commonly default.asmx). The /_vti_bin/UserGroup.asmx is the web service path; simply append this to your SharePoint site path.
- After successfully configuring Password Reset Web Part on one of the Web Part Pages, add Password Change Web Part to the other Web Part Page. Utilizing the application notes that accompany the product, configure Password Change Web Part to your desire.
- The next step is to create a replacement landing page for the users to hit instead of the standard IIS 401.1 error page. This replacement landing page is an HTML page. I have attached to this blog a visual example in a PDF document (the attachment can be found at the bottom of this blog called Landing Page.PDF). After you have built your replacement landing page, do the following steps -
  - Move the HTML page and all referencing files to some location on the SharePoint Front End Web Server.
  - Open Internet Information Services (IIS) Manager, expand the Web Sites folder, then right click on the SharePoint site where the users are attempting to log into (commonly SharePoint - 80) and select Properties.
  - In the Properties window, select the Custom Errors tab and select the row where HTTP Error is 401;1.
  - Click on the Edit button and browse to the location of the htm or html file that you created for the landing page.
  - Say OK to the Edit Custom Error Properties window and the Properties window.
  - Reset IIS.
- If you are planning to set a Maximum Password Age on the users' password, we suggest you implement Password Expiration Web Part on the home page of the SharePoint site. When the users hit the page, based on the configuration of the Web Part, they will see when their password will expire and a link to the Web Part page where Password Change Web Part exists.

You have now created a complete password management solution!
Posted May 06 2008, 07:00 PM by Jeff Kozloff
Jeff originally joined Bamboo Solutions in June of 1999 as a part-time Test Engineer (basically a gopher). He continued with Bamboo as a part-time tester while obtaining his Bachelor of Science in Computer Science degree at Longwood University. Upon graduation in 2004, Jeff accepted a full-time position at Bamboo as a Helpdesk Specialist and became Manager of the Helpdesk team in 2006. From October of 2007 until present, Jeff has served as Project Manager in the Solutions group, bringing his in-depth technical knowledge of SP to Bamboo's customers.