
KB-7427: Configuring Self-Service settings in Cloud Manager

Centrify Identity Service, App Edition; Centrify Identity Service, App Plus

1 September,16 at 05:44 AM

Applies to: Centrify Identity Service, App Edition

Question:

How can I configure Self-Service settings for password reset & account unlock in Centrify Identity Service?

Answer:

Self-Service account unlock and password reset can be configured by using the "Self-Service" user security policy in Cloud Manager.  To configure this policy:
  1. Navigate to Cloud Manager > Policies > select a policy, or create a new one > User Security Policies > Self Service
    1. Password Reset:
      1. To enable password reset, click the box next to "Enable password reset", and configure the necessary options:
        1. Allow for Active Directory Users:
          1. This checkbox enables the feature for AD users
        2. Only Allow from browsers with identity cookie:
          1. This checkbox prohibits password reset from browsers that haven't been used to access the Identity Service previously.
        3. Password Reset Authentication Profile:
          1. This setting determines which profile is used to perform the password reset function.  Authentication profiles specify which factors can be used to reset a password (e.g., phone call, SMS, Mobile Authenticator, email, etc.).  Either select an existing profile, or create a new one for this purpose.
    2. Account Unlock:
      1. To enable account unlock, click the box next to "Enable Account Unlock", and configure the necessary options:
        1. Allow for Active Directory Users:
          1. This checkbox enables the feature for AD users
        2. Only Allow from browsers with identity cookie:
          1. This checkbox prohibits account unlock from browsers that haven't been used to access the Identity Service previously.
        3. Account Unlock Authentication Profile:
          1. This setting determines which profile is used to perform the account unlock function.  Authentication profiles specify which factors can be used to reset a password (e.g., phone call, SMS, Mobile Authenticator, email, etc.).  Either select an existing profile, or create a new one for this purpose.
    3. Active Directory Self Service Settings:
      1. This setting is required for self-service to work with Active Directory users.  This setting specifies which credentials are going to be used to perform the self-service function in Active Directory.  Without configuring these settings, self-service for AD users will fail.  There are two options that can be used:
        1. "Use cloud connector running on privileged account":
          1. By default, upon installation of the cloud connector, the Centrify cloud connector service runs as "Local System" on the server it's installed on.  This account does not have the proper permissions to perform self-service actions.  There are two ways to grant the connector proper permissions:
            1. Specifying an alternate account to run the cloud connector service:
              1. Navigate to the server that the cloud connector is installed on.
              2. Click Start > Run > and type "services.msc"
              3. Find the Centrify Cloud Connector service > Right Click > Properties > Log On Tab
              4. Click the radio button "This Account", and enter the credentials of an account with the proper permissions
              5. Restart the Centrify Cloud Connector service
            2. Granting the local system rights to perform self-service actions:
              1. Create a security group in Active Directory
              2. Grant the security group the necessary permissions to perform self-service actions
              3. Add the connector's computer object to the security group in Active Directory
              4. Restart the Centrify cloud connector service
        2. "Use these credentials":
          1. Enter the credentials of an AD account that has the proper permissions to perform self-service actions.
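
The "Granting the local system rights" procedure above, sketched in PowerShell as an added example that is not taken from this article or from Centrify documentation. The group, server and OU names are hypothetical, and the delegated rights (Reset Password, and read/write of lockoutTime, on user objects in one OU) are an assumption about what "necessary permissions" covers; confirm them against the Cloud Manager documentation.

```powershell
# Added example: scope the connector's rights to one OU instead of a privileged account.
# Run as an AD administrator on a host with the RSAT ActiveDirectory module and dsacls.exe.
Import-Module ActiveDirectory

$GroupName     = 'SelfService-Delegates'              # hypothetical group name
$ConnectorHost = 'CONNECTOR01'                        # hypothetical connector server
$GroupOu       = 'OU=Service Groups,DC=example,DC=com' # hypothetical: where the group lives
$UserOu        = 'OU=Staff,DC=example,DC=com'          # hypothetical: users allowed self-service

# Step 1: create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}

# Step 2: delegate only the assumed self-service rights, only on user objects under $UserOu.
# ${Principal} needs braces: "$Principal:CA" would be parsed as a scoped variable name.
$Principal = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
$Grants = @(
    "${Principal}:CA;Reset Password;user",   # extended right used for password reset
    "${Principal}:RPWP;lockoutTime;user"     # read/write lockoutTime, used for account unlock
)
foreach ($Grant in $Grants) {
    # /I:S applies the entry to child objects only; /G grants the listed permission.
    dsacls.exe $UserOu /I:S /G $Grant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for: $Grant" }
}

# Step 3: add the connector's computer object to the group.
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $ConnectorHost)

# Step 4: restart the connector service on the connector server (requires PowerShell remoting).
# The wildcard matches the display name used in this article; check the exact name in services.msc.
Invoke-Command -ComputerName $ConnectorHost -ScriptBlock {
    Get-Service -DisplayName '*Centrify*Connector*' | Restart-Service
}

# Check: list the entries now held by the group on the OU and review them for excess rights.
dsacls.exe $UserOu | Select-String -SimpleMatch $GroupName
```

The final command prints the group's entries on the OU, so the delegation can be reviewed before self-service is enabled in the policy.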
Additional Considerations:
Note: The above links are provided as a courtesy, and are not managed by Centrify.
  • As a best practice, always follow least access/privilege management: do not grant more rights than are required to perform a specific action.
Additional Resources:
  • To see a video on configuring self-service account unlock, please see this Centrify Community Article:
    • http://community.centrify.com/t5/Community-Tech-Blog/Video-Centrify-Identity-Service-Tech-Tip-Enable-Self-Service/ba-p/22393
  • To read more about the self-service settings or authentication profiles, please see the Cloud Manager documentation here:
    • https://docs.centrify.com/en/centrify/adminref/index.html?version=109#page/cloudhelp%2FScenario_selfService.2.html
