Configuring Windows 2012 server to enable Active Directory password reset
To enable users to reset their passwords, you must configure the Windows 2012 server as a Certificate Authority (CA). After the server is configured as a CA, the FootPrints server can process the password reset requests raised by customers, and system administrators can fulfill those requests. For more information, see Configuring-password-reset.
BMC recommends that you install the stand-alone CA on a member server or a domain controller on your internal network. This enables the stand-alone CA’s certificate to be placed automatically into the Trusted Root Certification Authorities certificate store for all users and computers.
After you configure the Windows server to authenticate, perform the following procedures to configure the Windows 2012 server as a CA so that users can reset their passwords:
- Installing Microsoft Internet Information Services World Wide Web Service
- Installing Microsoft Certificate Services
- Requesting a certificate
- Exporting a certificate
Installing Microsoft Internet Information Services World Wide Web Service
Perform the following steps to install IIS7 on the Windows Server 2012 computer. The computer can be a standalone server, a member server in an Active Directory domain, or a domain controller.
- Navigate to Start > All Programs > Administrative Tools > Server Manager.
- From the Manage menu, select Add Roles and Features.
- In the Installation Type section, select an appropriate option:
  - Role-based or Feature-based Installation
  - Remote Desktop Service Installation
- In the Server Selection section, select the appropriate server to install roles and features.
- In the Server Roles section, select Web Server (IIS) and click Next.
- In the new pop-up window, select the Include management tools (if applicable) check box, click Add Features and then click Next.
- In the Web Server Role (IIS) section, click Next.
- To select roles to install, click Next.
- Select the Web Server (IIS) check box in the list.
  The Add Roles Wizard notifies you of any required dependencies; since IIS depends on the Windows Process Activation Service (WAS) feature, a pop-up window is displayed.
- Click Add Required Role Services.
  Note: Alternatively, the button might be labeled as Add Required Features.
- In the Features section, select the appropriate features that you want to install and click Next.
  Some features and services might be preselected.
- An introduction to the Web Server is displayed. Click Next to continue.
  The wizard shows a list of IIS7 features/services available to install. Some features/services might be preselected.
- In the confirmation screen, a list of selected settings is displayed. To proceed with the installation, click Install.
After the installation is complete, an Installation Results page is displayed. Click Close to conclude the installation of IIS7.
Installing Microsoft Certificate Services
- Log on as a domain administrator at a member server or domain controller in your internal network.
- Navigate to Start > All Programs > Administrative Tools > Server Manager.
- From the Manage menu, select Add Roles and Features.
- In the Server Roles section, select the Active Directory Certificate Services option and click Next.
- In the Role Services section, select Certification Authority Web Enrollment and click Next.
- In the Confirmation section, click Install.
- After the installation is complete, open the Server Manager, click
.
- Click Configure Active Directory Certificate Services on the server and then click Next.
- In the Role Services section, select the Certification Authority and Certification Authority Web Enrollment check boxes, and click Next.
- In the Setup Type section, select the Enterprise CA option and click Next.
- In the CA Type section, select the Root CA option and click Next.
- In the Private Key section, select the Create a new private key option and click Next.
- In the Cryptography for CA section, you can configure the optional configuration settings, such as including cryptographic service providers. However, for this purpose you can accept the default values and click Next.
- In the CA Name section, in the Common name for this CA, accept the default value or type a common name. The Distinguished name suffix is populated with a default value. To continue, click Next.
- In the Set Validity Period section, accept the default value or choose a different period and click Next.
- For the CA Database section, specify a location or accept the default value. Click Next to display the confirmation page.
- Click Configure.
- To conclude the installation of certificate services, click Close.
- To install the Online Responder service, perform the following steps:
  The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding the revocation status requests for specific certificates and sending back a signed response containing the requested certificate status.
  - Navigate to Start > All Programs > Administrative Tools > Server Manager.
  - From the Manage menu, click Add Roles and Features.
  - From the Server Roles, click Active Directory Certificate Services and select the Online Responder check box and click Next.
  - In the confirmation section, click Install.
  - To conclude the installation, click Close.
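The IIS and Certificate Services installation procedures above can also be scripted, which makes the chosen role services and CA type reviewable and repeatable. The following PowerShell is an added example, not part of the BMC documentation; it assumes an elevated session under a domain administrator account and leaves every CA setting the steps accept by default (provider, CA name, validity period, database location) at its default.

```powershell
# Added example: scripted form of the wizard steps above.
# Assumes an elevated PowerShell session run as a domain administrator.
Import-Module ServerManager

# Role services named in the procedures: IIS, Certification Authority,
# Certification Authority Web Enrollment, and Online Responder.
$features = 'Web-Server', 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'ADCS-Online-Cert'

$install = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $install.Success) {
    throw "Role installation failed with exit code $($install.ExitCode)"
}
if ($install.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server before configuring Certificate Services.'
}

# Enterprise CA, Root CA, new private key: the choices made in the
# Setup Type, CA Type and Private Key sections. -Force suppresses the prompt.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -Force
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# Confirm what is now installed and that the CA service is running.
Get-WindowsFeature -Name $features | Select-Object Name, InstallState
Get-Service -Name CertSvc | Select-Object Name, Status
```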
Requesting a certificate
- Navigate to Start > Run.
- Type mmc and click OK.
- From the File menu, click Add/Remove Snap-in and click Add.
- From the Available Snap-ins list, double-click Certificates.
- In the Certificates snap-in window, select the Computer account option and click Next.
  This snap-in manages the certificates for the local computer.
- In the Select Computer window, select the Local computer option and click Finish.
- Click OK.
- In the console tree, navigate to Certificates (Local Computer) > Personal.
- To start the Certificate Request Wizard, from the Actions menu, navigate to More Actions > All Tasks > Request New Certificate.
- On the Request Certificates screen, click Next.
- Select the Domain Controller Authentication option and click Enroll.
- On the Certificate Installation Results window, click Finish.
Exporting a certificate
- Navigate to Start > Run.
- Type mmc and click OK.
- From the Certificates console, expand Personal, and click Certificates.
  The certificates appear in the window. The first certificate, which has the Intended Purposes of <All>, needs to be exported.
- Click the certificate to highlight it, and then from the Actions menu select All Tasks > Export.
- On the Certificate Export Wizard window, click Next.
- Ensure that the No, do not export the private key option is selected and click Next.
- Select the BASE-64 encoded X.509 (.CER) option and click Next.
- Select a path and file name for the certificate, and click Next.
- Click Finish.
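Before the exported file is copied to another server, it is worth confirming that it is what the export steps intend: a single Base-64 X.509 certificate with no private key. The following PowerShell check is an added example, not part of the BMC documentation; the function name `Test-ExportedCertificate` and the path in the usage comment are hypothetical.

```powershell
# Added example. Pass the file name chosen in the Certificate Export Wizard.
function Test-ExportedCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    [string]$text = Get-Content -LiteralPath $full -Raw
    $problems = @()

    # A Base-64 X.509 export is PEM text; collect the label of every block.
    $labels = @([regex]::Matches($text, '-----BEGIN ([A-Z0-9 ]+)-----') |
        ForEach-Object { $_.Groups[1].Value })

    if ($labels.Count -ne 1 -or $labels[0] -ne 'CERTIFICATE') {
        $problems += "Expected one CERTIFICATE block, found: '$($labels -join ', ')'"
    }
    if ($labels -match 'PRIVATE KEY') {
        $problems += 'File contains a private key block'
    }

    # Parse with .NET. A PFX without a password also loads here, so the
    # HasPrivateKey check catches a wrong export format as well.
    $cert = $null
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    } catch {
        $problems += "Not a parsable certificate: $($_.Exception.Message)"
    }

    if ($cert) {
        $now = Get-Date
        if ($cert.HasPrivateKey) { $problems += 'Certificate carries a private key' }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
        }
    }

    [pscustomobject]@{
        Path       = $full
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholder path): Test-ExportedCertificate -Path 'C:\Temp\exported.cer'
```

Compare the reported thumbprint with the one shown for the certificate in the Certificates console to confirm that the intended certificate was exported.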