How to Perform Self-serve Password Reset using the Windows Login Integration Client – Pleasant Password Reset Server

This feature is very useful when you have completely logged off your Windows PC and would like to reset your password.

Here are the steps to complete this.
– Install the Windows Login Integration Client
– After successfully installing this application, a “Password Reset” option will be displayed close to your username on the logon screen.

– Click on the Password Reset button as shown in the image above. This will prompt a web page as shown below.
– Simply disregard the certificate warning and click on continue to proceed.

– Enter your Domain username here and click on proceed to the Security Questions

– As shown below, give the answers to the Challenge Certificate that you set up during the enrolment process.

Note: A minimum of two correct answers is required.

– In the step below, click on Save ONLY and proceed to the next step.

– Enter the digits from Microsoft or Google Authenticator as shown below and click on Save.

– This will display a new Password Change window as shown below.

Enter the new Password

– Click on Password Change. After a successful password change, the screen below will be displayed.

Note: To have the Password changed, you must be in compliance with the Password Policy. Also bear in mind you cannot change your password twice within 24 hours. This is due to the configured GPO.
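To see when an account may next change its password, the following added example (not part of the original post) reads the policy that applies to a user. It assumes the 24-hour limit comes from the minimum password age setting, that the ActiveDirectory RSAT module is installed, and uses `jdoe` as a placeholder account name.

```powershell
# Added example, not from the original post. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-NextPasswordChangeTime {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet

    # A fine-grained password policy (PSO), if one applies, overrides the domain default.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $Identity
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }

    # PasswordLastSet is empty when the account must change its password at next logon.
    $earliest = if ($user.PasswordLastSet) {
        $user.PasswordLastSet + $policy.MinPasswordAge
    } else {
        Get-Date
    }

    [pscustomobject]@{
        User              = $user.SamAccountName
        PolicySource      = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
        MinPasswordAge    = $policy.MinPasswordAge
        MinPasswordLength = $policy.MinPasswordLength
        ComplexityEnabled = $policy.ComplexityEnabled
        PasswordLastSet   = $user.PasswordLastSet
        EarliestChange    = $earliest
        CanChangeNow      = (Get-Date) -ge $earliest
    }
}

Get-NextPasswordChangeTime -Identity 'jdoe'
```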

How to Perform Self-Service Password Reset Enrolment – Pleasant Password Manager

Before proceeding to have your password reset, users must first enroll in order to use the Self Service Active Directory Reset.

Users are not considered enrolled until they have fully set up Two Factor Authentication (2FA) and have answered all the reset challenge questions as well. When you are logged in and not yet enrolled, the following link (banner) will be displayed as shown below.

Reset User Self Enrolment

Kindly follow these steps to complete your enrolment.

  1. Click on this link and complete your enrolment.
  2. Set up Two Factor Authentication (2FA)
  3. Answer the Challenge-Response questions

Note: After completing these tasks, if you wish to update your basic information or Challenge questions, or to change (modify) your Two-Factor Authentication, please follow the steps below:

  • Click on your username
  • Click on Manage Account from the drop-down list.

User Enrolment

Upon logging in with your Active Directory User Account, the following banner will be displayed as earlier discussed.
– Click on the link as shown below

– This will open up the required configuration window as shown below.

– Click on enable two-factor provider and click on configure as shown below. Note: This step has to be completed first before proceeding to answer the challenge questions or else it will fail.

  • Currently, the Two-factor Authentication status shows Disabled. Click on Configure as shown above and enter the Configuration QR Code in your desired Authentication App.

    Here I am using Microsoft Authenticator; you can also use Google Authenticator, etc.

Note: You need to have one of these authenticators already installed to perform this operation. Here are the steps for setting up Microsoft Authenticator. If you already have this set up, kindly skip this part.

- Launch the Microsoft Authenticator app
- Tap the three-dot menu button
- Select Add Account
- Click on Other accounts (Google, Facebook, etc.)
- Since we do not have the QR code to scan, we will have to type this in manually.
- Click on Enter the Code Manually.
- Set the Account name:
- Enter “The Secret Key”: this is the value for this user as shown in the image above, ENXXXXXXXXXXXXXXXXXXXX2E4TM
- Click on Finish. If successful, this message will be displayed.

Next, enter the 6-digit token generated by the Microsoft Authenticator app as shown below

– Next click on Verify. This will display the next window below showing the Authentication Application is Configured Correctly and the status changed from Disabled to Enabled.

Next would be to set and answer the Challenge Questions (currently configured to require a minimum of two of the three questions to be answered).

  • Enter your desired answers as shown below
  • Then click on Save.

Now you are fully enrolled as a Reset Password User and can reset your password using any of the steps discussed in the next chapter (below).
This will also remove the warning that you are not enrolled yet.

Pleasant Password MSSQL SSO

The MSSQL SSO Server allows users to access SQL Server databases through SQL Server Management Studio without the password ever being on their machine.

Steps in implementing this for MSSQL SSO Server

  • Ensure this function is turned on on the Password Server
  • Click on SSO Server
  • Click on SSO Status
  • Switch on the MSSQL SSO Server by clicking on MSSQL SSO Server and turning it on.

Follow the steps documented in the link below for further setup. (I did not implement this functionality further as it wasn’t applicable to me, because I was using a username and password to access our database instances.) https://info.pleasantsolutions.com/Documentation/Pleasant_Password_Server/H._Proxy_Server/MSSQL_SSO_Server

This was not resolved because the connection seems to work, but the authentication method I tried to use is not supported by the database instances and therefore did not work. I was trying to connect using a Domain Account and this was not supported.

Microsoft Authenticator Setup

Download and install an authenticator app from your mobile device’s app store. Some options include Google Authenticator, Microsoft Authenticator, and Authy.

Set up a new account using the QR code, then verify the configuration by entering the code that the authenticator app provides. Press the Verify button before the code expires.

Note: You need to have one of these authenticators already installed to perform this operation. Here are the steps for setting up Microsoft Authenticator. If you already have this set up, kindly skip this part.

- Launch the Microsoft Authenticator app
- Tap the three-dot menu button
- Select Add Account
- Click on Other accounts (Google, Facebook, etc.)
- Since we do not have the QR code to scan, we will have to type this in manually.
- Click on Enter the Code Manually.
- Set the Account name: Here I used PleasantReset
- Enter “The Secret Key”: this is the value for this user as shown in the image above, ExxxxMKxxxxxxxxxx2xxxxxM
- Click on Finish. If successful, this message will be displayed.

Errors associated with Pleasant Password RDP SSO and SSH SSO

Error One: Wrong username or password when authenticating with the target server

Solution
I was connected to the password server with a different credential (Administrator) and I wanted to open or initiate an SSO RDP connection with my username. This did not work as it tried using the default administrator credential.

- What I did was to log out of the Administrator account
- Logged in with my regular account
- Tried initiating an RDP connection and this worked

Second error: Claims regeneration because mismatch detected

There are a whole lot of answers to this problem but trust me in this case, they are not applicable.

Explanation: This error means that the server you are trying to connect to has Network Level Authentication (NLA) activated.
– Unfortunately, the RDP protocol version used in PPS does not support NLA, so you would need to switch off NLA on the destination server in order to be able to connect.

Solution: I resolved this issue by using the default port of 7070 and not the RDP default port of 3389.
Note: You may have to create firewall rules in the VM and also on the firewall to allow this connection.
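To confirm which of the conditions above applies before changing anything, the following added example (not part of the original post) reports the NLA setting, the RDP listener port, and the firewall coverage for a port. It is read-only, is meant to be run elevated on the destination server, and takes the value 7070 from the solution above as a variable you can change.

```powershell
# Added example, not from the original post. Read-only checks; nothing is modified.
$port = 7070   # port mentioned in the solution above; change it to the port you actually use

# NLA state of the RDP listener: 1 means NLA is required, 0 means it is not.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# TCP port the RDP listener itself is bound to (3389 unless it was changed).
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey).PortNumber

# Is any process listening on the port being checked?
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

# Enabled inbound allow rules that name this port explicitly.
# Rules written as a range (for example 7000-7100) or as 'Any' are not matched here.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

[pscustomobject]@{
    NlaRequired       = [bool]$ts.UserAuthenticationRequired
    RdpListenerPort   = $rdpPort
    CheckedPort       = $port
    PortListening     = $listening
    InboundAllowRules = @($rules.DisplayName)
}
```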

Using Pleasant Password RDP SSO

Step 1: Install the RDP SSO client and SSO Server Root Certificate. Prior to connecting to the RDP SSO Server, you must first install the “SSO Server Root Certificate” and the “RDP SSO Client”.

The “SSO Server Root Certificate” is needed to avoid browser warnings and errors when connecting to https sites.
– Download and install this certificate as a Trusted Root Certification Authority.
– Also, the RDP SSO server can be accessed by downloading and installing the RDP SSO client.

These two setups (installers) can be found under
– SSO Server in the menu bar
– Navigate and click on SSO Server Status and
– Download both “SSO Server Root Certificate” and the “RDP SSO Client”
– Then install on your work station.

Note: To install the SSO Server Root Certificate “ProxyRoot Certificate”, you may require elevated administrative rights.
– After a successful installation, a dialog window confirming that the certificate was successfully imported will appear.
– Under the certification path of the installed certificate, it will show the certificate as not trusted, because it has not yet been placed in the Trusted Root Certification Authority.

While placing this certificate in a certificate store, you will be prompted with a security warning that you are trying to install a certificate from a certification authority (CA) claiming to represent bla bla bla 🙂

Click on Yes to proceed. The certificate will be successfully imported and the warning will go away.

Open your MMC console, copy the certificate from the Personal Store and place it in the “Trusted Root Certification Authority” as well.

Note: If you type MMC in the search window and cannot find it:
– Click on Run
– Type MMC and hit Enter (this will open up the MMC console)

Note: This has to be installed on every client workstation (PC) that will be using the SSO Server.

Note: The RDP SSO Client can be downloaded here: http://downloads.pleasantsolutions.com/download/PasswordServer/7.9.21.0/PleasantRdpSSOClient.exe

You may require elevated privilege to have this installed.
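The certificate and installer steps above can also be done from an elevated PowerShell session, with a check of what is being trusted before it is trusted. This is an added example, not part of the original post: the file paths and the expected thumbprint are placeholders (get the thumbprint from your Password Server administrator), and importing into the machine store rather than the user store is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
$certPath      = 'C:\Temp\SsoServerRoot.cer'         # placeholder path to the downloaded certificate
$installerPath = 'C:\Temp\PleasantRdpSSOClient.exe'  # placeholder path to the downloaded installer
$expectedThumb = '<THUMBPRINT-FROM-YOUR-ADMIN>'      # placeholder, obtained out of band

# 1. Read the certificate file without installing it and show what it claims to be.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# 2. Refuse to continue unless the thumbprint matches the expected value.
$normalized = ($expectedThumb -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $normalized) {
    throw "Thumbprint mismatch (file has $($cert.Thumbprint)). Certificate not imported."
}

# 3. Import straight into the machine's Trusted Root store (replaces the MMC copy step).
Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Confirm the certificate is now in the store.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, Thumbprint, NotAfter

# 5. Check the Authenticode signature of the installer before running it.
$sig = Get-AuthenticodeSignature -FilePath $installerPath
$sig | Format-List Status, StatusMessage,
    @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
if ($sig.Status -ne 'Valid') {
    Write-Warning "Installer signature status is '$($sig.Status)'; do not run it until this is explained."
}
```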

Note: Ensure your browser settings are configured correctly.

Follow the steps here to test your SSO connection to a server

https://info.pleasantsolutions.com/Documentation/Pleasant_Password_Server/H._Proxy_Server/RDP_SSO_Server
https://info.pleasantsolutions.com/Documentation/Pleasant_Password_Server/H._Proxy_Server/Security_Permissions

Pleasant Password Server User Guide

There are basically two ways of using the Password Server:

  1. By using the Web URL or
  2. By using KeePass Desktop Client for Pleasant Solutions

Accessing Pleasant Password Using the Web URL

Here is the URL to the web interface: https://xxxxxxxxxxxx:

Once logged on, you are granted access to the password resources based on your job role. The steps are very straightforward.

  • Access the URL
  • Enter your login credentials as shown below and click on Sign in.
  • You will be requested to enter your token from Microsoft Authenticator or any of the other authenticators.
  • Click on Sign in. This will open up the Pleasant Password Server web interface, showing the Password Resources you are allowed to access.

KeePass Desktop Client for Pleasant Solutions

If you are familiar with KeePass, you can connect to the Password Server as well by using the KeePass Desktop Client for Pleasant Solutions. Here are the steps for installing and using the KeePass Desktop Client for Pleasant Solutions.

  1. Install KeePass Desktop Client for Pleasant Solutions
  2. Start KeePass Desktop Client as shown below
  • Enter your username and password.
    Note: Access to Folders
  • Enter the following URL in the Server text box:
  • Click on login
  • Accept the SSL error (This will be fixed very soon) by clicking on YES

This will now request the configured token, which can be found in Microsoft Authenticator or whichever authentication app you used.

Then you are granted access to the Password resources on the server. The image below is the User Interface that will be displayed.