Configure the connection to a credential store

You specify the credential store that the password reset or password change process accesses, along with other settings that control the process.

Before you begin

Role required: password_reset_admin or password_reset_credential_manager

About this task

Note: The Password Reset Windows Application supports only Active Directory (AD) credential stores.

Procedure

  1. Navigate to Password Reset > Credential Stores.
  2. Click New, enter a unique and meaningful Name and Description, and then fill in the form.

Fields and values:

Type
  Credential store types are templates that provide a desired set of capabilities. A credential store inherits the functionality of its credential store type.
  Note: The Password Reset Windows Application supports only AD Credential Store.
  Installed credential store types:
    • Local ServiceNow Instance: installed with Password Reset.
    • AD Credential Store: installed with the Orchestration Add-on.
    • Remote (SOAP) ServiceNow: installed with the Orchestration Add-on.

Auto-generate password
  Script include that generates a temporary password for use during the reset process.
  Note: If you select the Enforce history policy check box, then you must specify a value for Auto-generate password.

Enforce history policy
  To enforce the history policy that is configured for the credential store:
    1. Select the Enforce history policy check box.
    2. Follow the procedure that appears after this table.
  Note: Active Directory domains can be configured to include a history policy that ensures that users do not reuse passwords. For example, the history policy might be configured to not allow the user to reuse any of the previous three passwords when resetting a password.
  This option appears only if you select a credential store Type of AD Credential Store.

Hostname
  URL or IP address of the credential store that contains the user credentials (for example, user names and passwords).

User account lookup
  Script include that maps the user's ServiceNow platform ID to the user's credential store ID. A default script, PwdDefaultUserAccountLookup, returns the user's ServiceNow platform user name.

Password rule hint
  Text that is displayed to the user to help the user create a password that meets the requirements that the Password rule script enforces.
  Note: The Password Reset Windows Application supports newline characters in the hint. Other formatting is not supported (bold, underline, hyperlink, and so on).

Password rule
  Client script that validates the password that the user enters. The script is invoked when the user enters a new password and clicks Password Reset. You can use the script to enforce password strength and complexity requirements.

  3. Click Submit.
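As an added example, not code from this page or from ServiceNow, the following shows the kind of check a Password rule client script enforces, paired with the matching Password rule hint text. The page does not document the client-script hook, its parameters or how a failure is reported, so the function name validatePassword(password, userName, policy), the PASSWORD_POLICY values and the failure-reporting convention are assumptions; the script template the instance provides determines how the result reaches the user.

```javascript
// Constructed password policy; the values are illustrative, not ServiceNow defaults.
const PASSWORD_POLICY = {
  minLength: 12,
  requireUpper: true,
  requireLower: true,
  requireDigit: true,
  requireSymbol: true,
  maxRepeatRun: 3,        // reject runs such as "aaaa" (longer than 3 identical characters)
  forbidUserName: true,   // reject passwords that contain the account name
};

// Text for the "Password rule hint" field. Newlines are supported by the
// Windows Application; bold, underline and hyperlinks are not, so plain lines only.
const PASSWORD_RULE_HINT = [
  'At least 12 characters.',
  'Upper- and lower-case letters, a digit and a symbol.',
  'No more than 3 identical characters in a row.',
  'Must not contain your user name.',
].join('\n');

// Validates a candidate password against the policy. Returns
// { ok: boolean, failures: string[] }; every failing rule is listed so the
// user can correct all of them in one attempt rather than one per round trip.
// (Hypothetical signature: the real client-script entry point is not on the page.)
function validatePassword(password, userName, policy = PASSWORD_POLICY) {
  const pw = typeof password === 'string' ? password : '';
  const failures = [];

  if (pw.length < policy.minLength) failures.push('too short');
  if (policy.requireUpper && !/[A-Z]/.test(pw)) failures.push('no upper-case letter');
  if (policy.requireLower && !/[a-z]/.test(pw)) failures.push('no lower-case letter');
  if (policy.requireDigit && !/[0-9]/.test(pw)) failures.push('no digit');
  if (policy.requireSymbol && !/[^A-Za-z0-9]/.test(pw)) failures.push('no symbol');

  // A character followed by maxRepeatRun or more copies of itself is a run
  // longer than the allowed maximum.
  const runPattern = new RegExp('(.)\\1{' + policy.maxRepeatRun + ',}');
  if (runPattern.test(pw)) failures.push('repeated character run');

  if (policy.forbidUserName && typeof userName === 'string' && userName.length > 0 &&
      pw.toLowerCase().includes(userName.toLowerCase())) {
    failures.push('contains user name');
  }

  return { ok: failures.length === 0, failures };
}

// Stand-alone demonstration with constructed inputs.
console.log(PASSWORD_RULE_HINT);
console.log(validatePassword('Tr0ub4dor&3xyz', 'jdoe'));
console.log(validatePassword('Jdoe!!!!2024abc', 'jdoe'));
```

Keeping the hint text and the policy object next to each other makes it easy to confirm that every rule the script rejects is also stated in the hint; a rule the user is never told about only produces repeated failed resets. The same checks belong on the server side as well, since the client script runs in the user's browser and is advisory for a hostile client.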

What to do next

If you selected the Enforce history policy check box, then follow these steps:
  1. Open the associated password reset process definition: Password Reset > Processes.
  2. On the Details tab of the Password Reset Process form, clear the Auto-generate password check box and then save the process definition.
  3. On the domain controller, set Password Aging (MIN_PASSWORD_AGE) to zero.
  4. On the domain controller, set the history policy to twice the desired number of passwords. For example, to enforce that the last three passwords are not repeated, set the history policy to six.
    Note: This is why you must set the history policy to twice the normal value: To enforce the history policy that is configured for the credential store, the system auto-generates a new temporary password for each reset cycle. The system auto-generates the temporary password even though you have cleared the Auto-generate password check box on the Password Reset Process form. Because the user immediately replaces the temporary password with a new password, two passwords are created for each reset cycle.