Configure and test the Password Reset connection to a credential store

You specify a credential store to access during the Password Reset or Password Change process and configure other settings that control the process.

Before you begin

Role required: password_reset_admin or password_reset_credential_manager

About this task

Note: The Password Reset Windows Application supports only Active Directory (AD) credential stores.

Procedure

  1. Navigate to Password Reset > Credential Stores.
  2. Click New, enter a unique and meaningful Name and Description, and then fill in the form.
    Type: Select a credential store type, a template that provides a set of capabilities. A credential store inherits the functionality of its type.
    Note: The Password Reset Windows Application supports only the AD Credential Store type.
    Installed credential store types:
    • Local ServiceNow Instance: installed with Password Reset.
    • AD Credential Store: installed with the Orchestration Add-on.
    • Remote (SOAP) ServiceNow: installed with the Orchestration Add-on.
    Auto-generate password: Script include that generates a temporary password for use during the reset process.
    Note: If you select the Enforce history policy check box, you must also specify a value for Auto-generate password.
    Enforce history policy: Select the check box to enforce the password history policy that is configured for the credential store, and then follow the procedure under What to do next, after this table.
    Note: This option appears only if you select the AD Credential Store type.
    Note: Active Directory domains can be configured with a history policy that prevents users from reusing passwords. For example, the policy might forbid reusing any of the previous three passwords when resetting a password.
    Hostname: URL or IP address of the credential store that holds the user credentials (for example, user names and passwords).
    User account lookup: Script include that maps the user's ServiceNow platform ID to the user's credential store ID. The default script, PwdDefaultUserAccountLookup, returns the user's ServiceNow platform user name.
    Password rule hint: Text that appears on the password reset page to help the user create a password that meets all requirements. The Password rule script enforces those requirements.
    Note: The Password Reset Windows Application supports newline characters in the hint but no other formatting (bold, underline, hyperlink, and so on).
    Password rule: Client script that validates the password that the user enters. The script is invoked when the user enters a new password and clicks Password Reset. Use it to enforce password strength and complexity requirements.
    Enable Password Strength: Select the check box to:
    • Display the text box for the Strength rule script so that you can update the script.
    • Display the graphical Password Strength bar to the user while the user changes or resets the password.
    Default settings:
    • Selected for local ServiceNow credential stores
    • Not selected for other credential stores
    Note: The Password Reset Windows Application does not support Password Strength.
    Strength rule: Client script that calculates the strength and complexity of the password that the user enters. The script is invoked when the user begins to enter a new password during the reset process. This text box appears only if you select Enable Password Strength.
    Note: To guide the user during the reset process, the system displays a graphical bar labeled Password Strength under the New password field.

  3. Click Submit.
    The connection is created. You should test the connection to a credential store after you configure a new credential store or when users experience problems that might involve the connection.
  4. Navigate to Password Reset > Credential Stores and then open the credential store.
  5. In the header bar, click Save and Test Connection.
    A progress page displays the result of the test.
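As an added example (not code from this page or from the ServiceNow product), the kind of checks a Password rule script and a Strength rule script can implement, written in plain JavaScript. The function names, signatures and the specific requirement set are assumptions, since the page does not state the script interface.

```javascript
// Added example: a password rule check and a strength score of the kind the
// "Password rule" and "Strength rule" client scripts could implement.
// Function names, signatures and the requirement set are assumptions, not the
// platform's own script API.

// Requirements enforced here (constructed for the example): at least 12
// characters, upper and lower case, a digit, a symbol, and no user name inside.
function validatePassword(password, userName) {
  var errors = [];
  if (password.length < 12) errors.push("at least 12 characters");
  if (!/[A-Z]/.test(password)) errors.push("an uppercase letter");
  if (!/[a-z]/.test(password)) errors.push("a lowercase letter");
  if (!/[0-9]/.test(password)) errors.push("a digit");
  if (!/[^A-Za-z0-9]/.test(password)) errors.push("a symbol");
  if (userName && password.toLowerCase().indexOf(userName.toLowerCase()) !== -1) {
    errors.push("not contain the user name");
  }
  return errors; // an empty array means the password is accepted
}

// Simple heuristic score 0..4 for the Password Strength bar: one point per
// character class beyond the first, one for length >= 12 and one for >= 16,
// capped at 4; anything shorter than 8 characters scores at most 1.
function passwordStrength(password) {
  var classes = 0;
  [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/].forEach(function (re) {
    if (re.test(password)) classes++;
  });
  var score = Math.max(0, classes - 1);
  if (password.length >= 12) score++;
  if (password.length >= 16) score++;
  if (password.length < 8) score = Math.min(score, 1);
  return Math.min(score, 4);
}

// Text for the "Password rule hint" field: newline characters only, because
// the Windows Application supports no other formatting.
var PASSWORD_RULE_HINT = [
  "Your new password must:",
  "- be at least 12 characters long",
  "- contain upper and lower case letters, a digit and a symbol",
  "- not contain your user name"
].join("\n");
```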

What to do next

If you selected the Enforce history policy check box, then follow these steps:
  1. Open the associated Password Reset process definition: Password Reset > Processes.
  2. On the Details tab of the Password Reset Process form, clear the Auto-generate password check box and then save the process definition.
  3. On the domain controller, set Password Aging (MIN_PASSWORD_AGE) to zero.
  4. On the domain controller, set the history policy to twice the desired number of passwords. For example, to enforce that the last three passwords are not repeated, set the history policy to six.
    Note: To enforce the history policy that is configured for the credential store, the system auto-generates a new temporary password for each reset cycle. The system auto-generates the temporary password even though you have cleared the Auto-generate password check box on the Password Reset Process form. Because the user immediately replaces the temporary password with a new password, two passwords are created for each reset cycle.
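An added model (not ServiceNow or Active Directory code) of why the history length must be doubled: each reset cycle writes both the temporary password and the user's new password into the domain's history, so a history of N only blocks the last N/2 user-chosen passwords. The history container and the temporary-password names are constructed for the example.

```javascript
// Added example: models how an AD password-history setting interacts with the
// temporary password that Password Reset generates in every cycle. This is a
// model of the behaviour the page describes, not ServiceNow or AD code.

// A history of `length` remembered passwords; a new password that is still
// in the history is rejected. Real AD keeps hashes, this model keeps strings.
function PasswordHistory(length) {
  this.length = length;
  this.entries = [];
}
PasswordHistory.prototype.set = function (password) {
  if (this.entries.indexOf(password) !== -1) return false; // reuse rejected
  this.entries.push(password);
  if (this.entries.length > this.length) this.entries.shift(); // drop oldest
  return true;
};

// One reset cycle: the system sets an auto-generated temporary password and
// the user immediately replaces it (MIN_PASSWORD_AGE must be zero for that).
var tempCounter = 0;
function resetCycle(history, newPassword) {
  var temp = "temp-" + (++tempCounter); // constructed stand-in for the generated value
  if (!history.set(temp)) return false;
  return history.set(newPassword);
}

// Number of user-chosen passwords a history of `historyLength` actually blocks
// when every cycle also consumes a slot for the temporary password.
function userPasswordsBlocked(historyLength) {
  return Math.floor(historyLength / 2);
}

// Does the user get to reuse "Winter2024!" after `cyclesBetween` other resets?
// true means the reuse was allowed, false means the history policy blocked it.
function canReuseAfter(historyLength, cyclesBetween) {
  tempCounter = 0;
  var h = new PasswordHistory(historyLength);
  resetCycle(h, "Winter2024!");
  for (var i = 0; i < cyclesBetween; i++) resetCycle(h, "Other" + i + "!");
  return resetCycle(h, "Winter2024!");
}
```

With a history of 3 the password is reusable after a single intervening reset; with a history of 6 the last three user-chosen passwords stay blocked, matching the page's "set the history policy to six" guidance.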