How to Change the ExCM Forgot Password recovery option from Q&A to Email (Automated Method)

When using ExCM you can disable the default security question-based password reset dialog and instead turn on the email-based password reset option. This document walks through the process using the automated feature introduced in ExCM 2016 version  or later and ExCM 2019 version  or later.

(Note: for older versions of ExCM 2016 and ExCM 2019, follow the documentation for the manual method of making these changes.)

The new automation options are on the Password Policy page in General Application Settings:

Once the Password Policy page is loaded, select the extranet web application and the extranet membership provider that these changes are to be made to:

Once a membership provider is selected, the radio buttons in the new Self-service Password Reset Option section become usable. By default the Q&A option is selected; selecting "Send system-generated new password via email" and clicking the OK button makes the same changes to web.config (within 5 to 10 minutes) that were previously made by hand.
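
Because the change is written to web.config, and web.config is a per-server file, an administrator will want to confirm that it actually landed on every web front end after the 5 to 10 minute wait rather than trusting the OK click alone. The script below is an added example and is not part of ExCM or its documentation. It assumes that the extranet membership provider is a standard ASP.NET membership provider registered under `<system.web><membership><providers>`, that the Q&A-versus-email switch shows up in that provider's `requiresQuestionAndAnswer` attribute, and that the web application URL and provider name (`https://extranet.mycompany.com/` and `Ext`, the values this page uses as examples) match your farm; compare the printed attributes with the manual-method document for your version.

```powershell
# Added example (not ExCM product code): show the extranet membership provider
# element from the Default-zone web.config of the extranet web application on
# the server this runs on. Run from the SharePoint Management Shell, as a farm
# administrator, on EACH web front end.
#
# Assumptions (not stated on the page): the provider is an ASP.NET membership
# provider under <system.web><membership><providers>, and the Q&A/email switch
# is reflected in its requiresQuestionAndAnswer attribute.
param(
    [string]$WebAppUrl    = "https://extranet.mycompany.com/",  # example URL from the page
    [string]$ProviderName = "Ext"                               # usual provider name per the page
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication $WebAppUrl
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$path   = Join-Path $webApp.IisSettings[$zone].Path.FullName "web.config"

Write-Host "Inspecting $path on $env:COMPUTERNAME"
$config = [xml](Get-Content -Path $path -Raw)

$provider = $config.configuration.'system.web'.membership.providers.add |
    Where-Object { $_.name -eq $ProviderName }

if (-not $provider) {
    Write-Warning "Membership provider '$ProviderName' not found in $path"
    return
}

# Print every attribute of the provider element so nothing is hidden.
$provider.Attributes | ForEach-Object { "{0,-32} {1}" -f $_.Name, $_.Value }

if ($provider.requiresQuestionAndAnswer -eq "false") {
    "requiresQuestionAndAnswer is false: Q&A reset is disabled for '$ProviderName' on this server"
} else {
    "requiresQuestionAndAnswer is '$($provider.requiresQuestionAndAnswer)': either the change has not been applied yet (allow 5 to 10 minutes) or this server's web.config is stale"
}
```

Run it on every web front end and compare the output; a server whose web.config still differs will keep serving the old Q&A dialog to the users it happens to handle.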

Below are the changes users will experience once the password reset option has been switched from question and answer to email. After the user clicks the "Forgot your password?" link, the "Reset My Password" page asks for the user's email address; the user enters it and clicks Next.

Once the user enters an email address and clicks next, they will see the confirmation page that looks like this:

If the email address entered belongs to a valid external user, that user receives an email containing a new system-generated temporary password:

If the email address entered is invalid (that is, it is NOT the address of a valid external user), no email is sent. The confirmation page shown in the previous step is the same in both cases, so the form itself does not reveal whether an address belongs to a registered external user.

Once the external user has received the email with the new password, they can either click the Continue to Login button on the confirmation page or navigate back to the sign-in page as they normally would. They then enter their user name and the new temporary password to log in.

Upon successful login with the temporary password, the user will be automatically redirected to the “Change My Password” page where they will need to use the temporary password and create their own new password before clicking Finish:

Warning: the Change My Password page is located in SharePoint's "Layouts" folder in the 15/16 hive on the server. Pages in that location require an authenticated user with at least Visitor permissions in order to load. In addition, the redirect to this page initially sends the user to the root site collection of the web application to load it. For that reason, a special role, typically "All Users (Ext)", must be added to the Visitors group of the root site collection before external users can reach this page. See the next section for details on how the root site collection needs to be configured.

After the password has been changed, the user is redirected away from the root site collection to the specific extranet site they were originally trying to access.

Ensuring that external users have access to the Change My Password page:

When switching from security question-based to email-based password reset, ExCM requires the external user to change the temporary password on the first login with it. It does this by first redirecting to the root site collection of your extranet web application, for instance https://extranet.mycompany.com/.

Because of this one-time redirection logic, it is necessary that all external users have Visitor permissions to your root site collection.  If they do not have those permissions, they will receive an "Access Denied" message when the Change My Password page tries to load.

Here is how to give all external users Visitor permissions in your root site collection:

First, navigate to the root site collection in your extranet web application.

Then, logged in as a Site Collection Administrator:

Find the Visitors group in the list on the left and click on it:

Once there, add a New User to the group:

Add the "All Users (Ext)" role to the group:

Note: in the screenshot above the extranet membership provider shown has a non-standard name (ExtMembership-ED1). In most cases your extranet membership provider name will be "Ext" if you set up your extranet following our normal recommendations.

Now, all of your external users will have access to the Change My Password page when it is loaded from the root site collection.
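
The same grant can be made, and then checked, from the SharePoint Management Shell, which is useful when you have several extranet web applications or want the step scripted and repeatable. The script below is an added example and is not part of ExCM or its documentation. It assumes the root site collection URL from this page (`https://extranet.mycompany.com/`), and it assumes that "All Users (Ext)" is a role from a forms role provider named `ext`, so that its encoded claim is `c:0-.f|ext|all users (ext)`; your role provider name is in the `<roleManager>` section of web.config, and the exact encoded value can be copied from an existing entry in `$web.SiteUsers` if yours differs. Because the grant makes the whole root site readable by every external user (the "off limits" recommendation below), the script finishes by listing what that site currently exposes.

```powershell
# Added example (not ExCM product code): add the "All Users (Ext)" role to the
# Visitors group of the root site collection, then report what the Visitors
# group can read there. Run from the SharePoint Management Shell as a site
# collection administrator of the root site collection.
#
# Assumptions (not stated on the page): the role comes from a forms role
# provider named "ext", and SharePoint encodes forms role claims as
# c:0-.f|<roleprovider>|<rolename> with the value in lower case.
param(
    [string]$RootSiteUrl  = "https://extranet.mycompany.com/",  # example URL from the page
    [string]$RoleProvider = "ext",
    [string]$RoleName     = "all users (ext)"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$encodedClaim = "c:0-.f|$RoleProvider|$RoleName"   # forms role claim, string value, forms issuer

$web = Get-SPWeb $RootSiteUrl
try {
    # The redirect lands on the root site collection of the web application, so
    # refuse anything else rather than silently opening up a different site.
    if (-not $web.IsRootWeb -or $web.Site.ServerRelativeUrl -ne '/') {
        throw "$RootSiteUrl is not the root web of the root site collection"
    }

    $visitors = $web.AssociatedVisitorGroup
    if (-not $visitors) { throw "No Visitors group is associated with $($web.Url)" }

    $principal = New-SPClaimsPrincipal -Identity $encodedClaim -IdentityType EncodedClaim
    $user      = $web.EnsureUser($principal.ToEncodedString())

    if ($visitors.Users | Where-Object { $_.LoginName -eq $user.LoginName }) {
        "'$($user.DisplayName)' is already a member of '$($visitors.Name)'"
    } else {
        $visitors.AddUser($user)
        "Added '$($user.DisplayName)' to '$($visitors.Name)'"
    }

    # Verify what the Visitors group holds on the root web (Read by default).
    $assignment = $web.RoleAssignments.GetAssignmentByPrincipal($visitors)
    $levels     = ($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
    "'$($visitors.Name)' has on $($web.Url): $levels"

    # Every external user can now read this site: list what it exposes.
    "Non-hidden lists and libraries on $($web.Url):"
    $web.Lists | Where-Object { -not $_.Hidden } | ForEach-Object {
        $note = if ($_.HasUniqueRoleAssignments) { " (unique permissions, check separately)" } else { "" }
        "  {0,-40} {1,5} items{2}" -f $_.Title, $_.ItemCount, $note
    }
}
finally {
    $web.Dispose()
}
```

Anything the final listing shows with more than a home page in it is content that every external user can now read; lists flagged with unique permissions do not inherit from the site and need to be reviewed on their own.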

Finally, from this point forward it is recommended that your company treat the root site collection as "off limits" for any content you want to keep private in any way, since all of your external users now have Visitor permissions (read access, by default) to it. One approach is to give no internal users (employees) permissions to the site: if they cannot access it, they cannot add content to it. Another approach is to treat the site as a read-only extranet landing site (grant Visitors access to "domain\domain users" and "All Users (Ext)", so that all domain users and external users have read-only access) that serves as a directory or jumping-off point to other extranet sites and contains nothing besides a home page.