Ensure Self-Service Password Reset Pages Always Work

Note:  Some SharePoint farms seem to have problems that require the changes shown in this article; other farms do not.  If ExCM's password reset features work out-of-the-box in your farm, there is no need to make these changes in your farm.
Tip: In order to make the changes below, you will have to have previously enabled anonymous access settings for your web application (see Step 3 on the Configure the Extranet Web Application page).  If you did not previously enable anonymous access settings for the web application, you will need to do that first.

ExCM includes a few custom ASPX pages that external users need when they have forgotten their password.  Here is an example of one of those pages:

(Screenshot: Extranet Collaboration Manager Reset My Password page)

Because the external user is not logged in when she needs to reach these pages, they must be accessible anonymously, which is not enabled by default when you create a new web application in SharePoint Central Administration.

Before explaining how to set this up correctly and securely, let's discuss the concept of Anonymous Access in SharePoint and clear up any misunderstandings.

Anonymous Access Settings in SharePoint

Like many settings in SharePoint, the ones related to allowing Anonymous Access have many levels of granularity.  Anonymous Access settings can be set at the web application level, the site level, and the list and library level.

For the ExCM self-service password reset pages to be accessible without being logged in (the condition of the external user who has forgotten her password), it is first necessary to enable "the possibility" of granular Anonymous Access settings for a web application.  This is done on the Authentication settings page for your extranet web application:

(Screenshot: SharePoint Authentication settings page for the extranet web application)

You might be asking, "Isn't this a security risk?  I have now enabled Anonymous Access for my entire web application?"

The answer is "no".  Read the description to the left of the check box.  What you have done is merely allowed for the ability to enable Anonymous Access granularly on objects (sites, libraries, lists) in the web application; you have not actually granted Anonymous Access to any of those objects by checking this box.

Once you save this page, if you stop here and do no further configuration, NONE of the content in your web application will be accessible anonymously; rest assured.  But the ExCM self-service password reset pages will not work properly either, if your farm has the problem this procedure solves.

Configuring the Minimum Amount of Anonymous Access so that the Self-Service Pages Work

Now that you have configured the web application to allow granular settings related to Anonymous Access, is there a safe way to make the ExCM Self-Service pages (password reset pages) work without opening a security hole?

The answer is "yes".

First, the password reset pages "live" at the URL of the root site collection of your extranet web application.  So, for instance, if your root site collection is at https://extranet.company.com, the URL of the page a user can use to reset a forgotten password will be https://extranet.company.com/_layouts/15/SPSolutions/ExCM/ResetMyPassword.aspx.

As pointed out above, an external user who has forgotten her password will not already be logged in, so she needs to be able to load this page when not logged in.

The way to allow this is to enable Anonymous Access on the root site collection, but only for "Lists and Libraries".  Here is how you configure that:

  1. Signed in as a Site Collection Administrator on the root site collection of your extranet web application, navigate to Site Actions > Site Settings > Site Permissions and click Anonymous Access in the Ribbon:
    (Screenshot: SharePoint Anonymous Access settings for password reset)
  2. Change the Anonymous Access setting to "Lists and Libraries" and click OK:
    (Screenshot: SharePoint Anonymous Access set to Lists and Libraries)
  3. Now test accessing your root site collection without logging in.  Instead, click the "Forgot Password" link and go through the process of resetting the password for a test external user.  You should be able to complete the process and reset the password even though you weren't logged in.

Finally, it is recommended that from this point forward your company treat the root site collection as "off limits" for storing any content that you want to keep private in any way, since you have enabled Anonymous Access on libraries and lists in that site.  One approach is to give no internal users (employees) permissions to the site; if they don't have permissions, they can't add content to it.  Another approach is to treat the site as a read-only extranet landing site (you can grant Visitors access to "domain\domain users" and "ext:All Users", so that all domain users and external users have read-only access to the site) that is used as a directory or jumping-off place to other extranet sites, but contains no content besides a home page.
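As an added verification for the three steps and the "off limits" guidance above (an example script written for this page, not ExCM's or PremierPoint's own code), the following SharePoint Management Shell script reports what the procedure relies on: that the web application merely allows anonymous settings, that the root site collection is at "Lists and Libraries" and not "Entire Web Site", and that no list or other site collection actually grants anonymous rights. The URL is the article's placeholder; the cmdlets and properties are the SharePoint Server object model.

```powershell
# Added example, not ExCM code: audit the anonymous-access configuration
# described in this article. Run in the SharePoint Management Shell on a
# farm server; $webAppUrl is a placeholder taken from the article.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://extranet.company.com"
$webApp = Get-SPWebApplication $webAppUrl

# 1. Web application level: the "Enable anonymous access" checkbox only
#    makes granular anonymous settings possible; it grants nothing by itself.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
"Web application allows anonymous (capability only): " + $webApp.IisSettings[$zone].AllowAnonymous

# 2. Root site collection: the expected value is Enabled ("Lists and Libraries").
#    SPWeb.AnonymousState is Disabled, Enabled (lists/libraries) or On (entire site).
$site = Get-SPSite $webAppUrl
$root = $site.RootWeb
"Root web anonymous state: " + $root.AnonymousState
if ("$($root.AnonymousState)" -eq "On") {
    Write-Warning "Entire root site is open to anonymous users; the article needs only Lists and Libraries."
}

# 3. No list or library in the root web should actually grant anonymous rights
#    (the site-level setting allows per-list grants; it does not make any).
foreach ($list in $root.Lists) {
    if ($list.AnonymousPermMask64 -ne [Microsoft.SharePoint.SPBasePermissions]::EmptyMask) {
        Write-Warning ("List '{0}' grants anonymous permissions: {1}" -f $list.Title, $list.AnonymousPermMask64)
    }
}

# 4. Every other site collection in the web application should stay closed.
foreach ($other in $webApp.Sites) {
    try {
        if ($other.Url -ne $site.Url -and "$($other.RootWeb.AnonymousState)" -ne "Disabled") {
            Write-Warning ("Site collection {0} has anonymous state {1}" -f $other.Url, $other.RootWeb.AnonymousState)
        }
    } finally {
        $other.Dispose()
    }
}
$site.Dispose()
```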

If you follow the instructions and guidance above, you can be assured of the security of your extranet AND allow your external users to handle their own problems when they forget their password.

©2019 PremierPoint Solutions. All Rights Reserved.