Configuring the Local Reset Extension
The Bravura Pass Local Reset Extension can be used with the following browsers:
Edge Chromium
Google Chrome
Firefox
The Local Reset Extension only works on Windows. Mac OS X and other operating systems are not supported.
The Local Reset Extension consists of the Bravura Security browser extension and a native extension. When the user's password is reset from Bravura Pass, it does two things together:
Reset the password on the target system configured to work with the extension.
Reset the cached credentials for the user on the workstation so that they can log in with the new password when not connected to the network.
Until both extensions are installed, the first action (the password reset on the target system itself) can always succeed, but the second (the cached credentials reset) will not.
In order to configure the Local Reset Extension:
Configure Bravura Pass to use the Local Reset Extension plugin.
Install the browser and native extensions on each user's Windows client workstation.
The end user manually installs the Bravura Security browser extension for Google Chrome, Edge Chromium, or Firefox from the Chrome or Firefox web stores while resetting their password using Bravura Pass.
The native extension can be installed by an administrator or end user with the following methods:
An administrator manually installs the appropriate native extension on each user's workstation.
An administrator automatically installs the native extension on users' workstations using group policy.
The end user manually downloads and installs the native extension on their own Windows workstation while resetting their password using Bravura Pass.
Configure the Local Reset Extension plugin
The cgilocalr plugin updates local resources and runs commands after a web-based password change via Bravura Pass.
The generic control for pslocalr silently updates the user’s Windows password cache. With this plugin the user may continue using domain resources without logging out and back into their workstation after a password change.
The generic control for pgpfde is designed to update locally protected resources. It can be used to clear PGP WDE cache passwords so that the new password can be used on the next start-up of the PGP client.
See Hard Drive Encryption Systems in the Connector Pack documentation for information about integrating with PGP WDE encryption clients.
Usage
The cgilocalr plugin triggers local resource updates when a self-service password reset succeeds on a target system, as specified in cgilocalr.cfg.
To enable cgilocalr:
Click Manage the system > Modules > Change passwords (PSS).
Add cgilocalr.exe in the S STATUS EXT field. The field accepts a comma-delimited list for multiple plugins.
Click Update.
Requirements
The cgilocalr plugin requires a configuration file. The cgilocalr.cfg file in the samples\ directory includes example configurations for pslocalr and pgpfde. Copy the file to the \<instance>\script\ directory, then edit the configuration.
The generic control requires the following parameters for running arbitrary commands:
id
Used to identify the generic control.
files
Download from Bravura Pass instance server’s directory wwwdocs/x86 or wwwdocs/x64 depending on the client workstation operating system’s bitness.
program
(optional) The program to run in the cgilocalr plugin. If left blank, rundll32.exe will be used.
arguments
Arguments or parameters to pass to the program or rundll32.exe.
Customization
You can customize the user interface text in the plugin-pslocalr.m4 file. The plugin’s result messages can also be modified in this M4 file. See CUSTOMIZATION for more information.
Example
The cgilocalr plugin uses the configuration file to specify the target system and AD domain for which passwords should be changed locally, where:
Each target system on which you want to enable the Local Reset must have an entry containing the target system ID.
targetid, control and logonDomain are case insensitive.
For Active Directory DN targets, the domain information is taken implicitly from the longid, and does not need to be explicitly specified by logonDomain, which is only used for legacy Active Directory target systems.
For example, a company has an Active Directory Domain Controller managing the domain OFFICE. A target system for this domain controller has already been added with a target system ID of INTERNAL-AD. The following script configures the Local Reset Extension for passwords changed using the web-based interface. The user must be logged onto a workstation that is a member of the domain OFFICE. When the user changes his password on INTERNAL-AD the plugin will immediately update the user’s local Windows password cache.
# NOTE: This example is for backwards compatibility only, use of the
# pslocalr control directly should be changed to use the generic
# control as described in Generic Control example below.
#
# cgilocalr plugin config file to use pslocalr
# KVGROUP-V2.0
"" "" = {
  "targetid" "INTERNAL-AD" = {
    "control" "pslocalr" = {
      "protocol" = "2";
      "attributes" "" = {
        "logonDomain" = "OFFICE";
      };
    };
  };
};
or
#
# cgilocalr plugin config file to use generic control
# KVGROUP-V2.0
"" "" = {
  "targetid" "INTERNAL-AD" = {
    "control" "generic" = {
      "id" = "pslocalr";
      "arguments" = "ResetCachedPassword2 %HID_ENCRYPTED_DATA%";
      "attributes" "" = {
        "logonDomain" = "OFFICE";
      };
    };
  };
};
Workstation lock down after successfully updating the user’s local Windows password cache can also be configured by adding "useLockWstn" = "true" to the config file using the generic control. For example:
"" "" = {
  "targetid" "INTERNAL-AD" = {
    "control" "generic" = {
      "id" = "pslocalr";
      "arguments" = "ResetCachedPassword2 %HID_ENCRYPTED_DATA%";
      "attributes" "" = {
        "logonDomain" = "OFFICE";
        "useLockWstn" = "true";
      };
    };
  };
};
Testing
To test the correctness of the configuration file, attempt a password reset for one of the users on that system. If the syntax of the configuration file is invalid, the end user will not see any errors, but the server will log details about the parse error encountered:
Failed to parse file [C:\<path-to-instance>\script\cgilocalr.cfg]: [Line: 36, Pos: 14]: Parse error: expected '='"
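Because the end user sees no error when cgilocalr.cfg fails to parse, a syntax check can be run on the file before the test reset described above. The following is an added example, not Bravura Security code: the grammar is inferred only from the configuration examples on this page, and parse, CfgError and SAMPLE are names chosen for the example.

```python
import re

# Grammar inferred only from the examples on this page (an assumption, not the
# vendor's specification): quoted strings, '=', '{', '}', ';' and '#' comments.
TOKEN = re.compile(r'#[^\n]*|("[^"\n]*"|[={};])|(\S)')

class CfgError(Exception):
    pass

def parse(text):
    """Return nested (key, name, value) tuples; raise CfgError on bad syntax."""
    toks = [(m.group(1) or m.group(2), m.start(), bool(m.group(2)))
            for m in TOKEN.finditer(text) if m.lastindex]
    toks.append(("<EOF>", len(text), False))
    pos = 0

    def take(want=None):  # want=None accepts any quoted string
        nonlocal pos
        tok, at, bad = toks[pos]
        if bad or not (tok == want if want else tok.startswith('"')):
            line, col = text.count("\n", 0, at) + 1, at - text.rfind("\n", 0, at)
            raise CfgError(f"[Line: {line}, Pos: {col}]: expected "
                           f"{want or 'a quoted string'!r}, got {tok}")
        pos += 1
        return tok.strip('"')

    def entries(closer):
        out = []
        while toks[pos][0] != closer:
            key = take()
            name = take() if toks[pos][0].startswith('"') else None
            take("=")
            if toks[pos][0] == "{":
                take("{"); value = entries("}"); take("}")
            else:
                value = take()
            take(";")
            out.append((key, name, value))
        return out

    return entries("<EOF>")

# The page's generic-control example, condensed (constructed sample input).
SAMPLE = '''# KVGROUP-V2.0
"" "" = { "targetid" "INTERNAL-AD" = { "control" "generic" = {
  "id" = "pslocalr";
  "arguments" = "ResetCachedPassword2 %HID_ENCRYPTED_DATA%";
  "attributes" "" = { "logonDomain" = "OFFICE"; };
}; }; };'''
```

Calling parse() on the file's contents either returns the nested settings or raises CfgError with the line and position of the first token it could not accept.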
See also
Configuration example: SSA Login Assistant with VPN includes an example that enables the Local Reset Extension to function using the Chrome web browser.
Install Local Reset Extension on Chrome or Edge Chromium
A Chrome Bravura Security browser extension as well as a native extension is required to reset a user’s password cache on a workstation when using either Chrome or Edge Chromium. A download link will be available to install the extensions if they have not been installed yet.
In cases where users are not able to install extensions on their web browsers, an organization's administrators would need to force-install the extension for their users.
Google has some documentation on how to do this for Chrome:
The same install, deployment and use can be done for Microsoft’s Edge Chromium and other Chromium-based browsers.
A GPO or some other software deployment tool would then be used to install the native .msi extension on the workstations. For an example msiexec command to use with automated deployment tools, see "Use a silent installer" in the Configure Login Assistant on local workstations example.
Manual install works only for normal user accounts which are allowed to download and install browser extensions. It will not work inside the Login Assistant’s Secure Kiosk Account (LA/SKA) which is triggered from the login screen’s Credential Provider.
To install the Bravura Security browser extension and native extension as an end user:
Reset a password using Bravura Pass in the Change passwords (PSS) module using Chrome or Edge Chromium.
After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install chrome extension.
At this stage the cached credential has not been updated.
Click Install chrome extension.
This opens a new browser tab to the Bravura Security Browser Extension in the Chrome web store.
Click Add to Chrome.
Click Add extension.
Click X to close the sync notification.
Close all Chrome or Edge Chromium browser windows.
Re-open the Chrome or Edge Chromium browser.
Reset a password using Bravura Pass in the Change passwords (PSS) module.
After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install native extension.
At this stage the cached credential has not been updated.
On the password reset result page, click on Install native extension.
Run the browser-extension-win-x86.msi file. Alternatively, download and save the file onto your workstation and run the file.
When running the installer on Windows as an administrator, you can choose to install the native extension for yourself or for all users on the workstation.
The next time you change domain passwords from the workstation with the local reset extension installed, the cached credential should also be updated.
Install Local Reset Extension on Firefox
A Bravura Security browser extension as well as a native extension is required to reset a user’s password cache on a workstation when using Firefox. A download link will be available to install the extensions if they have not been installed yet.
In cases where users are not able to install extensions on their web browsers, an organization's administrators would need to force-install the extension for their users.
For Firefox documentation see:
https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows
A GPO or some other software deployment tool would then be used to install the native .msi extension on the workstations. For an example msiexec command to use with automated deployment tools, see "Use a silent installer" in the Configure Login Assistant on local workstations example.
Manual install works only for normal user accounts which are allowed to download and install browser extensions. It will not work inside the Login Assistant’s Secure Kiosk Account (LA/SKA) which is triggered from the login screen’s Credential Provider.
To install the Bravura Security browser extension and native extension as an end user:
Reset a password using Bravura Pass in the Change passwords (PSS) module using Firefox.
After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install chrome extension.
At this stage the cached credential has not been updated.
Click Install firefox extension.
A prompt to allow and install the Bravura Security Browser Add-On is displayed in the browser.
Install the extension.
Close all Firefox browser windows.
Re-open the Firefox browser.
Reset a password using Bravura Pass in the Change passwords (PSS) module.
After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install native extension.
At this stage the cached credential has not been updated.
On the password reset result page, click on Install native extension.
If using a Windows 32-bit workstation, run the firefox-extension-x86.msi file. If using a Windows 64-bit workstation, run the firefox-extension-x64.msi file. Alternatively, download and save the file onto your workstation and run the file.
When running the installer on Windows as an administrator, you can choose to install the native extension for yourself or for all users on the workstation.
The next time you change domain passwords from the workstation with the local reset extension installed, the cached credential should also be updated.