Help & Documentation

Comprehensive guide to configuring and using the Self-Service Password Reset system

Installation Guides

Step-by-step guides to help you install AdminGloves SSPR on your platform.

Windows Installation

Complete guide for installing AdminGloves SSPR on any Windows Server or Windows 11.

Linux Installation

Complete guide for installing AdminGloves SSPR on Linux (Ubuntu, RHEL, etc.).

Branding Configuration

Customize the appearance and branding of your self-service password reset portal to match your organization's identity.

Logo Upload

Upload your company logo to display on the login page and throughout the user interface.

  • Supported formats: PNG, JPG, GIF
  • Recommended size: 200x50 pixels for optimal display
  • File size: Keep under 500KB for fast loading
  • The logo appears in the header of the login page and email templates

Company Name

Enter your organization's name. This will be displayed:

  • On the login page header
  • In email notifications sent to users
  • Throughout the user interface

Tip: Use a clear, recognizable name that users will associate with your organization. Examples: "Acme Corporation" or "Tech Solutions Inc."

Footer Text

Custom text displayed in the footer of the login page and user portal. You can use this for:

  • Copyright information
  • Contact details
  • Legal notices
  • Support information

You can use HTML formatting for links and styling. Leave blank to use the default footer text.

Country Code

This will display the default country code to users when sending SMS OTP messages.

  • Include the plus sign (+) prefix
  • Common examples: +1 (USA/Canada), +91 (India), +60 (Malaysia), +44 (UK)

Password Expiry Notifications - Microsoft Graph Email

Configure automated password expiry notification emails using Microsoft Graph API (Microsoft 365 / Azure AD).

Azure AD App Registration Setup

Before configuring Microsoft Graph Email, you need to register an application in Azure AD and grant it the necessary permissions.

Step 1: Create App Registration

  1. Log in to the Azure Portal with an account that has permissions to create app registrations.
  2. Navigate to Azure Active Directory → App registrations → New registration.
  3. Enter a name for your application (e.g., "SSPR Password Expiry Notifications").
  4. Select Accounts in this organizational directory only (single tenant).
  5. Click Register.

Step 2: Get Tenant ID

  1. In Azure Portal, go to Azure Active Directory → Properties.
  2. Copy the Tenant ID (also called Directory ID). It is a GUID, for example 12345678-1234-1234-1234-123456789abc.

Step 3: Get Client ID

  1. Go to your app registration: Azure AD → App registrations → Your app.
  2. On the Overview page, copy the Application (client) ID. It is also a GUID.

Step 4: Create Client Secret

  1. In your app registration, go to Certificates & secrets.
  2. Click New client secret.
  3. Enter a description (e.g., "SSPR Expiry Notifications").
  4. Select an expiration period (6, 12, or 24 months).
  5. Click Add.

Important: Copy the secret Value immediately! It's only shown once. If you lose it, you'll need to create a new secret.

Step 5: Configure API Permissions

  1. In your app registration, go to API permissions.
  2. Click Add a permission → Microsoft Graph → Application permissions.
  3. Add the following permissions:
     • Mail.Send - To send emails
     • User.Read.All - To read user information
     • GroupMember.Read.All - To read group memberships (if using Entra groups)
  4. Click Add permissions.
  5. Click Grant admin consent for your organization.

Note: You must be a Global Administrator or have permission to grant admin consent.

Configuration Fields

Tenant ID

Your Microsoft Azure AD Tenant ID (Directory ID). This is a unique identifier for your Azure AD organization.

How to find: Azure Portal → Azure Active Directory → Properties → Tenant ID

Client ID

The Application (Client) ID from your Azure AD App Registration. This identifies your application to Azure AD.

How to find: Azure Portal → Azure AD → App registrations → Your app → Overview → Application (client) ID

Client Secret

A secret value used to authenticate your application with Azure AD.

How to create: Azure Portal → Azure AD → App registrations → Your app → Certificates & secrets → New client secret

Important: Client secrets expire after a set period (typically 6-24 months). You'll need to create a new one before expiration and update it in the configuration.

Email Sender ID

The email address or User Principal Name (UPN) of the Microsoft 365 mailbox that will send password expiry notification emails.

  • This must be a valid mailbox in your Azure AD tenant
  • The mailbox needs appropriate permissions to send emails via Microsoft Graph API
  • Typically, this is an admin account or a dedicated service account mailbox
  • Example: notifications@yourcompany.com or admin@yourcompany.onmicrosoft.com

Email Frequency

Specify on which days before password expiry users should receive notification emails.

  • Enter comma-separated numbers representing days remaining
  • Example: 30,14,7,1 means users will receive emails when their password has 30, 14, 7, and 1 day(s) remaining
  • This allows you to send multiple reminders at different intervals
  • The system automatically calculates these dates based on each user's password last set date

Schedule Time

The time of day when password expiry notification emails will be sent.

  • Select the time in 24-hour format (HH:MM)
  • The scheduled job runs daily at this time to check for users whose passwords are expiring
  • Choose a time when your email server has low traffic, typically during business hours
  • Example: 09:00 for 9:00 AM or 14:30 for 2:30 PM

Email Subject

The subject line for password expiry notification emails. Make it clear and actionable.

Examples: "Your Password Will Expire Soon" or "Action Required: Password Expiry Notice"

Email Link

The URL link that will be included in password expiry notification emails.

  • This should point to your self-service password reset portal
  • Users will click this link to reset their password before it expires
  • Example: https://portal.yourcompany.com/reset or https://sspr.yourcompany.com
  • Make sure this URL is accessible to all users
  • Include this in your email template using the $EMAIL_LINK placeholder

Password Expiry Days

The maximum number of days a password is valid before it expires.

  • This should match your Active Directory password policy maximum age setting
  • Common values: 30, 60, 90, or 180 days
  • The system calculates expiry dates based on each user's pwdLastSet attribute from Active Directory
  • Ensure this matches your organization's password policy
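To make the interplay between Email Frequency and Password Expiry Days concrete, here is an added worked example of the daily check (illustrative code, not AdminGloves SSPR's own implementation): it converts the raw pwdLastSet FILETIME value, derives the expiry date from Password Expiry Days, and selects the users whose remaining days match the configured schedule. The sample accounts, dates and function names are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a raw pwdLastSet value to an aware UTC datetime.

    0 means the password was never set (or "must change at next logon"),
    so there is no expiry date to compute; that case returns None.
    """
    if filetime <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample data."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_frequency(spec: str) -> List[int]:
    """Parse the Email Frequency field ('30,14,7,1') into distinct day counts.

    Blank entries are ignored; anything non-numeric raises, so a typo in the
    admin console fails loudly instead of silently disabling reminders.
    """
    days = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(f"invalid Email Frequency entry: {part!r}")
        days.add(int(part))
    return sorted(days, reverse=True)


def days_remaining(pwd_last_set: int, expiry_days: int, today: datetime) -> Optional[int]:
    """Whole days until expiry (negative once expired); None if never set."""
    last_set = filetime_to_datetime(pwd_last_set)
    if last_set is None:
        return None
    expires = last_set + timedelta(days=expiry_days)
    return (expires.date() - today.date()).days


def users_to_notify(users: Iterable[Tuple[str, int]], expiry_days: int,
                    frequency: str, today: datetime) -> Dict[str, int]:
    """Return {upn: days_left} for users whose days-left matches the schedule.

    Only an exact match against a configured day count triggers an email,
    which is why a user with 60 days left gets nothing under '30,14,7,1'.
    """
    schedule = set(parse_frequency(frequency))
    hits: Dict[str, int] = {}
    for upn, pwd_last_set in users:
        left = days_remaining(pwd_last_set, expiry_days, today)
        if left is not None and left in schedule:
            hits[upn] = left
    return hits


def _ft(year: int, month: int, day: int) -> int:
    # Build a pwdLastSet FILETIME for a UTC midnight date (sample data only).
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))

# Constructed sample directory snapshot (not real accounts) for a run on
# 2024-06-01 with Password Expiry Days = 90 and Email Frequency = 30,14,7,1.
SAMPLE_TODAY = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    ("alice@example.com", _ft(2024, 3, 10)),  # expires 2024-06-08: 7 days left
    ("bob@example.com", _ft(2024, 5, 2)),     # expires 2024-07-31: 60 days left
    ("carol@example.com", _ft(2024, 3, 4)),   # expires 2024-06-02: 1 day left
    ("dave@example.com", _ft(2024, 1, 1)),    # expired on 2024-03-31
    ("erin@example.com", 0),                  # pwdLastSet = 0, never set
]


def run_sample() -> Dict[str, int]:
    """Users the 2024-06-01 run would email: alice (7 days) and carol (1 day)."""
    return users_to_notify(SAMPLE_USERS, 90, "30,14,7,1", SAMPLE_TODAY)
```

Note that a user whose password is already expired (dave) or never set (erin) receives nothing from this schedule; if you want those cases handled, they need their own notification path.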

Email Group

Optionally restrict password expiry notifications to specific users.

You can enter:

  1. Active Directory Organizational Unit (OU) in DN format:
    OU=Users,DC=example,DC=com

    Sends notifications to all users in that OU. Multiple OUs can be separated by semicolons.

  2. Microsoft Entra (Azure AD) Group GUID:
    a1b2c3d4-e5f6-7890-abcd-ef1234567890

    Sends notifications to all members of that Entra group. To find a group GUID: Azure Portal → Azure AD → Groups → Your group → Properties → Object ID

  3. Leave blank to send notifications to ALL users in your directory

Password Expiry Notifications - SMTP Email

Configure automated password expiry notification emails using SMTP (Simple Mail Transfer Protocol).

SMTP Server Configuration

SMTP is a standard protocol for sending emails. You can use any SMTP server, including:

  • Microsoft 365 / Office 365 SMTP
  • Gmail SMTP
  • On-premises Exchange Server
  • Third-party SMTP services (SendGrid, Mailgun, etc.)

SMTP Server Address

The hostname or IP address of your SMTP email server.

Common examples:

  • smtp.office365.com (Microsoft 365)
  • smtp.gmail.com (Gmail)
  • mail.yourcompany.com (on-premises Exchange)
  • smtp.sendgrid.net (SendGrid)

Enter the fully qualified domain name (FQDN) or IP address. Do not include smtp:// or mailto: prefixes.

Port

The TCP port number for SMTP communication.

Common ports:

  • 587 - SMTP submission with STARTTLS (recommended)
  • 465 - SMTPS with SSL/TLS
  • 25 - Standard SMTP (often blocked by ISPs)

Port 587 is the most commonly used for authenticated SMTP and works well with TLS encryption. Check with your email provider or IT administrator for the correct port.

SMTP Sender

The email address that will appear as the "From" address in password expiry notification emails.

  • This should be a valid email address from your domain
  • Users will see this address when they receive expiry notifications
  • Example: noreply@yourcompany.com or it-support@yourcompany.com
  • This address should be configured on your SMTP server and may need to be authorized for sending

SMTP User

The username for authenticating to your SMTP server.

  • For Microsoft 365: Use the full email address
  • For Gmail: Use your Gmail address
  • For on-premises Exchange: Use the username format required by your server (may be domain\username or UPN format)
  • This account must have "Send As" or "Send on Behalf" permissions

Password

The password for the SMTP user account.

  • For Microsoft 365 with MFA enabled: You must use an App Password (not your regular password)
  • For Gmail: Use an App Password
  • For on-premises Exchange: Use the account password
  • App Passwords are generated from your account security settings

Note: The password is stored encrypted in the database. If you change the password, enter the new password here and save.

Email Frequency

Same as Microsoft Graph Email - specify comma-separated days before expiry (e.g., 30,14,7,1).

Schedule Time

Same as Microsoft Graph Email - the time of day when notifications will be sent (24-hour format).

Email Subject

The subject line for password expiry notification emails sent via SMTP.

Email Link

The URL link that will be included in password expiry notification emails (same as Microsoft Graph Email).

Password Expiry Days

The maximum number of days a password is valid before it expires (same as Microsoft Graph Email).

Email Group

Optionally restrict password expiry notifications to users in specific Active Directory Organizational Units (OUs).

  • Enter the OU in Distinguished Name (DN) format: OU=Users,DC=example,DC=com
  • Multiple OUs can be separated by semicolons
  • SMTP expiry notifications only support AD OUs (not Entra/Azure AD groups)
  • To find an OU: Use Active Directory Users and Computers, right-click the OU → Properties → Attribute Editor → distinguishedName
  • Leave blank to send notifications to ALL users in your directory

On-Demand Notifications

Configure email notifications that are sent immediately when specific events occur (password reset success, account unlock).

Microsoft Graph Email

Uses the same Azure AD app registration as expiry notifications. Configure Tenant ID, Client ID, Client Secret, and Sender Email.

When used: Sends immediate notifications when users successfully reset their password or when accounts are unlocked.

Global SMTP

Configure SMTP settings for on-demand notifications. Similar to SMTP expiry configuration but used for immediate notifications.

Configuration fields: SMTP Host, Port, Security (TLS/SSL), Username/Email, Password, Sender Display Name, Sender Email

When used: Sends immediate notifications via SMTP when Graph Email is not configured or when SMTP is preferred.

Email Templates

Customize the email body templates for password reset, account unlock, and password expiry notifications.

Available Placeholders

  • $USERNAME or {{USERNAME}} - User's display name or username
  • $RemainingDays or $daysLeft - Days until password expiry
  • $expiryDate - Password expiry date (SMTP only)
  • $EMAIL_LINK - Password reset link URL
  • $($UserDetails.DisplayName) - MS Graph format for user details

Template Types

  • Password Reset Success Email Body - Sent when users successfully reset their password
  • Account Unlock Success Email Body - Sent when accounts are successfully unlocked
  • Password Expiry Notification Email Body - Sent for scheduled password expiry notifications

Tip: You can use HTML formatting for styling. Use the "Reset to Default" button to restore original templates.

Mobile Provider (SMS OTP)

Configure SMS provider for sending One-Time Password (OTP) codes to users' mobile phones.

Twilio Setup

Getting Credentials

  1. Sign up for a Twilio account
  2. Log in to Twilio Console
  3. Go to Dashboard → Account Info
  4. Copy your Account SID (starts with "AC")
  5. Click "View" to reveal your Auth Token
  6. Go to Phone Numbers → Buy a number (or use existing)
  7. Copy the phone number in E.164 format (e.g., +14155551234)

Configuration Fields

  • ACCOUNT SID - Your Twilio Account SID from the console
  • AUTH TOKEN - Your Twilio Auth Token (keep secret)
  • PROVIDER NUMBER / ID - Your Twilio phone number in E.164 format

MSG91 Setup

Getting Credentials

  1. Sign up for a MSG91 account
  2. Log in to MSG91 Dashboard
  3. Go to API → Your API Key (AuthKey)
  4. Copy your API Key
  5. Go to Sender ID → Add Sender ID (must be approved, 6 characters)
  6. Register your Sender ID (complies with DLT regulations in India)

Configuration Fields

  • API Key (AuthKey) - Your MSG91 API Key
  • Sender ID - Your registered 6-character Sender ID
  • Route - Optional: "4" for transactional (recommended for OTP)
  • Template ID - Optional: DLT-registered template ID (India)
  • Default Country Code - Optional: Default country code (e.g., "91" for India)
  • OTP Message Template - SMS template with {OTP} placeholder

Daily OTP Limit

The maximum number of OTP codes a single user can request per day.

  • Security measure to prevent abuse and brute-force attacks
  • Recommended values: 5-10 OTPs per day
  • Resets daily at midnight
  • Admins or Helpdesk can also reset the limit from Admin Console

Group Access

Control which users can access the self-service password reset system based on Active Directory group membership.

Allow All Groups

When enabled, all users in your Active Directory can use the system, regardless of group membership.

When disabled, only users who are members of the groups in the "Selected" list can use the system.

Adding Groups

  1. Type at least 2 characters of the group name in the "Add group" field
  2. Click "Search" or press Enter
  3. Select a group from the results
  4. The group will be added to the "Selected" list

Tip: Use group restrictions to limit access to specific departments or user groups. This helps with phased rollouts and security.

Service Account

Configure the Active Directory service account used for LDAP operations.

LDAP Address

The LDAP server address for connecting to your Active Directory.

  • Use ldaps:// (LDAP over SSL) for secure connections (recommended)
  • Use ldap:// for unencrypted connections
  • Include port: 636 for LDAPS, 389 for LDAP
  • Example: ldaps://ad.yourcompany.com:636

Base DN

The Base Distinguished Name (DN) is the root of your Active Directory domain.

  • Format: DC=domain,DC=com or DC=company,DC=local
  • Example: DC=admingloves,DC=net
  • Optional: If left blank, the system will auto-discover it from your domain controller's rootDSE
  • To find manually: Active Directory Users and Computers → Right-click domain → Properties → Attribute Editor → distinguishedName

Service Account Username

The username of the Active Directory service account.

Formats:

  • domain\username (domain backslash format)
  • username@domain.com (UPN format)
  • CN=ServiceAccount,OU=ServiceAccounts,DC=domain,DC=com (DN format)

Service Account Password

The password for the service account. Stored encrypted in the database.

Required permissions:

  • Read user attributes
  • Search directory
  • Reset user passwords (if password reset is enabled)
  • Unlock user accounts (if account unlock is enabled)

Security Best Practice: Use a dedicated service account (not a regular user account) with minimal required permissions. Consider using a managed service account (MSA) or group managed service account (gMSA).

Security Questions

Configure security questions that users can answer during enrollment and use for password reset verification.

Questions List

Define the list of security questions users can choose from during enrollment.

Good security questions are:

  • Personal but not easily guessable
  • Have answers that don't change over time
  • Not easily found on social media

Examples:

  • "What was the name of your first pet?"
  • "In what city were you born?"
  • "What was your mother's maiden name?"

Questions to Enroll

The number of security questions each user must answer and save during their initial enrollment.

  • Recommended: 3-5 questions
  • More questions provide better security but may be inconvenient
  • Answers are stored encrypted in the database

Questions to Answer

The number of security questions users must answer correctly during password reset to verify their identity.

  • Should be less than or equal to "Questions to Enroll"
  • Recommended: 2-3 questions
  • Provides a balance between security and user convenience

Password Requirements

Define informational password requirements that will be displayed to users when they create or reset their password.

These are informational messages shown to guide users on password creation rules. They complement the technical password policy enforcement.

Examples:

  • "Password must be at least 8 characters long"
  • "Password must contain at least one uppercase letter"
  • "Password must contain at least one number"
  • "Password cannot contain your username"

Password Policy

Configure technical password policy settings that are enforced when users create or reset passwords.

General Settings

  • Minimum Password Length - Minimum number of characters (common: 8, 10, 12)
  • Maximum Password Length - Maximum number of characters (common: 128 or 256)
  • Maximum Password Age (days) - Days before password expires (common: 30, 60, 90, 180)
  • Minimum Password Age (days) - Days before password can be changed again (common: 1-7)

Complexity Requirements

  • Password must meet complexity requirements - Enables Windows-style complexity (cannot contain username, must contain characters from at least 3 of: uppercase, lowercase, numbers, special characters)
  • Require Uppercase Letters - At least one A-Z
  • Require Lowercase Letters - At least one a-z
  • Require Numbers - At least one 0-9
  • Require Special Characters - At least one !@#$%^&*()_+-=[]{}|;:,.<>?

Note: These settings should match your Active Directory password policy for consistency.
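As an added example (not the product's own enforcement code), this validator implements the settings above: length limits, the Windows-style complexity rule (no username, at least 3 of the 4 character classes) and the individual Require flags, returning the same messages listed under Password Requirements. The PasswordPolicy field names and the sample accounts are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Special-character set as listed under "Require Special Characters".
SPECIAL_CHARACTERS = set("!@#$%^&*()_+-=[]{}|;:,.<>?")


@dataclass
class PasswordPolicy:
    """Mirror of the General Settings and Complexity Requirements fields."""
    min_length: int = 8
    max_length: int = 128
    windows_complexity: bool = True  # "Password must meet complexity requirements"
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False


def character_classes(password: str) -> Dict[str, bool]:
    """Which of the four Windows character classes the password uses."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIAL_CHARACTERS for c in password),
    }


def validate_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable.

    Messages reuse the wording from the Password Requirements section so the
    same strings can be shown back to the user.
    """
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"Password must be at least {policy.min_length} characters long")
    if len(password) > policy.max_length:
        problems.append(f"Password must be at most {policy.max_length} characters long")

    classes = character_classes(password)
    if policy.windows_complexity:
        # AD skips the username check for account names shorter than 3 characters,
        # and compares case-insensitively; both behaviours are mirrored here.
        if len(username) >= 3 and username.lower() in password.lower():
            problems.append("Password cannot contain your username")
        if sum(classes.values()) < 3:
            problems.append("Password must contain characters from at least 3 of: "
                            "uppercase, lowercase, numbers, special characters")

    if policy.require_upper and not classes["upper"]:
        problems.append("Password must contain at least one uppercase letter")
    if policy.require_lower and not classes["lower"]:
        problems.append("Password must contain at least one lowercase letter")
    if policy.require_digit and not classes["digit"]:
        problems.append("Password must contain at least one number")
    if policy.require_special and not classes["special"]:
        problems.append("Password must contain at least one special character")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=10, require_special=True)
    for candidate in ("Summer2024!", "jdoe1234", "Short1!"):  # constructed samples
        print(candidate, "->", validate_password(candidate, "jdoe", policy) or "OK")
```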

Account Policy

Configure account lockout behavior and authentication attempt limits.

Security Settings

  • Max Failed Login Attempts - Maximum consecutive failed login attempts before lockout (common: 3-5)
  • Lock Duration (minutes) - Minutes account remains locked (common: 15-60)
  • Failed Window (minutes) - Time window for counting failed attempts (common: 15-60)
  • Max Security Q Attempts - Maximum incorrect security question answers (common: 3-5)
  • Security Q Lock (minutes) - Minutes locked from security questions after max attempts (common: 15-60)

OTP Settings

  • Max OTP Attempts - Maximum incorrect OTP code attempts (common: 3-5)
  • OTP Lock (minutes) - Minutes locked from entering OTP codes (common: 5-15)
  • OTP Window (minutes) - Time window for counting OTP attempts, also OTP validity period (common: 5-10)

Authentication Methods

Enable which authentication methods users can use for password reset and account unlock.

Mobile OTP

Users receive OTP codes via SMS to their registered mobile phone number.

  • Requires mobile SMS provider (Twilio or MSG91) to be configured
  • Users must enroll their mobile number first
  • Convenient and widely-used method

Authenticator App

Users use authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) to generate OTP codes.

  • Users scan a QR code during enrollment
  • Provides strong security without requiring SMS or email
  • Works offline once enrolled

Security Questions

Users answer security questions they enrolled during initial setup.

  • Doesn't require phone or email
  • Less secure than OTP methods
  • Good for backup authentication

Email OTP

Users receive OTP codes via email to their registered email address.

  • Requires email configuration (Microsoft Graph or SMTP)
  • Users must have a valid email address in Active Directory
  • Convenient for users who prefer email over SMS

Alerts

Configure automated alerts and compliance reports sent via email.

Email Lists

Create email lists that will receive alert notifications. Enter comma-separated email addresses.

Alert Configuration

  • Alert Name - Descriptive name for the alert
  • Alert Type - Critical Events, Failed Logins, Account Lockouts, High Priority Events, Agent Added, Digest Report, Custom
  • Report Type - Optional: SOX, GDPR, HIPAA, SECURITY, All Reports, or None
  • Severity Level - Info, Warning, or Critical
  • Format - Event Only, PDF, CSV, or Excel
  • Email List - Select the email list that will receive alerts

Schedule Types

  • Real-time - Sent immediately when events occur
  • Daily - Sent once per day at specified time
  • Weekly - Sent once per week on specified day and time
  • Monthly - Sent once per month on specified day and time

Filters

Optional filters to focus alerts on specific activities, accounts, or priority levels.

API & Webhooks

Configure API keys and webhooks for integrating with external systems.

API Keys

Generate API keys for programmatic access to the system.

  • API Key Name - Descriptive name for identification
  • Rate Limit - Maximum requests per minute (common: 60-1000)
  • Copy the API key immediately after creation - it's only shown once
  • Use the API key in the Authorization header: Bearer YOUR_API_KEY

Webhooks

Configure webhooks to receive real-time event notifications.

  • Webhook Name - Descriptive name for identification
  • Webhook URL - HTTPS endpoint that will receive POST requests with JSON payloads
  • Events - Select events: Password Reset, Account Unlock, Critical Audit Events, MFA Enrollment
  • Timeout - Request timeout in seconds (default: 30)
  • Retry Attempts - Number of retries for failed deliveries (default: 3)

Security: Use the webhook secret (shown after creation) to verify the authenticity of incoming webhooks. Always use HTTPS for webhook URLs.
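The page does not state how the webhook secret is applied, so this added receiver example (not AdminGloves code) assumes a common scheme: HMAC-SHA256 over a timestamp and the raw request body, carried in hypothetical X-Webhook-Signature and X-Webhook-Timestamp headers, with a replay window. Check the product's webhook reference for the real header names and encoding before relying on it; the secret and payload below are constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Mapping, Optional

# Hypothetical header names for this illustration; the product's actual
# header and encoding are not given on this page.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries older than 5 minutes (replay guard)


def sign_payload(secret: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded.

    Binding the timestamp into the MAC means a captured delivery cannot be
    replayed later under a fresh timestamp.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_delivery(secret: str, headers: Mapping[str, str], body: bytes,
                    now: Optional[int] = None) -> bool:
    """True only if the signature is valid AND the timestamp is fresh.

    Verify the raw request bytes before parsing them as JSON; re-serialised
    JSON will not reproduce the sender's exact bytes.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None or not ts_raw.isdigit():
        return False
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_payload(secret, ts, body)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, sig)


def handle_event(secret: str, headers: Mapping[str, str], body: bytes,
                 now: Optional[int] = None) -> Optional[dict]:
    """Parse the event only after verification; None means 'drop it'."""
    if not verify_delivery(secret, headers, body, now):
        return None
    return json.loads(body)


# Constructed sample delivery (secret and payload are made up for the demo).
SAMPLE_SECRET = "whsec_demo_not_a_real_secret"
SAMPLE_TS = 1_700_000_000
SAMPLE_BODY = json.dumps({"event": "password_reset", "user": "jdoe"}).encode()
SAMPLE_HEADERS = {
    TIMESTAMP_HEADER: str(SAMPLE_TS),
    SIGNATURE_HEADER: sign_payload(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_event(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 5))
```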

Admin Dashboard

The admin dashboard provides an overview of system status and allows you to manage users, computers, and groups.

Dashboard Tiles

  • Total Enrolled - Number of users who have completed enrollment
  • Security QnA - Users enrolled in Security Questions
  • Mobile OTP - Users enrolled in Mobile OTP
  • Authenticator App - Users enrolled in Authenticator App
  • Email OTP - Users enrolled in Email OTP
  • Security Posture Score - Overall security score (0-100)
  • Compliance Status - Compliance status based on configured requirements
  • Failed Auths (24h) - Failed authentication attempts in last 24 hours
  • High Risk Events (7d) - High-risk security events in last 7 days
  • Active Violations - Active security policy violations

User Search

Search for users in Active Directory by username, UPN, email, or display name.

  • Search is case-insensitive and supports partial matches
  • After searching, you can view user details, unlock accounts, or reset passwords

Status Indicators

  • Account Lock - Indicates if the user's account is currently locked
  • MFA Block - Indicates if multi-factor authentication is blocked for the user
  • Enrollment Status - Shows which authentication methods the user has enrolled

Actions

  • Unlock Account - Unlocks a locked user account
  • Reset Password - Resets a user's password (user will be required to change it on next login)

Computer Search

Search for computers in Active Directory by computer name or NetBIOS name.

Group Management

Add users to groups or remove users from groups in Active Directory.

Frequently Asked Questions (FAQ)

What is the SSPR product and what features does it offer?

SSPR (Self-Service Password Reset) allows users to securely reset their AD passwords without contacting the IT team. It supports identity verification, OTP, security checks, password expiration handling, lock-screen integration, and a simple management console.

Where can I deploy the SSPR product (supported operating systems)?

SSPR can be deployed on modern Windows Server and Linux environments. The installer supports both platforms through simple guided setup scripts.

What are the system requirements for running SSPR?

Minimum recommended: 4 GB RAM, dual-core CPU, Java 21 or later, and MySQL/MariaDB. Actual requirements depend on the user volume and environment size.

Which Java versions are supported?

SSPR supports Java 21 or higher. Both OpenJDK and Oracle JDK are compatible.

Which databases are supported?

SSPR supports both MySQL and MariaDB. You may choose either during installation.

How can I switch between MySQL and MariaDB after installation?

You can re-run the configuration section of the installer and update the database connection settings. The schema format is compatible with both engines.

What ports need to be open for SSPR?

SSPR typically requires port 8080 or HTTPS 443 for web access, plus standard LDAP/LDAPS ports depending on your directory configuration.

How do I deploy SSPR on WildFly?

The installer automatically handles deployment into WildFly using the provided scripts. No manual steps are required except verifying the application path.

How do I configure LDAP connection settings in SSPR?

LDAP settings can be configured during installation or updated later from the configuration section. Simply enter your domain controller address, base DN, and service account details.

How do I enable LDAPS (secure LDAP over TLS)?

LDAPS can be enabled by pointing SSPR to your LDAPS server (port 636) and trusting the certificate in the server's JVM. Once the certificate is trusted, SSPR will automatically use TLS-secured communication.

How do I import an LDAPS certificate into the Java keystore?

Export the LDAPS certificate and run:

keytool -import -alias ldaps -keystore "%JAVA_HOME%/lib/security/cacerts" -file cert.cer

After importing, restart the SSPR service.

What is the correct keytool command to trust the LDAPS certificate?

keytool -importcert -trustcacerts -alias ldaps-cert -file yourcert.cer -keystore cacerts

You will be prompted for the keystore password (default: changeit).

How do I verify if LDAPS is working?

You can test LDAPS connectivity with PowerShell, OpenSSL, or ldapsearch. If the certificate is trusted and the domain controller is reachable, SSPR will connect securely.

Does SSPR support multiple domain controllers?

Yes. You may point SSPR to multiple DCs for redundancy and high availability.

How do I configure HTTPS/SSL for the SSPR web portal?

You can generate or upload an SSL certificate for WildFly. Once HTTPS is enabled, all SSPR traffic will be served securely.

How do I install an SSL certificate for WildFly?

Create or import a keystore file, then update the WildFly HTTPS listener to use your certificate. The installation guide includes the required commands.

Can I use Let's Encrypt certificates with SSPR?

Yes. You can generate a Let's Encrypt cert externally and import it into WildFly's keystore.

How do I update or renew my SSL certificate?

Replace the certificate files in the WildFly keystore and restart the service. The existing configuration will continue to work.

How do users perform self-service password reset?

Users can start a reset from the web portal, the Android app, the iOS app, or the Windows lock screen: they verify their identity using the configured methods (e.g., OTP) and then securely set a new password without IT involvement.

Does SSPR support Windows lock-screen password reset?

Yes. The Windows lock-screen extension allows users to reset their password directly from the login screen without signing in.

Can SSPR send notifications for password reset attempts?

Yes. SSPR supports notifications for verification codes and password reset confirmations via email or SMS depending on your configuration.