Articles in this section

See more
Print

Сonfiguration of Self-Service password & profile management

  • Updated
Follow

Contents:

 

Steps for configuring Password & Profile management

Users can be delegated access to change existing passwords or update their account profiles immediately. However, before a user can use self-service to reset a forgotten password and unlock an account, the user must enroll by answering a series of questions. Later, when the user forgets a password, these answers are used in place of the forgotten password to authenticate the identity of the user and allow them to create a new password.

The general steps for configuring Password & Profile Management are as follows:

  1. Configure the Password Self-Service Enrollment Details Web Action

    1. Set data encryption password

    2. Set answer length and quantity requirements

    3. Define end-user questions

  2. Delegate Self-Service Password & Profile Management

  3. Configure User Notifications

 

Active Directory Account Name History attribute

The enrollment details for each Active Directory user is stored on the user’s object in Active Directory in the AccountNameHistory attribute. An example of the data stored in the AccountNameHistory attribute is Encrypted Questions and Answers and the date and time of both Welcome and Reminder Notifications.

 

Configure the Password Self-Service Enrollment Details web action

The process that allows a user to both enroll and later use the forgotten password reset features is controlled by the Self-Service Password Self-Service Enrollment Details web action. This action can only be configured by a Cayosoft Administrator Global Administrators Role trustee.

 

Setting the data encryption password

  1. Open the Cayosoft Configuration Console

  2. Navigate to  Self-Service - Password Self-Service Enrollment Details

  3. Locate the Password to encrypt data in the AD setting in the action section of the rule

  4. Click the selector button to the right side of the field

    (The selector is a small square button to the right of the field […])

  5. Enter a password that will be used to encrypt user answers

    SS_PwdWebAction.png

  6. Click OK

  7. Click Save Changes

 

Setting Question & Answer details

Minimum answer length (Characters) – this setting enforces the minimum length of answers provided by the end-user during enrollment. By setting a higher number for answer length, the complexity of the answers will be increased.

Minimum number of questions per user – this setting selects the number of questions that a user must answer during both enrollment and later when using the forgotten password service

Questions 1 through 5 – each question field is presented to the user during enrollment as a drop-down list of questions from which they may choose.

Enable question shared with Help Desk – this option adds a question that must be answered by the user during enrollment. This question and the answer provided by the user are made available to anyone that is delegated the permissions to use the Validate User Identity option in the Cayosoft Web Portal.

Tip: To change the default questions, simply change an existing question or add additional questions separated by a | symbol. Each question should elicit an answer that is not easily guessed, or that may be easily found on the Internet or from other public sources.

Example:
What is your favorite movie? |
What was the make of your first car?

 

More Options

Password complexity description – use this setting to enter the password complexity requirements the user must follow when creating a password. 

Enforce domain password policies – this setting allows you to specify whether to enforce the domain password policies like password history, password age, length, and domain complexity requirements for the Change my password action in Self Service and for I forgot my password link on the login page.

Note: Password age determines the period of time (in days) that a password must be used before the user can change it. By default in the domain password policy the Password Age is set to one day. It means that a user can reset his password only a day after the password was set. If a user tries to reset it earlier he will get the general error: The password does not meet the length, complexity, or history requirement of the domain.

 

Brute force protection with account lockout

A brute force login attack is one of the most common attacks conducted against Web applications. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. 

The best way to prevent brute-force attacks is to limit invalid login attempts and lock out the user account for a period of time. This prevents automated tools from performing a brute force attack and effectively makes it impractical to perform such an attack.

Cayosoft Web Administrator has brute force attack protection. By default, after 5 unsuccessful attempts to reset the password or unlock the account using SelfService, a user gets the message: "You have made too many attempts. Please wait and try again later". After that, a user should wait for 10 minutes before trying to perform these operations again. Starting from the 8.3.1 version, a ccount lockout invalid attempts and account lockout period can be specified in Self-Service - Password Self-Service Enrollment Details web action – Cayosoft Help Center.

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.