Verify that the separate maximum attempt failure threshold that you have defined for a realm that is configured with OTP authentication is correctly configured.
The following procedure assumes the following conditions:
Follow these steps:
The account should not be locked.
The account should not be locked.
The account should be locked.
You have successfully configured a separate maximum attempt threshold for one-time password authentication.
Range: 0 or 30-180 days
Default: 0
Recommended: 90
Complexity Level: Basic
If a security breach does occur because a password becomes known, the breach is immediately closed when the password changes. By requiring your users to periodically change their passwords, you can close any breaches that you don't even know about.
This setting controls how often users must change their passwords.
When a password fully expires, the user is disabled and the configured action taken (email, redirection).
This setting controls the amount of time that can pass between when the user last changed his password (or was created) and when the password must be changed. Related settings, described below, control warnings and grace periods.
For users stored in a Windows NT Directory, Expiration Delay is not honored. APS honors the password expiration date set in the NT User record. Expiration Warning is honored as described below, though it is relative to the expiration date set in the NT user record. Expiration Grace and Grace Logins are not honored for NT users, thus, when an NT user's password expires, that user is immediately disabled.
Password Expiration=90
Password Expiration={@Employees} 60
Note: For users stored in LDAP or ODBC directories, the administrator can modify some of the behavior of APS when doing a password expiration check. Before using this setting, APS will check the user's record for a value for the attribute smapsExpirePasswordDays. If set, APS will use the number of days so specified. This feature should be rarely, if ever, used, since it causes a performance hit and creates maintenance problems. It is intended to override specific users, such as administrators, whose password should never expire.
Range: 0-99 days
Default: 0
Recommended: 7
Complexity Level: Basic
When a password expires, the user's access to the system is revoked. It is far user-friendlier to warn the user that their password will expire shortly. This setting determines how long before a password expires should the user be warned.
The warning takes the form of email and/or redirection (which must be configured for this setting to work) occurring each time that the user logs in during this period.
Expiration Warning=7
Expiration Warning={@Customers} 10
Range: 0-99 days
Default: 0
Recommended: 7
Complexity Level: Basic
If a user logs in during the Expiration Warning period, defined as the Password Expiration Date less the number of days specified by the Expiration Warning setting above, an event fires and the system takes immediate action (redirection and/or mail sent). However, this process is triggered by an actual authentication attempt.
This setting allows a site to send email warning users of password expiration even if the user does not authenticate. The APSExpire utility will send email to users before their password expires using this setting.
Note that this setting may appear more than once. If so, APSExpire will send the email each time within the period that it is run. Thus, a site can send email 15, 10 and 5 days before the password actually expires.
Offline Expiration Warning=15 Offline Expiration Warning=10 Offline Expiration Warning=5
Range: 0-99 days
Default: 0
Recommended: 7-14 days
Complexity Level: Intermediate
Once password expiration is reached, APS no longer treats password changes as optional (it becomes required). How many days after the password expires should APS actually disable the user?
This setting is not honored for users in a Windows NT Domain Directory.
Expiration Grace=30
Expiration Grace={@Employees} 7
Range: 0-5
Default: 0
Recommended: no
Complexity Level: Advanced
Once password expiration is reached, APS no longer treats password changes as optional (it becomes required). This setting indicates how many times the user will be allowed to login after the password expires and before the user is disabled.
All but the last grace login are optional. The last grace login will not be optional (using the default form and AZRedirect).
If both Grace Logins and Expiration Grace settings are used, the first value to be used up will cause the user to be disabled. In other words, if the Expiration Grace period expires before the user has consumed all of the available Grace Logins, the user is disabled. If all Grace Logins are consumed, the user is disabled, even if the Expiration Grace period has not expired.
Note that the user will be allowed to login when this value is reached. However, if the password is not changed, the next login attempt will cause the user to be disabled.
This setting is not honored for users in a Windows NT Domain Directory.
Grace Logins=3
Grace Logins={@Employees} 2
Range: 0-365 days
Default: 0
Recommended: 90 days
Complexity Level: Basic
This setting controls the maximum amount of time that can occur between user logins. A user attempting to log into an account that has remained dormant for more than this amount of time will cause the account to become disabled. Thus, an old, dormant account that may have been overlooked will be less of a security threat.
For example, one of your employees leaves the company to join one of your competitors. Your Human Resources department does not notify you of the separation. Since the account remains unused for 30 days (before the employee attempts to reconnect), when the attempt is made, the account is disabled (and, optionally, mail can be sent to the administrator).
By default, this setting is reactive, meaning that the account is not actually disabled until it is used, not when the time limit expires. To be proactive, that is, to have APS disable users (LDAP and ODBC users only) when the account actually expires, use the APSExpire utility.
When APSExpire is used, if the user eventually logs in (after being disabled), APS cannot do special redirection to notify the user that he has been disabled due to inactivity, only that the user is disabled.
If APSExpire is used, then you can send warning mail to expiring users several days before the account actually expires. This functionality is controlled by the Inactivity Warning setting below.
For Windows NT Directories, APS honors the Account Expiration date set in the NT User record rather than this setting.
Max Inactivity=90
Max Inactivity={@Admins} 180
Note: For users stored in LDAP and ODBC directories, the administrator can modify some of the behavior of APS when doing this check. Before using this setting, APS will check the user's record for a value for the attribute smapsAccountInactivityDays. If set, APS will use the number of days so specified. This feature should be rarely, if ever, used, since it causes a performance hit and creates maintenance problems. It is intended to override specific users, such as administrators, that are accessed rarely and should never be disabled due to inactivity.
Range: 0-99 days
Default: 0
Recommended: 7-10 days
Complexity Level: Intermediate
If the APSExpire utility is used, then you can send warning mail to expiring users several days before the account actually expires. This setting controls how long before the user record expires such mail is sent.
The mail may not actually be sent this number of days before expiration, since the APSExpire utility may not run. The utility will generate mail when a user's record will expire within this number of days and such mail has not already been sent.
Since APSExpire can only be used for LDAP or ODBC users, this setting does not apply to users in a Windows NT directory.
Inactivity Warning=5
Inactivity Warning={@Customers} 10
Range: 0-730 days
Default: 0
Recommended: 30 days
Complexity Level: Advanced
An account disabled due to inactivity will remain in the User Directory, theoretically forever. The APSAdmin utility will report all users that have been disabled (due to Account Inactivity) for this many days as "eligible for purge". Note that APS will never actually delete a user.
Since APSExpire can only be used for LDAP or ODBC users, this setting does not apply to users in a Windows NT directory.
Purge After=30
Purge After={@Customers} 365
|
Copyright © 2014 CA.
All rights reserved.
|
|