Incorrect Password Group Box
The Incorrect Password group box is where you can specify how many failed logins are allowed before a user account is disabled. Additionally, you can specify how long the account is disabled before a user can attempt to log in again.
Note: This group box is only available if the Track login details check box is enabled.
Specifies the number of consecutive failed login attempts a user can make before the user account is disabled. Limiting the number of unsuccessful attempts protects against programs designed to access a resource by repeatedly trying passwords until the correct one is found. If a user fails to log in correctly after the specified number of attempts, the Policy Server disables the user’s account. The account must be re-enabled by an administrator.
If you use an HTML forms authentication scheme with the default login.fcc template that ships with the SiteMinder Agent, you should set the smretries parameter in the login.fcc file to 0, so that the password policy determines the number of retries allowed based on the value you enter in this field.
Note: The SMTRYNO cookie may be used during authentication. For example, it can be used to track and display a message that indicates the current number of failed login attempts. If you need the SMTRYNO cookie to be set, then smretries may be set to a value higher than the number of tries allowed before Password Services disablement (for example, @smretries=6 if the number of tries allowed in the Password Policy is 3). This will make sure that a user is disabled instead of redirected to the .unauth page, but it will still allow the SMTRYNO counter to be set.
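The check below applies the two rules above to the text of a login.fcc file. It is an added example, not CA code or part of the original page. The function names, status labels and sample template text are assumptions made for illustration; only the @smretries directive and the "0, or higher than the policy limit" rule come from the text.

```python
def find_smretries(fcc_text):
    """Return every value assigned to @smretries in the FCC template text."""
    values = []
    for line in fcc_text.splitlines():          # splitlines() also handles CRLF files
        name, sep, value = line.strip().partition("=")
        # Directive name compared case-insensitively as a precaution (assumption).
        if sep and name.strip().lower() == "@smretries":
            values.append(value.strip())
    return values


def check_smretries(fcc_text, policy_max_failures):
    """Compare @smretries with the failed-login limit set in the password policy.

    Returns (status, detail), where status is "ok", "conflict" or "review".
    """
    values = find_smretries(fcc_text)
    if not values:
        return ("review", "no @smretries directive found")
    if len(values) > 1:
        return ("review", "multiple @smretries directives: " + ", ".join(values))
    raw = values[0]
    if not (raw.isascii() and raw.isdigit()):
        return ("review", "non-numeric @smretries value: %r" % raw)
    retries = int(raw)
    if retries == 0:
        # Rule 1: 0 leaves the retry count to the password policy.
        return ("ok", "password policy alone determines the retries allowed")
    if retries > policy_max_failures:
        # Rule 2: higher than the policy limit, so the account is disabled
        # rather than the user being redirected to the .unauth page.
        return ("ok", "policy disables the account first; SMTRYNO can still be set")
    return ("conflict", "@smretries=%d is not higher than the policy limit of %d"
            % (retries, policy_max_failures))


# Constructed sample, not the template that ships with the SiteMinder Agent.
SAMPLE_FCC = """<!-- constructed sample for this example -->
@smretries=3
<html><body><form method="post">...</form></body></html>
"""

if __name__ == "__main__":
    # Password policy allows 3 failed logins in this constructed scenario.
    print(check_smretries(SAMPLE_FCC, policy_max_failures=3))
```

A "conflict" result means the template's own retry limit is reached no later than the policy limit, which is the situation the note above says to avoid.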
Important! This value should be set carefully. The Policy Server searches for users by checking all of the user directories bound to a policy. If three users with the same user name exist in separate directories, the Policy Server checks the password against each user name until it finds a match. For each user name the password does not match, the Policy Server records a failed attempt. If the number of failures is set too low, the Policy Server may incorrectly disable an account.
Specifies the length of time (in minutes) that a user must wait before the user is allowed another login attempt or the account is re-enabled (see below). If the user enters another incorrect password, the Policy Server disables the account again. The user must wait the specified amount of time before trying again.
If selected, specifies that when a user enters an incorrect password, they are allowed another login attempt after the specified number of minutes.
If selected, specifies that when a user enters an incorrect password, their account is re-enabled after the specified number of minutes.
Copyright © 2011 CA. All rights reserved.