Manage Policy - User Settings

This tab will show the user settings for this policy.

This tab contains the following information:

Fields Contents
Dynamic User Registration

Specifies whether the Dynamic User Registration (DUR) feature is enabled for the policy. If this feature is used, when the IDENTIKEY Authentication Server receives an authentication request for a User for the first time and back-end authentication is successful, it will create a DIGIPASS user account automatically. If DUR is used together with Auto-Assignment, a DIGIPASS will be assigned to the new user account immediately.

This setting also determines whether the provisioning registration process is allowed to perform DUR or not.

User Info Synchronization

Specifies whether the DUR user information synchronization feature is enabled for the policy. If this feature is used, IDENTIKEY Authentication Server will retrieve user information from an LDAP back-end system when a user account is created using Dynamic User Registration. User information attributes that can be retrieved include the user display name and contact data (mobile and landline numbers, and e-mail address).
Password Auto-learn

Specifies whether the Password Autolearn feature is enabled for the policy. This feature enables IDENTIKEY Authentication Server to update the password stored in the DIGIPASS user account when back-end authentication is successful.

This setting also determines whether the provisioning registration process will update the password after successful back-end authentication or not.

Stored Password Proxy

Specifies whether the stored password proxy feature is enabled for the policy. This feature can be used together with the back-end authentication setting and the Password Autolearn feature. With this combination, even though a back-end authentication check is done during every logon, it is done using the password stored in the DIGIPASS user account. Therefore the user does not have to enter it during the logon, unless it has changed in the back-end system. This mode of operation is referred to as Password Replacement.

To enforce static password verification during offline authentications via DIGIPASS Authentication for Windows Logon, you need to disable Stored Password Proxy and set Back-End Authentication to Always.

Account Lockout
User Lock Threshold

Specifies the number of invalid logon attempts that are allowed before a DIGIPASS user account is locked. For example, if User Lock Threshold is 3, the account will become locked on the third failed logon attempt. Unlocking the account requires administrator action, unless user auto-unlock is enabled.

Note that not all kinds of logon failure will result in locking. For example, if the user ID is incorrect or the account is disabled, the failure does not count towards the lock threshold. Locking is used mainly for incorrect OTPs and static passwords.

The locking mechanism is also used for provisioning and signature validation.

Minimum Lock Duration

The time span a locked DIGIPASS user account remains locked before a user can try to authenticate again and unlock it using user auto-unlock. The value is given in minutes.

Applies only if user auto-unlock is enabled, i.e. Maximum Unlock Tries is set to a value other than 0.

Possible values: 0–99999

Lock Duration Multiplier

The multiplier factor to increase the lock duration (initial value specified by Minimum Lock Duration) after each unsuccessful authentication. The value is given in percent. For example, a value of 200 effectively doubles the lock duration after each unsuccessful authentication.

Applies only if user auto-unlock is enabled, i.e. Maximum Unlock Tries is set to a value other than 0.

Possible values: 100–500

Maximum Unlock Tries

The maximum number of attempts to unlock a locked DIGIPASS user account during authentication (user auto-unlock) before it is permanently locked. A locked DIGIPASS user account with no unlock attempts left can only be unlocked manually by an administrator.

Setting this value to 0 effectively disables user auto-unlock.

Possible values: 0–999
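The four Account Lockout settings above interact: the threshold decides when a lock starts, the minimum duration and multiplier decide how long each successive lock window lasts, and the unlock-try limit decides when the account becomes an administrator-only problem. The following Python model is an added example written for this page; it is not IDENTIKEY code, and the policy values, the minute-based clock and the rule that attempts made inside a running lock window are refused without counting are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """Account Lockout settings as named on this page (values are constructed)."""
    user_lock_threshold: int = 3          # failed logons before the account locks
    minimum_lock_duration: int = 5        # minutes, 0..99999
    lock_duration_multiplier: int = 200   # percent, 100..500
    maximum_unlock_tries: int = 2         # 0..999, 0 disables user auto-unlock


@dataclass
class AccountLockState:
    failed_logons: int = 0
    locked_until: Optional[int] = None    # minute at which the current lock window ends
    current_lock_duration: int = 0
    unlock_tries_used: int = 0
    permanently_locked: bool = False      # only an administrator can clear this

    @property
    def locked(self) -> bool:
        return self.permanently_locked or self.locked_until is not None


def _clear(state: AccountLockState) -> None:
    state.failed_logons = 0
    state.locked_until = None
    state.current_lock_duration = 0
    state.unlock_tries_used = 0
    state.permanently_locked = False


def administrator_unlock(state: AccountLockState) -> None:
    """Manual unlock by an administrator; the only way out of a permanent lock."""
    _clear(state)


def record_logon(policy: LockoutPolicy, state: AccountLockState, now: int,
                 credential_ok: bool) -> str:
    """Apply one logon attempt made at minute `now` and return the outcome.

    `credential_ok` is the result of OTP / static password verification. Failures such as
    an unknown user ID never reach this function, matching the page's note that not every
    logon failure counts towards the lock threshold.
    """
    if state.permanently_locked:
        return "permanently_locked"
    if state.locked_until is not None:
        # Assumption: attempts inside the lock window are refused and do not count.
        if now < state.locked_until:
            return "locked"
        # The window has elapsed, so this attempt is a user auto-unlock try.
        if credential_ok:
            _clear(state)
            return "accepted"
        state.unlock_tries_used += 1
        if state.unlock_tries_used >= policy.maximum_unlock_tries:
            state.permanently_locked = True
            state.locked_until = None
            return "permanently_locked"
        # Lock again, with the previous duration scaled by the multiplier (percent).
        state.current_lock_duration = state.current_lock_duration * policy.lock_duration_multiplier // 100
        state.locked_until = now + state.current_lock_duration
        return "rejected"
    if credential_ok:
        state.failed_logons = 0
        return "accepted"
    state.failed_logons += 1
    if state.failed_logons >= policy.user_lock_threshold:
        if policy.maximum_unlock_tries == 0:
            state.permanently_locked = True      # auto-unlock disabled: administrator only
            return "permanently_locked"
        state.current_lock_duration = policy.minimum_lock_duration
        state.locked_until = now + state.current_lock_duration
    return "rejected"


def lock_durations(policy: LockoutPolicy) -> List[int]:
    """Lock windows (minutes) a user faces, in order, before the account is permanently locked."""
    durations = []
    duration = policy.minimum_lock_duration
    for _ in range(policy.maximum_unlock_tries):
        durations.append(duration)
        duration = duration * policy.lock_duration_multiplier // 100
    return durations
```

With the constructed defaults (threshold 3, 5 minutes, 200 %, 2 unlock tries) a user who keeps failing sees lock windows of 5 and then 10 minutes and is then locked for good; `lock_durations` prints that schedule for any policy, which is a quick way to sanity-check a multiplier before rolling a policy out.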

Max Days Between Authentications

Specifies the number of days a DIGIPASS user account can remain inactive before it is suspended. If the account has been suspended, the user will not be able to log on. The user will be notified during authentication that the DIGIPASS user account has been suspended. By default, an administrator account expires when no operations have been performed during the last 90 days.

You can reactivate a suspended DIGIPASS user account with the Reset Last Authentication Time action in the User Account tab of the User Properties page.

Setting this value to 0 effectively disables this feature. DIGIPASS user accounts that are suspended at the time the feature is being disabled will become active again with the next successful user authentication.

Account Constraints
Default Domain

The default domain in which IDENTIKEY Authentication Server should look for and create a DIGIPASS user account, if a domain is not specified by the user credentials.

Accepted Domain

Only users from this domain will be accepted; all others will be refused.
Local Admin Users

Indicates whether a user who has administrative privileges is allowed to perform non-administrative tasks.

Possible values:

  • Default. Use the setting of the parent policy.
  • Accept. Allow this user to proceed through the transaction.
  • Reject. Do not allow this user to proceed through the transaction.
  • Required. This user MUST have administrative privileges to proceed with processing.
Windows Group Check

Specifies whether and how the Windows Group Check feature is to be used. This feature is typically used for a staged DIGIPASS deployment when the Auto-Assignment method is used. It can also be used when only some users are required to use a DIGIPASS authenticator or when only some users will be permitted access and they have to use a DIGIPASS authenticator.

Possible values:

  • Default. Use the setting of the parent policy.
  • No check. Do not use Windows Group Check.
  • Pass requests for users not in listed groups back to host system. Use Windows Group Check so that any users who are not in one of the listed groups are ignored by IDENTIKEY Authentication Server. Use of this setting for provisioning or signature validation will have the same effect as Reject requests for users not in listed group.
  • Reject requests for users not in listed group. Use Windows Group Check so that any users who are not in one of the listed groups are rejected by IDENTIKEY Authentication Server.
  • Use only back-end authentication for users not in listed groups. Use back-end authentication only for any users who are not in one of the listed groups. Use of this setting for provisioning or signature validation will have the same effect as Reject requests for users not in listed group.
Nested Groups

Determines whether the Nested Groups feature is to be used for Windows Group Check during user authentication.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Nested Group feature is not used.
  • Yes. Nested Groups feature is used.

Using nested groups changes the behavior of the Windows back end with regard to:

  • Windows name change: When upgrading to a higher version of IDENTIKEY Authentication Server, the administrator must re-add local domain groups, as the naming conventions have been changed.
  • Local (non-domain) users and groups can no longer be used after upgrading to a higher version of IDENTIKEY Authentication Server.
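The Windows Group Check values above, the Nested Groups switch and the Default value that defers to the parent policy are easiest to understand as one decision function. The following Python model is an added example for this page, not IDENTIKEY code: the group hierarchy, the outcome labels and the rule that an all-Default policy chain means no check are constructed assumptions, and the directory lookup is replaced by an inline dictionary.

```python
from typing import Dict, Iterable, List, Set

# Windows Group Check values, spelled as on this page
DEFAULT = "Default"
NO_CHECK = "No check"
PASS_TO_HOST = "Pass requests for users not in listed groups back to host system"
REJECT = "Reject requests for users not in listed group"
BACKEND_ONLY = "Use only back-end authentication for users not in listed groups"


def effective_setting(policy_chain: List[str]) -> str:
    """Resolve 'Default' by walking up the policy hierarchy (child policy first)."""
    for value in policy_chain:
        if value != DEFAULT:
            return value
    return NO_CHECK   # assumption: Default all the way up means no group check


def effective_groups(direct_groups: Iterable[str], group_parents: Dict[str, Set[str]],
                     nested: bool) -> Set[str]:
    """Groups the user counts as a member of for the check.

    With Nested Groups = Yes, every group that transitively contains one of the
    user's direct groups is included. `group_parents` maps a group to the groups it
    is itself a member of; it is a constructed stand-in for a directory lookup.
    """
    result = set(direct_groups)
    if not nested:
        return result
    frontier = list(result)
    while frontier:
        group = frontier.pop()
        for parent in group_parents.get(group, set()):
            if parent not in result:
                result.add(parent)
                frontier.append(parent)
    return result


def group_check_outcome(mode: str, direct_groups: Iterable[str], listed_groups: Iterable[str],
                        nested: bool, group_parents: Dict[str, Set[str]],
                        request_type: str = "authentication") -> str:
    """Outcome of the check for one request.

    Returns 'process' (IDENTIKEY Authentication Server handles the request itself),
    'pass_to_host', 'reject' or 'backend_only'. For provisioning and signature
    validation the page states that the pass-back and back-end-only settings have
    the same effect as Reject.
    """
    if mode == NO_CHECK:
        return "process"
    if effective_groups(direct_groups, group_parents, nested) & set(listed_groups):
        return "process"
    if request_type in ("provisioning", "signature validation"):
        return "reject"
    return {PASS_TO_HOST: "pass_to_host", REJECT: "reject", BACKEND_ONLY: "backend_only"}[mode]


# Constructed directory: VPN-Users is a member of Remote-Access, which is a member of All-Staff.
GROUP_PARENTS: Dict[str, Set[str]] = {"VPN-Users": {"Remote-Access"}, "Remote-Access": {"All-Staff"}}
```

The practical point the model makes visible: with Nested Groups set to No, a user whose only direct group is VPN-Users is treated as "not in listed groups" even when Remote-Access is on the Windows Group List, so a staged rollout that lists only parent groups silently passes or rejects those users depending on the mode chosen.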
Windows Group List

The currently selected Windows groups to be checked according to the Windows Group Check are listed here.

Expand the list to search and edit your selection. You can enter a filter value to find the relevant group, or scroll through the list. Edit the selection and add or remove groups by selecting the check boxes of the relevant groups and moving them to the corresponding list by clicking the double-arrow button. You can also select multiple groups.

Note - For groups to appear for a Microsoft Active Directory back end, the Microsoft Active Directory back end must exist in IDENTIKEY Authentication Server.

RADIUS Attributes
Reply RADIUS Attributes

Specifies whether to return RADIUS attributes from a user account when the server returns an Access-Accept.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Do not return RADIUS attributes.
  • Yes. Return the RADIUS attributes in the groups listed below.

RADIUS Attribute Group List

Comma-separated list of RADIUS attribute groups. Only attributes belonging to the listed groups will be returned via this policy.
Static Password

These options allow you to define password complexity rules for the static password of the associated user. Different password complexity rules can be applied for administrators and users.

Administrators: IDENTIKEY Authentication Server supports password complexity rules through the server policy. There is a client component entry per server in the database, which has a policy assigned. The effective policy values for password complexity rules are applied for administrator users.

Users: When applying password complexity rules to users (i.e. no administrative privileges assigned), only the values defined in the base policy of the server policy are applied, instead of the effective settings.

By default, password complexity rules are only defined in the base policy, i.e. a default installation of IDENTIKEY Authentication Server will have to be adapted accordingly.

Minimum Password Length

Specifies the minimum length required for the static password.

Possible values: 0–9999

Minimum # Lowercase Characters

Specifies the minimum number of lowercase characters required in the password.

Possible values: 0–9999

Minimum # UPPERCASE Characters

Specifies the minimum number of uppercase characters required in the password.

Possible values: 0–9999

Minimum # Numerical Digits

Specifies the minimum number of numerical digits required in the password.

Possible values: 0–9999

Minimum # Special Characters

Specifies the minimum number of special characters required in the password. In this context, special characters are the non-alphanumeric characters on the keyboard, i.e. anything other than letters and digits.

Possible values: 0–9999

Different From Last # Passwords

Specifies how many different passwords must be used before a previously used password can be used again.

Possible values: 0–24

Not Based on User ID

Specifies whether the password is allowed to contain all or parts of the user ID.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Disables this option.
  • Yes. Enables this option.
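Taken together, the complexity rules from Minimum Password Length through Not Based on User ID define a validator. The following Python implementation is an added example for this page, not IDENTIKEY code: the policy values are constructed, "special characters" is read as the printable non-alphanumeric ASCII keyboard characters, "parts of the user ID" is read as any run of at least four alphanumeric characters from the ID (compared case-insensitively), and password history is kept as SHA-256 digests only to keep the example short.

```python
import hashlib
import string
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class StaticPasswordPolicy:
    """Static Password rules as named on this page (values are constructed)."""
    minimum_password_length: int = 8
    minimum_lowercase: int = 1
    minimum_uppercase: int = 1
    minimum_digits: int = 1
    minimum_special: int = 1
    different_from_last: int = 5       # 0..24; 0 means no history check
    not_based_on_user_id: bool = True  # the page's 'Yes'


# Assumption: "special characters" are the printable non-alphanumeric ASCII keyboard characters.
SPECIAL_CHARACTERS = set(string.punctuation)


def password_fingerprint(password: str) -> str:
    """Digest kept in the history list so previous passwords are never stored in clear.
    A production store would use a salted, slow password hash; SHA-256 keeps the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def user_id_fragments(user_id: str, min_len: int = 4) -> List[str]:
    """Assumed reading of 'all or parts of the user ID': the whole ID plus every run of
    at least min_len alphanumeric characters, compared case-insensitively."""
    fragments = {user_id.lower()}
    token = ""
    for ch in user_id + " ":            # the trailing space flushes the last token
        if ch.isalnum():
            token += ch
            continue
        if len(token) >= min_len:
            fragments.add(token.lower())
        token = ""
    return sorted(fragments)


def check_static_password(policy: StaticPasswordPolicy, user_id: str, candidate: str,
                          previous_fingerprints: Iterable[str] = ()) -> List[str]:
    """Return the names of the violated rules; an empty list means the password is acceptable.
    previous_fingerprints is ordered oldest to newest."""
    violations: List[str] = []
    if len(candidate) < policy.minimum_password_length:
        violations.append("Minimum Password Length")
    counts = [
        ("Minimum # Lowercase Characters", sum(c.islower() for c in candidate), policy.minimum_lowercase),
        ("Minimum # UPPERCASE Characters", sum(c.isupper() for c in candidate), policy.minimum_uppercase),
        ("Minimum # Numerical Digits", sum(c.isdigit() for c in candidate), policy.minimum_digits),
        ("Minimum # Special Characters", sum(c in SPECIAL_CHARACTERS for c in candidate), policy.minimum_special),
    ]
    for rule, have, need in counts:
        if have < need:
            violations.append(rule)
    if policy.different_from_last > 0:
        # Only the most recent N fingerprints are compared, as Different From Last # Passwords says.
        recent = list(previous_fingerprints)[-policy.different_from_last:]
        if password_fingerprint(candidate) in recent:
            violations.append("Different From Last # Passwords")
    if policy.not_based_on_user_id:
        lowered = candidate.lower()
        if any(fragment in lowered for fragment in user_id_fragments(user_id)):
            violations.append("Not Based on User ID")
    return violations
```

Returning the list of violated rule names rather than a single boolean is deliberate: the Administration Web Interface or a self-service page can tell the user exactly which policy line was missed, and an audit log entry can record it without logging the password itself.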
Maximum Age in Days

Specifies the maximum amount of time in days during which a local static password is valid. After this time, the password expires. Applies to the local authentication mode DIGIPASS or Password only.

If set to 0, the local static password never expires. Set this value to 0 to disable local static password expiration if you are using back-end authentication, and rely on the back-end system to enforce password expiration instead.

Possible values: 0–9999

Minimum Age in Days

Specifies the minimum amount of time in days a static password must be used before it can be changed. Applies to the local authentication mode DIGIPASS or Password only.
Days to Notify before Expiration

The number of days before a static password expires at which the end user is notified to update the static password. Applies to the local authentication mode DIGIPASS or Password only. If applicable, a corresponding note is displayed on the Administration Web Interface home page. Additionally, if the user has the Set User Password privilege, a direct link to set a new password is displayed.

If set to 0, users will never be notified.

Possible values: 0–9999
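Maximum Age, Minimum Age and Days to Notify before Expiration are evaluated together against the date the local static password was last set. The following Python function is an added example for this page, not IDENTIKEY code: the policy values and dates are constructed, and treating a password set exactly Maximum Age days ago as already expired is an assumption the page does not settle.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PasswordAgePolicy:
    """Maximum Age, Minimum Age and Days to Notify, as on this page (constructed values)."""
    maximum_age_in_days: int = 90                # 0 = local static password never expires
    minimum_age_in_days: int = 1                 # 0 = may be changed at any time
    days_to_notify_before_expiration: int = 14   # 0 = never notify


@dataclass
class PasswordAgeStatus:
    age_days: int
    expired: bool
    notify: bool                       # show the expiry note / Set User Password link
    days_until_expiry: Optional[int]   # None when expiration is disabled (Maximum Age 0)
    may_change: bool                   # Minimum Age has been satisfied


def evaluate_password_age(policy: PasswordAgePolicy, last_changed: date, today: date) -> PasswordAgeStatus:
    """Status of a local static password; only meaningful for the local authentication
    mode DIGIPASS or Password, since with back-end authentication the page recommends
    leaving Maximum Age at 0 and letting the back end enforce expiration.
    Assumption: a password set maximum_age_in_days days ago counts as expired."""
    age = (today - last_changed).days
    may_change = age >= policy.minimum_age_in_days
    if policy.maximum_age_in_days == 0:
        return PasswordAgeStatus(age, False, False, None, may_change)
    remaining = policy.maximum_age_in_days - age
    expired = remaining <= 0
    notify = (not expired
              and policy.days_to_notify_before_expiration > 0
              and remaining <= policy.days_to_notify_before_expiration)
    return PasswordAgeStatus(age, expired, notify, remaining, may_change)
```

A password that is both inside its notification window and still under Minimum Age is the edge case worth checking in the returned status: the user is told to change it but cannot yet, which is why the two settings should not be configured so close together that the windows overlap.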

The following actions are available: