Password complexity for Login Portal

You can configure your Active Directory (AD) to allow ETP to manage password complexity of the Login Portal. Every AD has a password complexity requirement. Your business may have other password reset requirements such as:
  • Users may be required to change their password at their first login.
  • Periodic password change, for example every 90 or 180 days, as per your business’ security policy. This can be set at the group or individual user level in the AD domain.
    • Change password when it is still valid.
    • Reset password after it has expired.
  • Proactive or at will password change.

If your AD is using Windows 2008, 2012, or 2016, the Secure Lightweight Directory Access Protocol (LDAPS) is required for the directory host.

If your AD is using Open LDAP, LDAP or LDAPS may be used for the directory host.

An administrator can define these password settings in AD, LDAP, and Active Directory Lightweight Directory Services (AD LDS) directories.

Allow users to change password. Select this option to allow users to change their passwords in the Login Portal.
  • For the AD, enable this setting to allow users to change their passwords if their current password is valid and ETP does not require the user to reset the password on their next login.
  • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset, provided the grace authentication limit with expired passwords or must-reset passwords has not been exceeded.

By default, this setting is disabled. If disabled, the user cannot change the password through the Login Portal and will need to do so through the native directory outside of ETP.

Allow users to reset password. Select this option to allow users to reset their passwords in the Login Portal.
  • For the AD, enable this setting to allow users to change their passwords if the ETP administrator requires the user to reset the password on their next login.
  • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset after the grace authentication limit with expired passwords or must-reset passwords has been exceeded.

To support this capability, ETP needs write privileges on the service account to modify another user’s password. This setting only controls whether ETP attempts to handle these use cases; the permissions the service account needs must be configured on the AD or Open LDAP itself. Typically, accounts with administrator privileges also have the permissions to change another user’s password. Administrators may want to restrict this privilege for the service account using mechanisms supported by the directory.

By default, allowing users to reset their own password is disabled. If disabled, the user cannot change the password through the Login Portal and will need to do so through the native directory outside of ETP.

Default password policy. This is a required field. It is automatically completed by the Microsoft AD. If you are using Open LDAP as your directory host, enter the default password policy for the directory.

Password expiry warning threshold (in seconds). This setting allows ETP to show users a password change reminder when they log in to the Login Portal, encouraging them to change their password before it expires. ETP can determine the age of the user’s current password during login and, if it exceeds the configured warning threshold, the password change reminder displays.

To support password changes from the Login Portal, ETP needs write privileges on the service account to modify another user’s password. If write privileges are not granted to ETP, the warning message may help to reduce administrative support for expired user passwords. Enter the amount of time, in seconds, before the password expires to display the password change reminder message.

By default this threshold is set to zero (0). When set to zero (0), no warning messages display.

Password force change threshold (in seconds). This setting allows ETP to force users to change their password when they log in to the Login Portal, before they can access a website. This threshold should be greater than the warning threshold and less than the maximum age of the password in the AD. Enter the amount of time, in seconds, before the password expires to force a password change from the Login Portal.

By default this threshold is set to zero (0). When set to zero (0), ETP will not attempt to force a change of current valid passwords.
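The two thresholds above are evaluated against the age of the user's current password, which AD exposes through the `pwdLastSet` attribute (a FILETIME value) together with the domain's `maxPwdAge`. The following is an added worked example, not ETP's own code, that shows how a login can be classified from those attributes: it assumes that both thresholds are read as "seconds before expiry", that a threshold of zero disables it, and that `pwdLastSet` of zero or the `DONT_EXPIRE_PASSWD` flag in `userAccountControl` carry their standard AD meanings. The directory values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

# AD stores pwdLastSet as a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# maxPwdAge is a negative FILETIME-style duration; a sentinel value means "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000
MAX_PWD_AGE_NEVER = -0x8000000000000000
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag: password never expires


class Outcome(Enum):
    ALLOW = "allow"                    # no action, let the user through
    WARN = "warn"                      # show the password change reminder
    FORCE_CHANGE = "force_change"      # require a change before granting access
    RESET_REQUIRED = "reset_required"  # password expired or flagged for reset


def datetime_to_filetime(dt):
    """Convert an aware datetime to a FILETIME integer (exact integer arithmetic)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    """Convert a FILETIME integer back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def validate_thresholds(warning_s, force_s, max_age_s):
    """Reject thresholds that can never apply sensibly (0 means disabled)."""
    for name, value in (("warning", warning_s), ("force change", force_s)):
        if value < 0:
            raise ValueError(f"{name} threshold must not be negative")
        if value and value >= max_age_s:
            raise ValueError(f"{name} threshold must be less than the maximum password age")


def evaluate_login(pwd_last_set, max_pwd_age, user_account_control,
                   warning_s, force_s, now=None):
    """Classify one login from the directory attributes and the two portal thresholds."""
    now = now or datetime.now(timezone.utc)
    # pwdLastSet == 0 is how AD marks "user must change password at next logon".
    if pwd_last_set == 0:
        return Outcome.RESET_REQUIRED
    # Non-expiring passwords never trigger a reminder or a forced change.
    if user_account_control & DONT_EXPIRE_PASSWD or max_pwd_age == MAX_PWD_AGE_NEVER or max_pwd_age >= 0:
        return Outcome.ALLOW
    max_age_s = -max_pwd_age // HUNDRED_NS_PER_SECOND
    validate_thresholds(warning_s, force_s, max_age_s)
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(seconds=max_age_s)
    remaining_s = (expires_at - now).total_seconds()
    if remaining_s <= 0:
        return Outcome.RESET_REQUIRED
    if force_s and remaining_s <= force_s:
        return Outcome.FORCE_CHANGE
    if warning_s and remaining_s <= warning_s:
        return Outcome.WARN
    return Outcome.ALLOW


# Constructed sample policy: 90-day maximum age, warn 14 days out, force 3 days out.
MAX_PWD_AGE_90_DAYS = -90 * 86400 * HUNDRED_NS_PER_SECOND
WARNING_14_DAYS = 14 * 86400
FORCE_3_DAYS = 3 * 86400
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def sample_outcome(days_since_change, uac=0, warning_s=WARNING_14_DAYS, force_s=FORCE_3_DAYS):
    """Evaluate a constructed user whose password was set the given number of days ago."""
    last_set = datetime_to_filetime(NOW - timedelta(days=days_since_change))
    return evaluate_login(last_set, MAX_PWD_AGE_90_DAYS, uac, warning_s, force_s, now=NOW)


if __name__ == "__main__":
    for days in (10, 80, 88, 100):
        print(f"password set {days} days ago -> {sample_outcome(days).value}")
```

Because the force window is checked before the warning window, a login inside both windows is forced rather than merely reminded, and disabling either threshold by setting it to zero simply skips that check, matching the defaults described above.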

Password complexity. To provide a message for users to read in the Login Portal, enter information about the password requirements in the Password complexity field.