
Managing Passwords

This section describes password management for internal authentication using AD LDS or ADAM. These password choices do not affect external authentication methods.

Letting Users Manage Their Passwords

This section describes how you can let users change their passwords or request new system-generated passwords.

JICS is set up so that internally authenticated users can change their own passwords. However, you can turn this functionality on and off.

When you set up the system to allow password changes, users can change their passwords by opening the My profile and settings feature and then displaying the Password tab. When you disallow password changes, the My profile and settings feature does not include a Password tab.

Note that if some of your users are externally authenticated, for these users the My profile and settings feature also will not include a Password tab, even if the feature is activated. This is true regardless of whether the users are externally authenticated through a SAML identity provider or an Other type external directory.

You manage this configuration by editing the internal authentication method on the Authentication settings screen. However, if you prefer, it is also possible for you to set this through a direct update to the FWK_ConfigSettings table in the main JICS database. The Key for this setting is AllowPasswordChanges.

To manage users’ ability to change their own passwords:

  1. Log in to the portal as a member of the Administrators role.

  2. Click the user icon and select Site Manager from the drop-down menu.

    The system displays the Site Manager screen, with the Site settings tab selected.

  3. Click the Authentication settings tab.

    The Authentication settings screen displays.

  4. In the list of authentication methods, click the Edit link next to the default internal authentication method.

    Figure: Manage Authentication Methods section showing the Edit link.

    The Edit Internal Method screen displays.

  5. Do one of the following:

    • To allow users to change their own passwords, click the Allow password changes button to display On.

    • To prevent users from changing their own passwords, click the Allow password changes button to display Off.

    Figure: Edit Internal Method screen showing the Allow password changes option.

  6. Click Save.

If you are allowing users to change their own passwords, then you can activate the I forgot my password link on the login page. Users who use an internal authentication method can enter their user name and click this link to have the portal send them an email that allows them to reset their password.

Note

The I forgot my password link will not display if you are not allowing users to change their own passwords. Additionally, the link will display for LDAP-authenticated users only if you have entered a password reset URL for LDAP servers. The link will never display for SAML-authenticated users.

You manage this configuration using the Site Manager > Security settings screen. However, if you prefer, it is also possible for you to set this through a direct update to the FWK_SiteSetting and FWK_ConfigSettings tables. The relevant columns are referenced below.

To configure the ‘I forgot my password’ feature:

  1. Log in to the portal as a member of the Administrators role.

  2. Click the user icon and select Site Manager from the drop-down menu.

    The system displays the Site Manager screen, with the Site settings tab selected.

  3. Click the Security settings tab.

  4. In the drop-down list at the top of the screen, select Forgot my password.

  5. Do either of the following as appropriate:

    • To disable the feature, click the Enable the “Forgot My Password” button to display Off. (This value corresponds with the EnableForgotPassword setting name in the FWK_SiteSetting table.)

    • To enable the feature, click the Enable the “Forgot My Password” button to display On. As part of this, if you want to require a hint question, set the Require a hint question button to On. (This value corresponds with the RequireHintQuestion setting name in the FWK_SiteSetting table.)

If the Enable the “Forgot My Password” button is set to On, then other options become available and are displayed in the following sections:

  • Send reset password email directly to user: If this option is enabled by setting the button to On, users who forget their password will not need to enter their email address for confirmation before a Password Reset email is sent to them. In this case, entering a Username and clicking on the "Forgot My Password" link will automatically send a Reset Password email to the email address associated with the entered Username. The user will see a message telling them to check their email, along with a masked version of the address to which the email was sent (example: e*****s@yourschool.edu).

  • Notify user of incorrect email address: This option only becomes available when the Enable the "Forgot My Password" link option is set to On, and the Send reset password email directly to user option is set to Off.

    As part of the "Forgot my password" process, users are required to enter their email address in order to receive a Password Reset email. If this option is enabled by clicking the button to display On, and a user enters an email address that does not match their primary email address, the user will be informed and given a chance to try a different address. If this option is not enabled, the user will not be informed that the entered email address is incorrect; they will simply not receive a Password Reset email.

  • Forgot my password log cleanup: You can enter the number of days in the Purge forgot my password logs older than [number] days field.

Figure: Other options associated with the I forgot my password feature.

Caution

Please carefully consider any security concerns before enabling the Send reset password email directly to user or Notify user of incorrect email address settings! For example, either setting makes it easier to confirm or guess the email address associated with a given username, because the portal's response then differs depending on whether the account or address exists.
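The following is an added example, not JICS code, that models the three Forgot my password switches described above (EnableForgotPassword, Send reset password email directly to user, Notify user of incorrect email address) as a small Python simulation. The sample accounts, the generic message wording, the exact masking rule for short local parts, and the handling of unknown user names are all assumptions; the page only gives the behaviour of each switch and the masked-address format e*****s@yourschool.edu. The exposure() check shows, for a given configuration, which pieces of account information the response gives away, which is what the caution above is about.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ForgotPasswordSettings:
    """The three Security settings > Forgot my password switches described above."""
    enable_forgot_password: bool = True      # EnableForgotPassword
    send_reset_email_directly: bool = False  # Send reset password email directly to user
    notify_incorrect_email: bool = False     # Notify user of incorrect email address


# Constructed sample directory of internally authenticated users (not real accounts).
ACCOUNTS = {
    "ajones": "ajones@yourschool.edu",
    "sedwards": "edwards@yourschool.edu",
}

# Assumed generic wording; the exact JICS message text is not on the page.
GENERIC_MESSAGE = (
    "If the details you entered match an account, a Password Reset email has been sent."
)


def mask_email(address: str) -> str:
    """Mask the local part, keeping its first and last character (e*****s@yourschool.edu).
    The page shows the output format; the rule for very short local parts is assumed."""
    local, _, domain = address.partition("@")
    if len(local) <= 2:
        masked = local[:1] + "*" * (len(local) - 1)
    else:
        masked = local[0] + "*" * (len(local) - 2) + local[-1]
    return f"{masked}@{domain}"


def forgot_password(username: str, entered_email: str,
                    settings: ForgotPasswordSettings,
                    outbox: List[Tuple[str, str]]) -> str:
    """Return the message shown to the requester; any email sent is appended to outbox."""
    if not settings.enable_forgot_password:
        raise RuntimeError("the I forgot my password link is not displayed when the feature is Off")
    real_address = ACCOUNTS.get(username)

    if settings.send_reset_email_directly:
        # No confirmation step: the reset mail goes straight to the address on file
        # and the requester is shown a masked copy of that address.
        if real_address is None:
            return GENERIC_MESSAGE  # assumed behaviour for unknown user names
        outbox.append((real_address, "Password Reset"))
        return f"Check your email. A Password Reset email was sent to {mask_email(real_address)}."

    # Confirmation step: the requester must supply the primary email address on file.
    if real_address is not None and entered_email.casefold() == real_address.casefold():
        outbox.append((real_address, "Password Reset"))
        return GENERIC_MESSAGE
    if settings.notify_incorrect_email and real_address is not None:
        # This option is only offered when direct sending is Off.
        return "The email address you entered does not match our records. Please try again."
    # Neither option enabled: the requester is told nothing and no email is sent.
    return GENERIC_MESSAGE


def exposure(settings: ForgotPasswordSettings) -> List[str]:
    """Defender's check for a configuration: does the response differ between a correct
    and an incorrect email address, or show part of the address on file?"""
    with_correct = forgot_password("ajones", ACCOUNTS["ajones"], settings, [])
    with_wrong = forgot_password("ajones", "guess@yourschool.edu", settings, [])
    found = []
    if with_correct != with_wrong:
        found.append("email-mismatch")  # Notify user of incorrect email address
    if "@" in with_wrong:
        found.append("masked-address")  # Send reset password email directly to user
    return found


if __name__ == "__main__":
    for name, cfg in [
        ("both Off", ForgotPasswordSettings()),
        ("direct send On", ForgotPasswordSettings(send_reset_email_directly=True)),
        ("notify incorrect email On", ForgotPasswordSettings(notify_incorrect_email=True)),
    ]:
        print(f"{name}: exposes {exposure(cfg) or 'nothing'}")
```

Running the script prints one line per configuration; only the default (both options Off) returns the same message in every case, which is why the caution recommends weighing the convenience of the other two settings against what they reveal.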

Starting with the JICS 2024.1 Release, passwords are required to meet composition and length standards. Passwords that do not meet the requirements cannot be saved. Applicable validation messages display if the requirements are not met.

On a new JICS installation:

  • The default minimum password length is 8 characters.

  • The default maximum password length is 100 characters.

On upgrades to JICS:

  • If the minimum password length is set to anything less than 8 characters, then it will be set to 8.

  • If the maximum password length is set to anything less than 100, then it will be set to 100.

On all JICS installs (including new installations and upgrades) and when a user changes their password:

  • Trying to set a password that contains the word "password" anywhere within it (including any type of capitalization) will result in a validation failure and the following error message: "The password cannot contain the word 'password' in any form." For example, a password of "123PaSsWoRd123" would never be allowed.

  • Trying to set a password that contains the current user's username anywhere within it (including any type of capitalization) will result in a validation failure and the following error message: "The password cannot contain your username in any form." For example, for a user with the username "ajones", a password of "123aJoNeS123" would not be allowed.

  • Trying to set a password that does not meet the requirements in another way, such as entering only 7 characters, will result in a validation failure and the following error message: "The password you entered does not meet requirements."

If desired, you can make the password requirements more stringent. You may also want to specify a required syntax for passwords.

You manage this configuration using the Site Manager > Security settings screen. However, if you prefer, it is also possible for you to set this through a direct update to the FWK_ConfigSettings table in the main JICS database. The relevant keys are noted below.

To configure password requirements:

  1. Log in to the portal as a member of the Administrators role.

  2. Click the user icon and select Site manager from the drop-down menu.

    The system displays the Site Manager screen, with the Site settings tab selected.

  3. Click the Authentication settings tab.

    The Authentication settings screen displays.

  4. In the list of authentication methods, click the Edit link next to the default internal authentication method.

    Figure: Manage Authentication Methods section showing the Edit link.

    The Edit Internal Method screen displays.

  5. Do any of the following as appropriate:

    • In the Minimum Password Length field, enter the minimum number of characters that should be allowed.

    • In the Maximum Password Length field, enter the maximum number of characters that should be allowed.

    These values correspond with the MinPasswordLength and MaxPasswordLength keys, respectively.

    Figure: Edit Internal Method screen showing the password fields.

  6. If desired, in the Password Validation Expression field, enter a regular expression that defines the syntax that you require for passwords. This expression is stored in the PasswordValidationExpression column. Note that this expression does affect the passwords generated by the “I forgot my password” feature.

    Note

    An informational message displays above the Save button as a reminder: "In addition to the above settings, passwords can never contain the current user's username, or the word 'password,' regardless of capitalization."

  7. Click Save.

Important

  • Along with the requirements above, all existing password validations continue to be in effect. These validation standards are all cumulative.

  • Changing these requirements does NOT affect any previously entered passwords; validation is triggered only when you enter a new password or change an existing user's password.
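The following is an added reference implementation, not JICS code, of the password rules stated on this page: the MinPasswordLength and MaxPasswordLength keys with their upgrade floors (minimum raised to 8, maximum raised to 100), the optional PasswordValidationExpression, and the cumulative checks that a password may never contain the word "password" or the user's username in any capitalization. The three error messages are the ones quoted above. Assumptions: the validation expression is applied with search semantics (like .NET Regex.IsMatch), so an expression that must cover the whole password should be anchored with ^ and $; the order in which JICS reports multiple failures is not on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Settings from the Edit Internal Method screen."""
    min_length: int = 8                            # MinPasswordLength (default 8)
    max_length: int = 100                          # MaxPasswordLength (default 100)
    validation_expression: Optional[str] = None    # PasswordValidationExpression


# Messages quoted on the page.
MSG_WORD = "The password cannot contain the word 'password' in any form."
MSG_USER = "The password cannot contain your username in any form."
MSG_REQ = "The password you entered does not meet requirements."


def upgraded_policy(min_length: int, max_length: int,
                    validation_expression: Optional[str] = None) -> PasswordPolicy:
    """Apply the upgrade rules: a minimum below 8 becomes 8, a maximum below 100 becomes 100."""
    return PasswordPolicy(max(min_length, 8), max(max_length, 100), validation_expression)


def validate_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return every validation message that applies; an empty list means the password is accepted."""
    errors = []
    folded = password.casefold()  # case-insensitive comparison for both substring checks

    # These two checks apply on every install and cannot be switched off.
    if "password" in folded:
        errors.append(MSG_WORD)
    if username and username.casefold() in folded:
        errors.append(MSG_USER)

    # Length window, then the optional syntax expression (search semantics assumed).
    meets = policy.min_length <= len(password) <= policy.max_length
    if meets and policy.validation_expression:
        meets = re.search(policy.validation_expression, password) is not None
    if not meets:
        errors.append(MSG_REQ)
    return errors


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ["123PaSsWoRd123", "123aJoNeS123", "Abc1234", "correct-horse-42"]:
        print(f"{candidate!r}: {validate_password(candidate, 'ajones', policy) or 'accepted'}")
    # Constructed stricter policy: require at least one digit and one uppercase letter.
    strict = PasswordPolicy(validation_expression=r"^(?=.*\d)(?=.*[A-Z]).+$")
    print(validate_password("horsebattery", "ajones", strict))
```

The two worked examples from the list above ("123PaSsWoRd123" and "123aJoNeS123" for user ajones) are rejected by the substring checks even though they satisfy the length window, which is the cumulative behaviour the Important note describes.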

You may need to reset a password in AD LDS or ADAM for one of the following reasons:

  • If the owner of the “Administrator” user name has forgotten their password.

  • If you want to temporarily reset a password for some other reason. If the user’s account is portal-only, note that you can make the change using the Site Manager > Portal-only account creator screen, as described in Modify a Portal-Only User Account.

To reset a password in AD LDS or ADAM:

  1. Log in to the server hosting AD LDS or ADAM as someone with administrative privileges.

  2. Do one of the following:

    • For AD LDS: Choose Start > Administrative Tools > ADSI Edit.

    • For ADAM: Choose Start > All Programs > ADAM > ADAM ADSI Edit.

    The system displays the ADSI Edit console.

  3. In the panel on the left-hand side of the console, expand the tree as follows:

    O = Jenzabar, C = US > CN = Portal > OU = Portal Users > CN = User name

    For example, if you were resetting the password for an individual with the user name Sarah, the navigation would look like this:

    Figure: Directory navigation to the user name Sarah.

  4. Right-click on the user name.

  5. In the pop-up menu, choose Reset Password.