Use this to control the creation and functionality of accounts.
Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab
The Accounts tab contains the following panels:
The Accounts tab lets you control accounts and manage access to Retain.
The settings in this panel affect all users in the Retain system, including those with accounts listed in the Users dialog and those found only in the archive’s Address Book.
Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Account Management Panel
Table 2-12 Using the Account Management Panel
| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Expire Unused Accounts after How Many Days | Setting this to 0 disables account expiration. Setting it to a different value causes any account, including the Admin account, to be removed when it has not logged in for the specified number of days. The default is 30 days. |
| Disable New Accounts option | By default, Retain is an Enabling this option makes Retain a If you don’t want specific users to access the Retain archives, add them to the list of Prohibited Logins (below). To make a “closed” Retain system, simply click on “Disable New Accounts”. If you use this option, it means that you will have to manually create accounts in Retain for authorized users. In other words, the only people who can access your system will be people for whom you specifically create an account. |
| Prohibited Logins list | You can block individual users from logging in to Retain by adding them here. |
| Remove Selected Address button | Select an address to remove from the list and click this button. |
| Address | Type the address to add in this field. |
| Add button | Click this to add a typed address to the list. |
| Password Strength: drop-down | Use this to specify password strength for a user account. Settings on a back-end messaging system override this. User-created passwords can be required to meet specific requirements. |
Depending on the identity stores configured in NetIQ Advanced Authentication, Retain supports multi-factor authentication for any combination of Retain users.
You use this panel to connect the Retain server with the NetIQ system.
For information about the entire process of enabling multi-factor authentication on Retain, see Configuring Retain for NetIQ Advanced Authentication MFA Support.
Figure 2-1 The NetIQ Advanced Authentication Configuration Panel
Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > NetIQ Advanced Authentication Configuration Panel
Table 2-13 Using the NetIQ Advanced Authentication Configuration Panel
| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Enable Multi-factor Authentication checkbox | You must enable this for multi-factor authentication to work. |
| Activate LDAP Service checkbox | You must enable the checkbox to activate Retain’s User Account LDAP service. Specify the following when creating the repository for Retain’s User Account LDAP service: |
| Server URL of AA Server field | The URL that this system uses to communicate with the Advanced Authentication server. |
| Client ID field | The Client ID generated for this Retain system when you create an OAuth2 event for it on the Advanced Authentication server. See Configuring Retain for NetIQ Advanced Authentication MFA Support, Step 7. |
| Client Secret field | The Client Secret generated for this Retain system when you create an OAuth2 event for it on the Advanced Authentication server. See Configuring Retain for NetIQ Advanced Authentication MFA Support, Step 7. |
| Tenant Name field | The default Tenant Name is TOP. If you created a different name, specify that here. |
| Redirect URI field | The URI path from the AA server to this Retain server. See Configuring Retain for NetIQ Advanced Authentication MFA Support, Step 4. |
| Test Login with Advanced Authentication button | When Retain and the Advanced Authentication server are configured and the system is ready, use this button to check that MFA is working as expected. When prompted, log in as one of the users that you have enabled for MFA. |
Retain supports modern authentication: users enter their Office 365 credentials to access Retain. This panel sets up the connection with Office 365. The entire setup procedure is documented in Providing Retain Users with Access Through Their Office 365 Accounts in Retain 4.10: Archiving Guide.
Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Office 365 End User Authentication Panel
Table 2-14 Using the Office 365 End User Authentication Panel
| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Tenant ID field | This information is exposed when you complete the procedures described in |
| Client ID field | This information is exposed when you complete the procedures described in |
| Test Connection button | Click this to verify that the credentials you have entered are valid with your Office 365 system. |
Retain supports the use of KeyShield SSO for users.
Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > KeyShield SSO Panel
Table 2-15 Using the KeyShield SSO Panel
| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Enable KeyShield SSO Authentication option | Select this to enable KeyShield SSO authentication. |
| KeyShield SSO Server URL | Specify the KeyShield server URL. |
| Connection Timeout (in seconds) | Specify the length of time a connection request remains active. |
| User ID Alias | The alias ID assigned to this server. |
| API Key | The API key from KeyShield. |
| Test Connection button | Click this to test the KeyShield connection. |
To use the KeyShield client in coordination with Retain, Retain needs an open connection to the KeyShield server, the User ID alias, and the API key. Specify the KeyShield SSO Server URL, Alias, and API key. The Timeout is set in seconds and may be anything required; 5 is recommended. Test the connection to ensure proper function.
When configured, Retain checks whether the KeyShield client is running and whether the user is currently logged in. If the user is logged in, Retain checks the user against the specified KeyShield Server and then either fails authentication and sends the user to the login page, or immediately passes them to their interface. The effect is that users who are already logged in to the KeyShield client are not required to log in to Retain, but are taken immediately to their appropriate interface.
Accounts can be locked if multiple failed attempts are detected within a specified window of time. This is useful for denying password-cracking attempts on the server.
Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Intruder Lockout Panel
Table 2-16 Using the Intruder Lockout Panel
| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Enable Intruder Lockout option | Select this to enable intruder lockout protection. |
| Number of Invalid Login Attempts | Set the number of invalid login attempts before an account is locked. |
| Time Interval (minutes) | Specify the window of time, in minutes, within which invalid login attempts are counted. |
| If triggered, lock account for this period (minutes) | Specify how long the account is locked out. |
| Clear Lockouts button | Use this to clear locked accounts. (Doesn’t require saving.) |
To enable Intruder Lockout, select the checkbox next to the ‘Enable Intruder Lockout’ option and save the changes. Changes take effect as soon as the save button is selected.
If a user has locked their account and requires immediate access to the system, all lockouts may be cleared. To clear any locked accounts, select the ‘Clear Lockouts’ button at the bottom of the page. There is no need to save changes; the clear command is immediate.
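The following added example (not Retain's own code) models how the three Intruder Lockout settings interact and what the Clear Lockouts button does. The class, its sliding-window counting, and the reset of the failure count on a successful login are assumptions made for illustration; the sample events are constructed.

```python
from collections import defaultdict, deque

class IntruderLockout:
    """Assumed semantics of the three panel settings; not Retain's own code."""

    def __init__(self, max_invalid_attempts, interval_minutes, lock_minutes):
        self.max_invalid = max_invalid_attempts      # Number of Invalid Login Attempts
        self.interval = interval_minutes * 60        # Time Interval (minutes)
        self.lock_period = lock_minutes * 60         # lock account for this period
        self.failures = defaultdict(deque)           # account -> recent failure times
        self.locked_until = {}                       # account -> unlock time (seconds)

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is not None and now >= until:       # lock period has elapsed
            del self.locked_until[account]
            until = None
        return until is not None

    def record_attempt(self, account, success, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt at time now."""
        if self.is_locked(account, now):
            return "locked"                          # refused even with a valid password
        if success:
            self.failures.pop(account, None)         # assumption: success resets the count
            return "ok"
        window = self.failures[account]
        window.append(now)
        while now - window[0] > self.interval:       # forget failures outside the interval
            window.popleft()
        if len(window) >= self.max_invalid:
            self.locked_until[account] = now + self.lock_period
            window.clear()
            return "locked"
        return "failed"

    def clear_lockouts(self):
        """Counterpart of the Clear Lockouts button: release every account at once."""
        self.locked_until.clear()
        self.failures.clear()

def replay(events, policy):
    return [policy.record_attempt(acct, ok, t) for t, acct, ok in events]
# Constructed sample: (seconds, account, password_correct); policy 3 attempts / 5 min / 15 min
SAMPLE_EVENTS = [(0, "alice", False), (60, "alice", False), (120, "alice", False),
                 (180, "alice", True), (1020, "alice", True),
                 (2000, "bob", False), (2200, "bob", False), (2400, "bob", False)]
if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, IntruderLockout(3, 5, 15)))
```

In the sample, alice's third failure inside five minutes locks the account, so her correct password at 180 seconds is still refused until the 15-minute lock expires; bob's three mistypes span more than five minutes and never trigger a lock.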