2.4 Accounts Tab

Use this to control the creation and functionality of accounts.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab

The Accounts tab contains the following panels:

  • Account Management Panel

  • NetIQ Advanced Authentication Configuration Panel

  • Office 365 End User Authentication Panel

  • KeyShield SSO Panel

  • Intruder Lockout Panel

Together, these panels let you control how accounts are created and manage who can access Retain.

2.4.1 Account Management Panel

The settings in this panel affect all users in the Retain system, including those with accounts listed in the Users dialog and those found only in the archive’s Address Book.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Account Management Panel

Table 2-12 Using the Account Management Panel

Option, Field, or Sub-panel

Information and/or Action

Expire Unused Accounts after How Many Days

Setting this to 0 disables account expiration. Setting it to any other value causes every account, including the Admin account, to be removed once it has not logged in for the specified number of days. The default is 30 days.

Disable New Accounts option

By default, Retain is an open system, meaning that every user in the archive’s address book can log in. When a user logs in, Retain checks whether a Retain account already exists for them; if not, it creates one, encrypts the user’s password, and assigns the account to the default group. See

Enabling this option makes Retain a closed system: it prevents the automatic creation of new accounts when users log in to Retain for the first time.

If you don’t want specific users to access the Retain archives, add them to the Prohibited Logins list (below).

To make a “closed” Retain system, select Disable New Accounts. With this option enabled, you must manually create a Retain account for each authorized user. In other words, the only people who can access your system are those for whom you specifically create an account.

Prohibited Logins list

You can block individual users from logging in to Retain by adding them here.

Remove Selected Address button

Select an address to remove from the list and click this button.

Address

Type the address to add in this field.

Add button

Click this to add a typed address to the list.

Password Strength: drop-down

Use this to specify the minimum strength of user account passwords. Password policy enforced by a back-end messaging system overrides this setting.

User-created passwords can be required to meet the following requirements:

  • Will accept any password: The default setting.

  • Low: Must be between 5 and 15 characters in length.

  • Medium: Must be between 5 and 20 characters in length, with at least 1 lowercase character, at least 1 uppercase character, and at least 1 numerical character.

  • High: Must be between 8 and 20 characters in length, with at least 2 lowercase characters, at least 2 uppercase characters, at least 2 numerical characters, at least 2 special characters, and must not be a dictionary word.
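The three levels above translate directly into a checkable rule set. The following is an added illustration, not Retain’s own code: it encodes the documented length, character-class and dictionary rules and reports every rule a candidate password violates. The word list is a constructed stand-in (this page does not document which dictionary Retain uses), and the dictionary test is applied to the alphabetic core of the password so that a dictionary word padded with digits and symbols is still caught; both are assumptions of the example.

```python
"""Password-strength checker modelled on the Retain Password Strength levels.

Added example, not Retain's implementation. Rules follow the table above:
  any    - accept any password
  low    - 5..15 characters
  medium - 5..20 characters, >=1 lowercase, >=1 uppercase, >=1 digit
  high   - 8..20 characters, >=2 lowercase, >=2 uppercase, >=2 digits,
           >=2 special characters, and not a dictionary word
"""
import string

SPECIAL = set(string.punctuation)

# Constructed stand-in for a real dictionary (assumption of this example).
DICTIONARY = {"password", "welcome", "letmein", "retain", "archive", "summer"}

# min/max length and minimum counts per character class, by level.
RULES = {
    "any":    dict(min=0, max=None, lower=0, upper=0, digit=0, special=0, dictionary=False),
    "low":    dict(min=5, max=15,   lower=0, upper=0, digit=0, special=0, dictionary=False),
    "medium": dict(min=5, max=20,   lower=1, upper=1, digit=1, special=0, dictionary=False),
    "high":   dict(min=8, max=20,   lower=2, upper=2, digit=2, special=2, dictionary=True),
}


def is_dictionary_word(pw):
    """Assumption: compare the alphabetic core, case-insensitively, so that
    'PASSword12!!' is still recognised as the dictionary word 'password'."""
    core = "".join(c for c in pw if c.isalpha()).lower()
    return core in DICTIONARY


def check_password(pw, level):
    """Return the list of violated rules; an empty list means the password passes."""
    r = RULES[level]
    problems = []
    if len(pw) < r["min"]:
        problems.append(f"shorter than {r['min']} characters")
    if r["max"] is not None and len(pw) > r["max"]:
        problems.append(f"longer than {r['max']} characters")
    counts = {
        "lower":   sum(c.islower() for c in pw),
        "upper":   sum(c.isupper() for c in pw),
        "digit":   sum(c.isdigit() for c in pw),
        "special": sum(c in SPECIAL for c in pw),
    }
    for kind, have in counts.items():
        if have < r[kind]:
            problems.append(f"needs at least {r[kind]} {kind} character(s), has {have}")
    if r["dictionary"] and is_dictionary_word(pw):
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("abc", "abcde", "Abcde1", "PASSword12!!", "Ab12cd!!XY"):
        for level in RULES:
            print(f"{level:7} {candidate!r:15} -> {check_password(candidate, level) or 'OK'}")
```

Running the block prints, for each constructed candidate, which levels accept it and why the others reject it; the same `check_password` call can be wired into an account-provisioning script to pre-validate passwords before they reach Retain.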

2.4.2 NetIQ Advanced Authentication Configuration Panel

Depending on the identity stores configured in NetIQ Advanced Authentication, Retain supports multi-factor authentication for any combination of Retain users.

You use this panel to connect the Retain server with the NetIQ system.

For information about the entire process of enabling multi-factor authentication on Retain, see Configuring Retain for NetIQ Advanced Authentication MFA Support.

Figure 2-1 The NetIQ Advanced Authentication Configuration Panel

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > NetIQ Advanced Authentication Configuration Panel

Table 2-13 Using the NetIQ Advanced Authentication Configuration Panel

Option, Field, or Sub-panel

Information and/or Action

Enable Multi-factor Authentication checkbox

You must enable this for multi-factor authentication to work.

Activate LDAP Service checkbox

Select this checkbox to activate Retain’s User Account LDAP service.

  • Port: The port used for LDAP communications between Retain and the NetIQ Advanced Authentication server. The default port is 8082, but you can specify an alternate.

    Make sure there are no port conflicts and that the firewall allows traffic through the port.

  • Password: The password the AA server uses to connect to Retain. Use the Retain-generated password, or an alternate that you specified when configuring the AA server to connect with Retain.

  • Copy-password Icon: Use this to copy the Retain-generated password to your clipboard.

Specify the following when creating the repository for Retain’s User Account LDAP service:

  • Type: eDirectory

  • Base DN: OU=users, O=retain

  • User: cn=retainldap

  • Password: Copy the password to your clipboard by clicking the copy-password icon to the right of the password field. Paste the password from the clipboard when creating the repository in NetIQ AA.

Server URL of AA Server field

The URL that this system uses to communicate with the Advanced Authentication server.

Client ID field

The Client ID generated for this Retain system when you create an OAuth2 event for it on the Advanced Authentication server. See Configuring Retain for NetIQ Advanced Authentication MFA Support, Step 7.

Client Secret field

The Client Secret generated for this Retain system when you create an OAuth2 event for it on the Advanced Authentication server. See Configuring Retain for NetIQ Advanced Authentication MFA Support, Step 7.

Tenant Name field

The default Tenant Name is TOP. If you created a different name, specify that here.

Redirect URI field

The URI on this Retain server to which the AA server redirects the browser after authentication. See Configuring Retain for NetIQ Advanced Authentication MFA Support, Step 4.

Test Login with Advanced Authentication button

When Retain and the Advanced Authentication server are configured and the system is ready, use this button to check that MFA is working as expected.

When prompted, log in as one of the users that you have enabled for MFA.

2.4.3 Office 365 End User Authentication Panel

Retain supports modern authentication through users entering their Office 365 credentials to access Retain. This panel sets up the connection with Office 365. The entire setup procedure is documented in Providing Retain Users with Access Through Their Office 365 Accounts in Retain 4.10: Archiving Guide.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Office 365 End User Authentication Panel

Table 2-14 Using the Office 365 End User Authentication Panel

Option, Field, or Sub-panel

Information and/or Action

Tenant ID field

This information is exposed when you complete the procedures described in Synchronizing the Address Book Using Office 365 (Microsoft GraphAPI) in Retain 4.10: Archiving Guide.

Client ID field

This information is exposed when you complete the procedures described in Synchronizing the Address Book Using Office 365 (Microsoft GraphAPI) in Retain 4.10: Archiving Guide.

Test Connection button

Click this to verify that the credentials you have entered are valid with your Office 365 system.

2.4.4 KeyShield SSO Panel

Retain supports the use of KeyShield SSO for users.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > KeyShield SSO Panel

Table 2-15 Using the KeyShield SSO Panel

Option, Field, or Sub-panel

Information and/or Action

Enable KeyShield SSO Authentication option

Select this to enable KeyShield SSO authentication.

KeyShield SSO Server URL

Specify the KeyShield server URL.

Connection Timeout (in seconds)

Specify, in seconds, how long a connection request to the KeyShield server remains active before it times out.

User ID Alias

The alias ID assigned to this Retain server in KeyShield.

API Key

The API key issued by KeyShield for this server.

Test Connection button

Click this to test the KeyShield connection.

To use the KeyShield client with Retain, Retain needs an open connection to the KeyShield server, the User ID alias, and the API key. Specify the KeyShield SSO Server URL, Alias, and API key. The Timeout is set in seconds and may be any value required; 5 is recommended. Test the connection to ensure proper function.

When configured, Retain checks whether the KeyShield client is running and whether the user is currently logged in to it. If so, Retain verifies the user against the specified KeyShield server and then either fails authentication and sends the user to the login page, or passes the user straight through to their interface. The effect is that users who are already logged in to the KeyShield client are not asked to log in to Retain again but are taken immediately to their appropriate interface.

2.4.5 Intruder Lockout Panel

Accounts can be locked when multiple failed login attempts are detected within a specified window of time. This slows down online password-guessing (brute-force) attacks against the server.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Intruder Lockout Panel

Table 2-16 Using the Intruder Lockout Panel

Option, Field, or Sub-panel

Information and/or Action

Enable Intruder Lockout option

Select this to enable intruder lockout protection.

Number of Invalid Login Attempts

Set the number of invalid login attempts before an account is locked.

Time Interval (minutes)

Specify the window, in minutes, within which the invalid login attempts are counted.

If triggered, lock account for this period (minutes)

Specify how long the account is locked out.

Clear Lockouts button

Use this to clear locked accounts. (Doesn’t require saving.)

To enable Intruder Lockout, select the checkbox next to the Enable Intruder Lockout option and save the changes. All changes take effect as soon as you click Save.

If a user has locked their account and requires immediate access to the system, all lockouts can be cleared at once. To clear locked accounts, click the Clear Lockouts button at the bottom of the page. There is no need to save changes; the clear command is immediate.
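The three panel settings describe a sliding-window lockout. The following is an added example, not Retain’s own code, that implements that policy so the interaction of the fields can be seen: failures older than the Time Interval drop out of the count, reaching the attempt limit locks the account for the lockout period (a correct password is rejected while locked), and `clear_lockouts()` plays the role of the Clear Lockouts button. Timestamps are passed in explicitly as seconds so the behaviour is deterministic; lower-casing the account name is a design choice of this example, so that `Admin` and `admin` share one counter.

```python
"""Sliding-window intruder lockout modelled on the Intruder Lockout panel.

Added example, not Retain's implementation. Parameters map to the panel:
  max_attempts - Number of Invalid Login Attempts
  window_min   - Time Interval (minutes)
  lock_min     - If triggered, lock account for this period (minutes)
"""
from collections import defaultdict, deque


class IntruderLockout:
    def __init__(self, max_attempts=5, window_min=5, lock_min=30):
        self.max_attempts = max_attempts
        self.window = window_min * 60      # seconds
        self.lock_for = lock_min * 60      # seconds
        self._failures = defaultdict(deque)  # account -> timestamps of failures
        self._locked_until = {}              # account -> time the lock expires

    @staticmethod
    def _key(account):
        # Assumption of this example: account names are case-insensitive,
        # so 'Admin' and 'admin' cannot be used to get separate counters.
        return account.strip().lower()

    def is_locked(self, account, now):
        acct = self._key(account)
        until = self._locked_until.get(acct)
        if until is None:
            return False
        if now >= until:                    # lock period elapsed
            del self._locked_until[acct]
            return False
        return True

    def record_failure(self, account, now):
        """Count a failed login; return True if this failure triggered a lockout."""
        acct = self._key(account)
        q = self._failures[acct]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[acct] = now + self.lock_for
            q.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(self._key(account), None)

    def clear_lockouts(self):
        """Equivalent of the Clear Lockouts button: takes effect immediately."""
        self._locked_until.clear()
        self._failures.clear()

    def attempt_login(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if self.is_locked(account, now):
            return "locked"                 # even a correct password is refused
        if password_ok:
            self.record_success(account)
            return "ok"
        return "locked" if self.record_failure(account, now) else "failed"


def run_scenario(lockout, events):
    """Replay constructed events: (time_s, account, password_ok) or 'CLEAR'."""
    results = []
    for ev in events:
        if ev == "CLEAR":
            lockout.clear_lockouts()
            results.append("cleared")
        else:
            t, acct, ok = ev
            results.append(lockout.attempt_login(acct, ok, t))
    return results


if __name__ == "__main__":
    # Constructed sample: 3 attempts in 5 minutes lock the account for 30 minutes.
    lo = IntruderLockout(max_attempts=3, window_min=5, lock_min=30)
    print(run_scenario(lo, [(0, "alice", False), (60, "alice", False),
                            (120, "Alice", False), (180, "alice", True),
                            (1920, "alice", True)]))
```

Running the block prints `['failed', 'failed', 'locked', 'locked', 'ok']`: the third failure (under a differently cased name) triggers the lock, the correct password one minute later is still refused, and the account unlocks on its own once the 30-minute period has passed.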