2.4 Accounts Tab

Use this to control the creation and functionality of accounts.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab

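The Accounts tab contains the following panels:

- Account Management Panel
- NetIQ Advanced Authentication Configuration Panel
- Office 365 End User Authentication Panel
- KeyShield SSO Panel
- Intruder Lockout Panel

The Accounts tab lets you control accounts and manage access to Retain.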

2.4.1 Account Management Panel

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Account Management Panel

Table 2-12 Using the Account Management Panel

| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Expire Unused Accounts after How Many Days | Specify how many days to keep unused accounts. Setting this to 0 disables account expiration. |
| Disable New Accounts option | Selecting this prevents the automatic creation of new accounts. |
| Prohibited Logins list | Prevent users from logging in to Retain by listing them here. |
| Remove Selected Address button | Select an address to remove from the list and click this button. |
| Address | Type the address to add in this field. |
| Add button | Click this to add the typed address to the list. |
| Password Strength: drop-down | Use this to specify password strength. |

Expire unused accounts after how many days: Enabling this causes the removal of any account, including admin, that has not logged in for the set number of days (0 = never expire).

Disable new accounts: Prevents new accounts from being enabled by default.

Prohibited logins: Block specific users from logging in to Retain. Enter the username or email address and click Add, or select an address and click Remove Selected Address.

Password strength

Open System vs. Closed System

Normally, Retain lets all mail system users log in. This is considered to be an “open” system. When a user logs in, Retain checks whether a Retain account already exists and, if not, creates a new account for them and assigns them to the default group.

Sometimes, you don’t want certain users to have access to the Retain archives. In this case, you may add these users to the list of Prohibited Logins. You do so by entering their name in the Address field and clicking “Add”.

To make a “closed” Retain system, simply click on “Disable New Accounts”. If you use this option, it means that you will have to manually create accounts in Retain for authorized users. In other words, the only people who can access your system will be people who you specifically create an account for.

In Retain, user accounts expire after 30 days of inactivity by default. You may choose the number of days or choose 0 for “accounts never expire”.

See “User Rights” for more information.

Password Strength

User-created passwords may be controlled for strength. By default, Retain accepts any password set by users. To require a higher security password, select the higher level desired. Requirements for the low, medium, and high settings are defined as:

Will accept any password

Low: Must be between 5 and 15 characters in length.

Medium: Must be between 5 and 20 characters in length, with at least 1 lower case character, at least 1 upper case character, and at least 1 numerical character.

High: Must be between 8 and 20 characters in length, with at least 2 lower case characters, at least 2 upper case characters, at least 2 numerical characters, and at least 2 special characters. Also, the password will be checked against a dictionary.
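
The following added example (not Retain code) applies the Low, Medium, and High rules above to a candidate password and reports which rules it fails. The meaning of "special character" (ASCII punctuation), the dictionary matching method, and the sample wordlist are assumptions made for illustration.

```python
import string

# Levels as defined above: (min_len, max_len, lower, upper, numerical, special)
LEVELS = {
    "low":    (5, 15, 0, 0, 0, 0),
    "medium": (5, 20, 1, 1, 1, 0),
    "high":   (8, 20, 2, 2, 2, 2),
}

# Constructed sample wordlist; the dictionary Retain uses is not described here.
SAMPLE_DICTIONARY = {"password", "welcome", "retain", "archive"}


def unmet_requirements(password, level, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the password fails at the given level."""
    min_len, max_len, lower, upper, digits, special = LEVELS[level]
    counts = {
        "lower case": sum(c.islower() for c in password),
        "upper case": sum(c.isupper() for c in password),
        "numerical": sum(c.isdigit() for c in password),
        # Assumption: "special" means ASCII punctuation.
        "special": sum(c in string.punctuation for c in password),
    }
    required = {"lower case": lower, "upper case": upper,
                "numerical": digits, "special": special}
    failures = []
    if not min_len <= len(password) <= max_len:
        failures.append(f"length must be {min_len}-{max_len}")
    for kind, need in required.items():
        if counts[kind] < need:
            failures.append(f"needs at least {need} {kind}")
    if level == "high":
        # Assumption: the letters-only, lower-cased form is looked up as a word.
        letters = "".join(c for c in password if c.isalpha()).lower()
        if letters in dictionary:
            failures.append("matches a dictionary word")
    return failures
```

Note that every level has a maximum length, so a long passphrase that meets all character-class rules is still rejected at High if it exceeds 20 characters.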

2.4.2 NetIQ Advanced Authentication Configuration Panel

Retain supports multi-factor authentication for GroupWise and on-prem Exchange users through an integration with NetIQ Advanced Authentication.

You use this panel to connect the Retain server with the NetIQ system.

For information about the entire process of enabling multi-factor authentication on Retain, see Multi-factor Authentication Setup.

Figure 2-1 The NetIQ Advanced Authentication Configuration Panel

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > NetIQ Advanced Authentication Configuration Panel

Table 2-13 Using the NetIQ Advanced Authentication Configuration Panel

| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Enable Multi-factor Authentication checkbox | You must enable this for multi-factor authentication to work. |
| Server URL of AA Server field | The URL that this system uses to communicate with the Advanced Authentication server. |
| Client ID field | The Client ID generated for this Retain system when you create an OAuth2 event for it on the Advanced Authentication server. See Multi-factor Authentication Setup, Step 7. |
| Client Secret field | The Client Secret generated for this Retain system when you create an OAuth2 event for it on the Advanced Authentication server. See Multi-factor Authentication Setup, Step 7. |
| Tenant Name field | The default Tenant Name is TOP. If you created a different name, specify that here. |
| Redirect URI field | The URI path from the AA server to this Retain server. See Multi-factor Authentication Setup, Step 4. |
| Test Login with Advanced Authentication button | When Retain and the Advanced Authentication server are configured and the system is ready, use this button to check that MFA is working as expected. When prompted, log in as one of the users that you have enabled for MFA. |

2.4.3 Office 365 End User Authentication Panel

Retain supports modern authentication, in which users enter their Office 365 credentials. This panel sets up the connection with Office 365. The entire setup procedure is documented in Providing OpenID Access (Modern Authentication) to Users in Retain 4.9.2: Archiving Guide.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Office 365 End User Authentication Panel

Table 2-14 Using the Office 365 End User Authentication Panel

| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Tenant ID field | This information is exposed when you complete the procedures described in Synchronizing the Address Book Using Office 365 (Microsoft GraphAPI) in Retain 4.9.2: Archiving Guide. |
| Client ID field | This information is exposed when you complete the procedures described in Synchronizing the Address Book Using Office 365 (Microsoft GraphAPI) in Retain 4.9.2: Archiving Guide. |
| Test Connection button | Click this to verify that the credentials you have entered are valid with your Office 365 system. |

2.4.4 KeyShield SSO Panel

Retain supports the use of KeyShield SSO for users.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > KeyShield SSO Panel

Table 2-15 Using the KeyShield SSO Panel

| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Enable KeyShield SSO Authentication option | Select this to enable KeyShield SSO authentication. |
| KeyShield SSO Server URL | Specify the KeyShield server URL. |
| Connection Timeout (in seconds) | Specify the length of time a connection request remains active. |
| User ID Alias | The alias ID assigned to this server. |
| API Key | The API key from KeyShield. |
| Test Connection button | Click this to test the KeyShield connection. |

To use the KeyShield client in coordination with Retain, Retain needs an open connection to the KeyShield server, the User ID alias, and the API key. Specify the KeyShield SSO Server URL, Alias, and API key. The Timeout is set in seconds and may be any value required; 5 is recommended. Test the connection to ensure proper function.

When configured, Retain checks whether the KeyShield client is running and whether the user is currently logged in. If they are logged in, Retain checks the user against the specified KeyShield Server and then either fails authentication and sends the user to the login page, or immediately passes them to their interface. The effect is that users who are already logged in to the KeyShield client are not required to log in to Retain, but are taken immediately to their appropriate interface.

2.4.5 Intruder Lockout Panel

Accounts can be locked if multiple failed attempts are detected within a specified window of time. This is useful to deny password cracking attempts on the server.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Intruder Lockout Panel

Table 2-16 Using the Intruder Lockout Panel

| Option, Field, or Sub-panel | Information and/or Action |
|---|---|
| Enable Intruder Lockout option | Select this to enable intruder lockout protection. |
| Number of Invalid Login Attempts | Set the number of invalid login attempts before an account is locked. |
| Time Interval (minutes) | Specify the window of time in which invalid login attempts are counted toward a lockout. |
| If triggered, lock account for this period (minutes) | Specify how long the account is locked out. |
| Clear Lockouts button | Use this to clear locked accounts. (Doesn’t require saving.) |

To enable Intruder Lockout, select the checkbox next to the ‘Enable Intruder Lockout’ option and save the changes. Changes take effect as soon as the Save button is selected.

If a user has locked their account and requires immediate access to the system, all lockouts may be cleared. To clear any locked accounts, select the ‘Clear Lockouts’ button at the bottom of the page. There is no need to save changes; the clear command is immediate.
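
To see how the three Intruder Lockout settings interact before choosing values, the added example below (not Retain code) replays a constructed list of login events through a simple model. How Retain counts failures internally is not described here; the model assumes a sliding window per account and that the attempt reaching the threshold is the one that triggers the lock.

```python
from collections import defaultdict, deque

class LockoutModel:
    """Assumed model of the panel's three settings; all times in minutes."""
    def __init__(self, max_attempts, interval, lock_period):
        self.max_attempts = max_attempts
        self.interval = interval
        self.lock_period = lock_period
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> minute the lock ends

    def attempt(self, account, minute, password_ok):
        """Process one login; return 'ok', 'fail' or 'locked'."""
        if self.locked_until.get(account, -1) > minute:
            return "locked"                 # refused even with the right password
        if password_ok:
            self.failures[account].clear()
            return "ok"
        window = self.failures[account]
        window.append(minute)
        while window and window[0] <= minute - self.interval:
            window.popleft()                # drop failures older than the interval
        if len(window) >= self.max_attempts:
            self.locked_until[account] = minute + self.lock_period
            window.clear()
            return "locked"
        return "fail"

    def clear_lockouts(self):
        """Counterpart of the Clear Lockouts button: release every account."""
        self.locked_until.clear()
        self.failures.clear()

def replay(events, **settings):
    """Run (minute, account, password_ok) events through a fresh model."""
    model = LockoutModel(**settings)
    return [model.attempt(acct, minute, ok) for minute, acct, ok in events]

# Constructed sample events, ordered by time.
SAMPLE_EVENTS = [
    (0, "alice", False), (0, "bob", False),
    (1, "alice", False), (2, "alice", False),  # third failure inside 10 minutes
    (3, "alice", True),                         # correct password during the lock
    (20, "bob", False),                         # failures 20 minutes apart
    (33, "alice", True),                        # lock from minute 2 has expired
    (40, "bob", False),
]
```

With 3 attempts, a 10-minute interval, and a 30-minute lock, the replay shows two tuning consequences: a locked account refuses its owner's correct password until the lock ends or lockouts are cleared, and failures spaced wider than the interval never reach the threshold, so they need to be caught by log review instead.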