6.3 Using Forgotten Password Self-Service

You can use the Password Policy Wizard in iManager to create a Password policy, which provides users with the ability to recover from a forgotten password without contacting the help desk.

The following features are supported:

IMPORTANT: Before using Password Self-Service, review the information about Managing Passwords by Using Password Policies in the Novell Password Management Administration Guide.

Other applications that use the Universal Password might be able to use additional features, such as Reset Self-Service and Challenge Sets.

6.3.1 Using the “Did You Forget Your Password?” Link

When you click the Did you forget your password? link in the Login dialog box, the system invokes the Forgotten Password Policy specific to the user. The following three options are supported by the Client:

  • Display a password hint.

  • Authenticate via Challenge/Response and show a password reminder (requires eDirectory 8.8 or later).

  • Authenticate via Challenge/Response and reset the password.

    NOTE: The Client does not support forgotten actions that involve e-mailing the password or the hint to the user.

Figure 6-4 Client Login Dialog Box

NOTE: The Client prompts users to populate the Challenge/Response set if they log in and the sets have not been entered.

The workstation administrator can choose to display or not display the Did you forget your password? link on the Login dialog box.

  1. Right-click the Client Tray icon, then click Client Properties.

  2. Click the Advanced Login tab.

  3. Set the Forgotten Password Prompt option to On or Off.

Before the Did you forget your password? link can work, you must complete the following:

If you click the link before Password Self-Service is set up, you receive an error. If the administrator changed or set up a new policy, you are prompted at login.

IMPORTANT: Not all features of Forgotten Password Self-Service are implemented with the Client at this time, including e-mailing passwords and hints.

Configuring Password Self-Service

Before users can use the Did you forget your password? link, the administrator must configure Password Self-Service and the user must enter the optional information (password hint or responses to challenge questions). The administrator should also upgrade to eDirectory 8.8 or later. See Password Self-Service in the Novell Password Management Administration Guide for more information.

Configuring Challenge/Response Settings

After the administrator configures the challenge sets and password policies, users need to provide their information for the challenge sets in either of the following two ways:

  • Right-click the Client Tray icon, then click User Administration > Challenge/Response Administration. Depending on how the administrator configured the challenge sets, users enter their information in the dialog boxes presented. For example, if the administrator specifies four questions in the challenge set, users enter information in four different dialog boxes.

    Figure 6-5 Sample Challenge/Response Dialog Box

  • If the administrator selected the Force user to configure Challenge Questions and/or Hint upon authentication option on the Forgotten Password page in iManager, the client prompts users to enter this information when they log in and their challenge set information is missing or out of date.

    Figure 6-6 Forgotten Password Page in iManager

The challenge/response questions allow for any response, such as a word, a sentence, or a phrase. Because it might be difficult to correctly type a phrase or sentence when the text is hidden, answers are not hidden with asterisks by default, like passwords usually are. However, as an added layer of security, you can configure the challenge/response LCM to hide the user’s responses to the challenge questions. For example, when this functionality is enabled, instead of the user’s response reading “my son charlie” in plain text, the response reads “** *** *******.”

To configure the challenge/response LCM to hide the user’s responses to the challenge questions:

  1. Create the following registry key:

    HKLM\SOFTWARE\Novell\NMAS\MethodData\challenge_response

  2. Create a DWORD registry value named mask_responses, and set it to one of the following values:

    0 - FALSE, don’t mask responses (default value)

    1 - TRUE, mask responses
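
The two registry steps above, as an added PowerShell example (not part of the Novell documentation): it creates the key, writes the DWORD, and reads the value back, checking its type as well as its data. The key path and value name are the ones given on this page; the function names Get-ResponseMasking and Set-ResponseMasking are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: key path and value name come from the procedure above;
# the function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Novell\NMAS\MethodData\challenge_response'
$ValueName = 'mask_responses'

function Get-ResponseMasking {
    # A missing key or value means the documented default: 0 (not masked).
    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Masked = $false }
    }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Masked = $false }
    }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    # The procedure calls for a DWORD; this audit flags any other type
    # (for example a string "1") as non-compliant.
    $ok = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq 1)
    [pscustomobject]@{ Present = $true; Kind = $kind; Masked = $ok }
}

function Set-ResponseMasking {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null      # step 1: create the key
    }
    # Step 2: -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    $state = Get-ResponseMasking
    if ($state.Masked -ne [bool]$Value) {
        throw "mask_responses did not read back as $Value"
    }
    $state
}

Get-ResponseMasking            # audit the current state
Set-ResponseMasking -Value 1   # enforce masking and verify the write
```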

If a user forgets the answers to his or her challenge/response questions, the Client provides a way to reset the answers. Right-click the Client Tray icon, then click User Administration > Challenge/Response Administration. The user can then enter new responses in the dialog boxes presented.

6.3.2 Using Hints for Remembering Passwords

If you specify a Forgotten Password Action that requires a password hint, users are required to enter a hint that is a reminder of their password. The password hint is checked to make sure that it does not contain the user’s password. Users must enter a new hint every time they change a password.

Figure 6-7 Change Password Dialog Box

If a user clicks the Did you forget your password? link in the Login dialog box, the user is asked to answer their challenge questions. When the series of challenge questions is answered correctly, a dialog box containing the password hint is displayed.

Figure 6-8 Forgotten Password Hint Dialog Box

If a user enters an erroneous password, the login program displays a message with a prompt to retype the password or click the Did you forget your password? link.

Figure 6-9 Password Error Dialog Box

If the policy action is to show a hint but the user did not enter a hint for the current password, an error message is displayed telling the user to contact the system administrator to reset the password and to enter a hint the next time the password is set.

Figure 6-10 Forgotten Password Error Dialog Box

Users can also create a hint at any time using the Change Password window available at login, or by pressing Ctrl+Alt+Delete, then clicking Change Password.

Figure 6-11 Change Password Dialog Box