When users first log in after SecureLogin is installed, they are prompted to enter a passphrase.
A passphrase consists of a passphrase question and a passphrase answer. The passphrase is used to verify and authenticate the user. The passphrase ensures that only the authorized user has access to that user's single-sign-on applications.
In standalone environments, a password is used instead of a passphrase. This password is required each time the user starts the workstation or SecureLogin for authentication.
NOTE: You can't manage passphrase security in standalone mode.
The passphrase should not be confused with the normal login. A passphrase is used to protect the user's single sign-on credential information.
For example, in a directory environment, a rogue administrator can potentially log in to the network as the user by resetting the network password. Whenever SecureLogin recognizes that tampering or an administrative password change has been performed on the user's account, SecureLogin prompts for the passphrase. Without knowing the passphrase, the rogue administrator can't access the user's applications that are enabled for single sign-on.
The passphrase question and answer help you access your login data in the following situations:
NOTE: For a passphrase to display properly on multi-byte platforms (for example, Japanese and Chinese), users must use single-byte characters when entering a passphrase.
If you use Novell SecretStore, a specially designated SecretStore Administrator might unlock your directory-based data stores on your behalf. For more information, see "Setting Up a SecretStore Administrator" in the Novell SecretStore 3.3.3 Administration Guide.
You can provide preset passphrase questions for users to respond to, enable users to enter their own passphrase question, or do both.
By default, users can enter their own passphrase questions.
Passphrase questions can have up to 255 characters.
IMPORTANT: If a user forgets the passphrase answer, that user's object data must be deleted and the passphrase reset. This action means that the user loses all the SecureLogin data, including application login credentials. Therefore, because the passphrase question is infrequently asked, the passphrase answer should be one that the user can easily remember, but one that others can't easily guess.
Right-click a Container object, then click Properties.
You can provide passphrase questions for User objects, if a user has used SecureLogin and set a passphrase question.
Click Novell SecureLogin, then select Advanced Settings.
In the Passphrase Questions dialog box, click New.
Type a question, then click OK.
To edit a passphrase question, select it, click Edit, make changes, then click OK.
Click Apply.
Select Start > Administrative Tools > Active Directory Users and Computers.
Right-click the relevant container or OU (for example, Users).
Select Properties > SecureLogin SSO > Settings.
Click Advanced Settings, then click New.
Type a passphrase question in the Enter a Passphrase Question edit box.
Click OK.
The passphrase question displays to all users associated with the container or OU.
You can disallow user-set questions and require users to select a preset question.
When users first log in after installing SecureLogin, SecureLogin prompts them to select a passphrase question and type an answer. See How SecureLogin Uses Passphrases. You can edit that text and provide customized instructions for your organization.
Click Settings.
Select Customize Text for the Passphrase Setup Dialog Box, then click Edit.
NOTE: Because the primary data store is unavailable in standalone mode, many SecureLogin management features are not available in that mode.
Type text in the Value pane, then click OK.
Click Apply.
Test the text by logging in as a new test user.
By default, SecureLogin requires a passphrase answer that has at least six characters. To set additional requirements:
Click Settings.
Scroll to and select Use a Passphrase Policy.
In the Editing a Setting dialog box, require a passphrase policy by changing the value to Yes.
(Optional) To edit the passphrase policy, click Edit Policy.
Select a setting, then click Edit.
The following figure illustrates Basic passphrase policy settings that you can change:
To view advanced settings, select Advanced from the drop-down list. To view Basic and Advanced settings, select All from the drop-down list.
In the Editing a Setting dialog box, change the value, then click OK twice.
The Advanced settings for passphrase policies are the same as for password policies. See the table of default values in Creating or Editing a Password Policy.
Save the setting by clicking OK twice.