This issue has been addressed in Notes/Domino 6. In Notes/Domino 6,
password history is customizable in the "Password Management" tab inside
the Security Policy.
Note: While the steps below cause users to be prompted to change their
passwords, they do not actually force users to change them; the user can
still press Cancel in the Set Password dialog box. This is documented in
"Users Are Not Forced to Change Their Passwords After the Grace Period
Expires" (# 174865). Notes/Domino 6.0 added a separate option to force
users to change their Internet password; it is described below.
To set up Domino to prompt users to change their passwords, perform the following steps:
Part I
1. First, the administrator must enable password checking on each server
with which these users authenticate. To do this, open each Server
document in the Domino Directory (names.nsf) and, in the Security
section, set "Check passwords on Notes IDs" to Enabled.
2. Save the document and restart that server after the change.
3. Make sure the Administration Process is set up in the Notes domain.
Part II
Next, the administrator (with at least Author access and the UserModifier
role) opens the People view of the Domino Directory on the Administration
Server:
1. Either edit the Administration section of each user's Person document
directly, or select the Person document(s) and, from the Actions menu,
choose Set Password Fields.
2. Select "Check password". This turns checking on for the user; the
password digest itself is added by the Administration Process the first
time the user authenticates, if it is not already present.
4. (Optional) Next to Required Change Interval, enter the number of days
after which users must provide a new password to authenticate with
servers that check passwords. The default is 0, which checks the password
without ever requiring a change.
5. (Optional) Next to Grace Period, enter the number of days after the
required change interval expires that users have to change their
passwords before being locked out of servers that check passwords. The
default is 0. Example:
Check Notes Password: Check password
Required Change Interval: 150 (days)
Allowed Grace Period: 31 (days)
The Domino 6 Address Book design adds a further option: Force User to Change Internet Password on Next Login.
Caution
Do not enable password expiration for users whose ID files are locked
with Smartcards. Otherwise, a user's ID could be locked out until the
password expiration is cleared. For such users, also make sure the
required change interval and allowed grace period are both set to zero.
6. Save these changes. You will be prompted "The Request has Been
Successfully Submitted to the Administration Request Database."
7. Allow Domino Directory and Admin4 replication to take place. Then open
that Person document's properties: $UpdatedBy shows the administrator's
name and the PasswordDigest field is still empty.
8. Open the Admin4.nsf database. A "Set Password Information" document
now appears in the All Requests by Name view.
9. When that person authenticates with his/her home/mail server, the
following message is displayed: "WARNING: Your Password Will Expire on
09/17/2002."
10. After the user sets a new password, a new document appears in the
Admin4.nsf database: "Change User Password in Address Book".
11. Check the Last change date field on the Person document. The
PasswordDigest field now has an entry, $UpdatedBy contains the server
name, and $Revisions carries a date/time stamp.
NOTE: Many of these fields/options are only shown in edit mode.
12. If that user later uses a backup User.ID that still has the old
password to access the home server, the following warning is displayed:
"You Have a Different Password on Another Copy of Your ID File and You
Must Change the Password of This Copy to Match".
More information about checking passwords during authentication
You can enable password checking so that users can only authenticate
with a server by providing the correct password. If an unauthorized
person uses an ID, the owner of the ID can change the password to
prevent the person from continuing to use it to authenticate. To set up
password checking, you enable this feature in both Person and Server
documents in the Public Address Book. After you do this, the first time a
user logs onto the server the Administration Process generates a Change
User Password in Address Book request in the Administration Requests
database. This request adds a password digest that corresponds to the
user password to the Person document. From then on the user must provide
the password that corresponds to the digest to authenticate with
servers on which you've enabled password checking.
If you set up password checking, you can specify a required change
interval that requires users to change the passwords on their IDs at the
interval. Notes prompts a user as the time for a required password
change approaches. The user responds by creating a new password which
generates a new Change User Password in Address Book request to add the
new password digest to the Person document.
If you require password changes, you can specify a grace period that
indicates how long after the expiration of a password change interval
the user has to change a password before being unable to authenticate
with servers that require password checking. This is a useful way to
automatically deny server access to inactive users, for example users
who are no longer with your organization.
If password checking is enabled on a server, you can also lock out
specific users from the server to prevent them from authenticating.
How the Administration Process enables password checking
When you enable password checking for a user, the Administration Process
creates a Set Password Information request in the Administration
Requests database which it carries out according to the Interval setting
in the Administration Process section of the Server document. This
request enables password checking by filling in the Check password,
Required change interval, and Grace period fields in the Administration
section of the user's Person document.
The first time the user logs onto a server that requires password
checking, the Administration Process generates a Change User Password in
Address Book request in the Administration Requests database. This
request adds a password digest corresponding to the user password to the
Password digest field in the Public Keys section of the Person
document. It also records the date the user provided the password in the
Last change date field in the Administration section of the Person
document. The user must then provide the password that corresponds to
the digest to authenticate with servers on which you've enabled password
checking.
When a user changes a password, the Administration Process generates a
new Change User Password in Address Book request in the Administration
Requests database, which updates the Password digest and Last change
date fields.
Required change intervals and grace periods
To check users' passwords during authentication without requiring them
to change their passwords, enter 0 in the Required change interval
field. If you enter 0, Notes ignores any grace period specified.
If a required change interval expires without the user changing the
password, the user can't authenticate with servers that require password
checking until the user creates a new password. If a grace period also
expires and the user still hasn't changed the password, the user can't
authenticate until the administrator manually deletes the data in the
Password digest field of the Person document, after which the user
creates a new password. The default grace period (0) allows users
virtually unlimited time to change their passwords after a change
interval expires.
An expired password doesn't prevent a user from reading encrypted mail
from a local replica of a mail file or creating new signed documents.
If someone with unauthorized access to an ID changes a password on it
before the legitimate owner of the ID, the owner can't authenticate and
sees the message "You have a different password on another copy of your
ID file and you must change the password on this copy to match." In
this case, delete the password digest and have the legitimate owner
immediately log on and provide a new password.
Obsolete passwords
Once you enable password checking for a user, Notes keeps a record of up
to 50 passwords previously used and these can't be used again. An
enhancement request has been submitted to Lotus Quality Engineering to
reduce the number of previously used passwords that Domino remembers
(SPR DBEN456QRK).
Multiple copies of an ID
If a user has multiple copies of an ID with different passwords, the
password on the ID first used to log on to a server after password
checking is enabled is the only one that is valid.
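The following model, added here and not code from this technote or from Lotus/IBM, works through the required change interval, grace period and lockout rules above, the obsolete-password rule (up to 50 remembered passwords), and the "different password on another copy of your ID" case, using the technote's own 150-day/31-day example. The field names are the dialog labels from this document, not the underlying Person-document item names; the digest function and the 14-day warning window are assumptions, since the technote does not describe Domino's digest or when exactly Notes starts warning.

```python
"""Model of the Domino password-check rules described in this technote (added
example; field names, digest function and warning window are assumptions)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import hashlib

MAX_HISTORY = 50   # technote: up to 50 previously used passwords are remembered
WARN_DAYS = 14     # assumption: technote only says Notes warns "as the time approaches"


def digest(password: str) -> str:
    """Stand-in for the Notes password digest (assumption: Domino's own digest
    is not described here; SHA-256 only makes the model runnable)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Person:
    """The Person-document fields this procedure touches."""
    check_password: bool = True                 # Check password
    change_interval: int = 0                    # Required change interval, days; 0 = never
    grace_period: int = 0                       # Allowed grace period, days; 0 = unlimited
    last_change: Optional[date] = None          # Last change date; set by first AdminP request
    password_digest: Optional[str] = None       # Password digest; empty until first login
    history: List[str] = field(default_factory=list)  # obsolete digests, oldest first


def expiry_date(p: Person) -> Optional[date]:
    if p.change_interval == 0 or p.last_change is None:
        return None
    return p.last_change + timedelta(days=p.change_interval)


def lockout_date(p: Person) -> Optional[date]:
    exp = expiry_date(p)
    if exp is None or p.grace_period == 0:
        return None
    return exp + timedelta(days=p.grace_period)


def password_state(p: Person, today: date) -> str:
    """Classify the account as a password-checking server sees it on 'today'."""
    if not p.check_password:
        return "not-checked"     # server never compares digests for this user
    if p.password_digest is None:
        return "no-digest"       # first login will store the digest via AdminP
    exp = expiry_date(p)
    if exp is None:
        return "no-expiry"       # interval 0: digest checked, grace period ignored
    if today < exp:
        return "expiring" if (exp - today).days <= WARN_DAYS else "ok"
    lock = lockout_date(p)
    if lock is None or today <= lock:
        return "expired"         # user must set a new password to authenticate again
    return "locked"              # only an administrator clearing the digest helps


def authenticate(p: Person, password: str, today: date) -> str:
    """Outcome of one authentication with the password on this copy of the ID."""
    state = password_state(p, today)
    if state == "no-digest":
        p.password_digest, p.last_change = digest(password), today   # first login
        return "ok"
    if state != "not-checked" and digest(password) != p.password_digest:
        return "You have a different password on another copy of your ID file"
    if state == "locked":
        return "locked out: administrator must clear the password digest"
    if state == "expired":
        return "password expired: a new password is required"
    if state == "expiring":
        return "WARNING: Your password will expire on {:%m/%d/%Y}".format(expiry_date(p))
    return "ok"


def change_password(p: Person, new_password: str, today: date) -> None:
    """User sets a new password; any remembered obsolete password is rejected."""
    new = digest(new_password)
    if new == p.password_digest or new in p.history:
        raise ValueError("password was used before and cannot be reused")
    if p.password_digest is not None:
        p.history = (p.history + [p.password_digest])[-MAX_HISTORY:]
    p.password_digest, p.last_change = new, today


def clear_digest(p: Person) -> None:
    """Administrator action for a locked-out user: empty the digest so the next
    login re-enrols the password; the user then sets a new one immediately."""
    p.password_digest, p.last_change = None, None


if __name__ == "__main__":
    # Constructed scenario using the technote's example policy (150 / 31 days);
    # a first login on 04/20/2002 yields the technote's expiry date of 09/17/2002.
    u = Person(change_interval=150, grace_period=31)
    print(authenticate(u, "first-pw", date(2002, 4, 20)))   # ok (digest stored)
    print(authenticate(u, "first-pw", date(2002, 9, 10)))   # WARNING ... 09/17/2002
    print(password_state(u, date(2002, 10, 19)))             # locked
```

Two details of the rules stand out in the model: a grace period of 0 means unlimited time rather than immediate lockout, and a required change interval of 0 makes the grace period irrelevant, so a policy of "0 / 31" checks the password forever without ever expiring it.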
Multi-password ID files
Don't enable password checking on multi-password ID files; if you do,
authentication fails with servers enabled for password checking.