FootPrints supports several modes of user/password authentication. You have the option of using FootPrints' internal encryption techniques, where FootPrints maintains its own database of users and passwords. Alternatively, FootPrints can let the web server perform the authentication, or can authenticate by interfacing with either an LDAP directory server, the Windows user list on Windows systems, or the UNIX/Linux user list on UNIX systems.
FootPrints supports the following methods of password verification for FootPrints users:
FootPrints authentication (default)
LDAP authentication
Windows 2003/2008 authentication (Windows 2003/2008 only)
UNIX authentication (UNIX only)
Web Server Authentication
NOTE
When using web server authentication with the Customer Service Portal, the customer URL provided on the Customer Service Portal setup page will not bypass customer login. If a customer goes to the regular /footprints URL, they bypass the login correctly.
To administer authentication, select Administration | System from the FootPrints Toolbar, then select Authentication under Users in the main frame.
Each FootPrints user may be assigned either the primary or secondary authentication method. Only the assigned method is attempted when a user tries to authenticate. If the secondary authentication method selected is None, all FootPrints users are authenticated against the primary authentication method.
There are a variety of ways to add users to the system:
System Administrators: Manually from the Administration | Workspace | Users | Add Agents page.
Agents/Workspace Administrators: Manually from the Administration | Workspace | Users | Add Agents page.
Auto added to FootPrints from the network password file (if 2003/2008, LDAP or UNIX authentication is enabled). Refer to the Auto Add Customers option under System Administration.
Customers can create their own unique accounts and passwords (if FootPrints authentication is enabled). This option is available on the Auto Add Customers page only if FootPrints authentication is enabled.
If unique IDs and passwords are not required for customers, a single shared ID and password can be created for all customers. Customers then identify themselves by a single unique key (the primary key), such as Email address. If an external authentication method is selected, the shared ID must exist in the network password file.
Authentication Methods
FootPrints Authentication (default)
When FootPrints authentication is selected, the FootPrints password file is checked when a user logs in (passwords are encrypted).
FootPrints authentication includes password security features such as email notification on password change, enforced password complexity settings, preventing reuse of previous passwords, password lifetimes, and lockout on a number of incorrect login attempts.
Configure FootPrints Password Authentication
To configure FootPrints password authentication:
Select Administration | System | Authentication from the FootPrints Toolbar.
Select FootPrints Authentication from either the Primary or Secondary Authentication drop-down list.
Optionally, complete the Password Security Configurations section:
Password Change Notifications—Set the rules for notifications when a password is changed.
Notify users by email when their passwords change—Click the box to enable notification. When a user's password changes, FootPrints sends an email notifying the user that it was changed. Because the user's email address is in FootPrints, if someone other than the user changed the password, this notification reveals an improper change. Additional options are displayed when this is enabled. A dedicated email address that serves as a distribution list for system administrators is strongly recommended for notifications. This allows the list of system administrators to be maintained outside of FootPrints by whoever maintains other distribution lists.
System administrator emails are to be sent from—Use the drop-down to select the System Administrator who will be named in the email as the sender. If the user has a problem with the password change, the user can respond to the administrator via email.
Or enter real and email address of a FootPrints Administrator—You may wish to have someone other than a System Administrator act as the administrator for password security. Enter the real name and email address of this person in the fields provided. This allows administrators to use the email addresses of lists.
Password Complexity—If complexity requirements are enabled or changed, existing passwords that do not comply with the complexity rules are no longer valid. Users attempting to log in will receive an error message and be asked to set a new password.
Require Password Complexity—Enabling this option forces users to enter passwords that conform to the complexity rules. Rules are cumulative, which means that all rules that are enabled are enforced. Additional options are displayed when this is enabled.
Minimum password length and Maximum password length—Set the minimum and maximum number of characters that users can enter for their passwords. The smallest acceptable value for the Maximum Password Length is 8.
Require one or more alphabetic letters—Enabling this option means that any passwords selected by users must contain at least one letter from the English alphabet. All alphabet entries are case sensitive.
Require mixed case alphabetics—Enabling this option means that any passwords selected by users must contain at least one upper case and one lower case letter from the English alphabet.
Require one or more numeric digits—Enabling this option means that any passwords selected by users must contain at least one Arabic numeral (0,1,2,3,4,5,6,7,8,9).
Require one or more punctuation—Enabling this option means that any passwords selected by users must contain at least one keyboard symbol, such as @, %, &, and so on. Control characters are not permitted.
Password History—The password history saves the history of users' password changes and users' previous passwords.
Keep password history—Click the checkbox to enable password history. Deleting the entries in a user's password history is a way to expire a user's password. Additional options are displayed when this is enabled.
Keep history for at least—Enter a number in the integer field and then use the drop-down field to set how long the history is maintained. Time periods available in the drop-down field are Minutes, Hours, Days, Weeks, Months, and Years.
Reuse limits: how many of the last passwords must be different—Determines how many interim passwords a user must use before reusing a password. For example, if the limit is set to three, then a user can enter a password that he or she has used before once the user has entered three interim passwords. Consider this sequence of passwords: A, B, C, D. If A is the first password, then the user must change passwords to B, then C, and then D before going back to use A. Disabling the minimum lifetime (described below) for passwords is not recommended if a password reuse limit has been set. A user could, by going through a series of dummy passwords, return to the original password if no minimum lifetime has been set for passwords. This would thwart the password reuse limit.
Password Lifetime—Set the minimum and maximum expiration periods for passwords.
Limit lifetime of passwords—Click the checkbox to enable password lifetime. Additional options are displayed when this is enabled.
Min. lifetime—Enter a number in the integer field and then use the drop-down field to set a minimum lifetime for passwords. Once a user changes a password, the password cannot be changed again until this period expires. Time periods available in the drop-down field are Minutes, Hours, Days, Weeks, Months, and Years. Disabling the minimum lifetime for passwords is not recommended if a password reuse limit (see above) has been set. A user could, by going through a series of dummy passwords, return to the original password if no minimum lifetime has been set for passwords. This would thwart the password reuse limit.
Max. lifetime—Enter a number in the integer field and then use the drop-down field to set a maximum lifetime for passwords. Passwords must be changed when this period expires. A user whose password has expired is prompted to change the password upon attempting to log in. Users with expired passwords cannot log in until they have changed their passwords. Time periods available in the drop-down field are Minutes, Hours, Days, Weeks, Months, and Years.
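The complexity, history and lifetime options above interact: the reuse limit only holds if a minimum lifetime is also set. The following Python model, added here as an example and not FootPrints code, implements the rules as the page describes them (cumulative complexity rules, a reuse limit counted over the last N passwords, minimum and maximum lifetimes) so the cycling weakness can be seen on a constructed A, B, C, D sequence. The PBKDF2 hashing of history entries, the rule names and the sample passwords are this example's own assumptions.

```python
"""Password policy model for the FootPrints options described above.

Added example: this is not FootPrints code. The rule names, the PBKDF2
hashing of history entries and the sample passwords are assumptions
made for illustration.
"""
import hashlib
import hmac
import os
import re
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

PBKDF2_ROUNDS = 20_000  # assumed; raise considerably for a real deployment


@dataclass
class PasswordPolicy:
    require_complexity: bool = True
    min_length: int = 8
    max_length: int = 64           # the page says the smallest accepted maximum is 8
    require_alpha: bool = True
    require_mixed_case: bool = True
    require_digit: bool = True
    require_punctuation: bool = True
    reuse_limit: int = 3           # how many of the last passwords must differ
    min_lifetime: Optional[timedelta] = timedelta(days=1)
    max_lifetime: Optional[timedelta] = timedelta(days=90)


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    changed_at: datetime


def complexity_errors(policy: PasswordPolicy, password: str) -> List[str]:
    """Return every complexity rule the candidate breaks; rules are cumulative."""
    errors: List[str] = []
    if not policy.require_complexity:
        return errors
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        errors.append(f"longer than {policy.max_length} characters")
    # Only the English alphabet counts, so use ASCII classes, not str.isalpha().
    if policy.require_alpha and not re.search(r"[A-Za-z]", password):
        errors.append("needs at least one letter")
    if policy.require_mixed_case and not (
        re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
    ):
        errors.append("needs both upper and lower case letters")
    if policy.require_digit and not re.search(r"[0-9]", password):
        errors.append("needs at least one digit 0-9")
    if policy.require_punctuation and not any(c in string.punctuation for c in password):
        errors.append("needs at least one punctuation symbol")
    # Control characters are never permitted, whatever the other rules say.
    if any(ord(c) < 32 or ord(c) == 127 for c in password):
        errors.append("control characters are not permitted")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def change_password(policy: PasswordPolicy, history: List[HistoryEntry],
                    candidate: str, now: datetime) -> List[str]:
    """Apply complexity, minimum lifetime and reuse limit; record the change if it passes.

    Returns the reasons the change was refused (empty list on success).
    """
    errors = complexity_errors(policy, candidate)
    if history:
        last = history[-1]
        if policy.min_lifetime is not None and now - last.changed_at < policy.min_lifetime:
            errors.append("minimum lifetime has not elapsed since the last change")
        # The candidate must differ from the last `reuse_limit` passwords: with a limit
        # of 3, A may return only after B, C and D have each been used.
        recent = history[-policy.reuse_limit:] if policy.reuse_limit > 0 else []
        for entry in recent:
            if hmac.compare_digest(_digest(candidate, entry.salt), entry.digest):
                errors.append("password was used recently")
                break
    if errors:
        return errors
    salt = os.urandom(16)
    history.append(HistoryEntry(salt, _digest(candidate, salt), now))
    return []


def password_expired(policy: PasswordPolicy, history: List[HistoryEntry], now: datetime) -> bool:
    """Maximum lifetime: once exceeded, the user must change the password before logging in."""
    if not history or policy.max_lifetime is None:
        return False
    return now - history[-1].changed_at > policy.max_lifetime


if __name__ == "__main__":
    # Constructed walk-through: with no minimum lifetime, A comes straight back after B, C, D.
    t0 = datetime(2024, 1, 1)
    no_min = PasswordPolicy(reuse_limit=3, min_lifetime=None)
    hist: List[HistoryEntry] = []
    for pw in ["Alpha-pw1", "Bravo-pw2", "Charlie-pw3", "Delta-pw4", "Alpha-pw1"]:
        print(pw, change_password(no_min, hist, pw, t0) or "accepted")
```

Running the block as a script shows all five changes accepted in a single instant; setting `min_lifetime` to a day makes the second change fail until the period has elapsed, which is the interaction the two options above warn about.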
Login History—Sets the amount of time problem logins (failed login attempts) are tracked. Individual problem logins are eliminated from the history when the Login History period expires.
Keep login history—Click the checkbox to enable login history. Additional options are displayed when this is enabled.
Keep history for at least—Enter a number in the integer field and then use the drop-down field to set a maximum lifetime for problem login attempts. Time periods available in the drop-down field are Minutes, Hours, Days, Weeks, Months, and Years.
Login Lockout—A user with too many sequential problem logins in a given period gets a special “lock” entry in the login history. The lock prevents the user from logging in. Locked users remain locked until this time period passes or the “lock” notice falls off the end of the login history table. Locked out users can create or edit issues via email.
NOTE
A system administrator can override the lockout by going to the Administration | System | User Management page, selecting Edit User, selecting the user to edit, and then clicking the Unlocked checkbox at the bottom of the page. In the same way, a workspace administrator can override the lockout from Administration | Workspace | Edit Agents.
Lockout user after too many sequential bad login attempts in monitoring period—Click the checkbox to enable lockout. Additional options are displayed when this is enabled.
Bad attempts until lockout—Enter a number specifying how many failed sequential login attempts can be made before the user is locked out of FootPrints.
NOTE
Someone knowing a user's ID can, by making repeated bad login attempts, lock that user out (i.e., a Denial of Service Attack). This would not affect a user who is logged in when the bad login attempts occurred.
Length of lockout—Enter a number in the integer field and then use the drop-down field to set a maximum lifetime for the lockout. Time periods available in the drop-down field are Minutes, Hours, Days, Weeks, Months, and Years. Once the lockout period expires, the user can again attempt to log in.
Monitoring period—Enter a number in the integer field and then use the drop-down field to set the length of the monitoring period. If a user has too many bad sequential login attempts during this period and lockout is enabled, the user is locked out of FootPrints. Time periods available in the drop-down field are Minutes, Hours, Days, Weeks, Months, and Years. Once the lockout period expires, the user can again attempt to log in.
Enter your password and click Save to complete the configuration.
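The Login History and Login Lockout options above describe a sliding monitoring window, a lock notice that lives in the login history table, and an administrator override. The following Python model, added here as an example rather than FootPrints code, implements that behaviour so the effect of each setting can be checked on a constructed timeline, including the point in the NOTE above that a correct password is refused while the lock is in force. The event kinds, the use of a successful login as the marker that ends a run of "sequential" failures, and the `attempt_login` helper are this example's own assumptions.

```python
"""Login history and lockout model for the options described above.

Added example: this is not FootPrints code. The event kinds, the way a
successful login ends a run of failures, and the sample timeline are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class LockoutPolicy:
    history_retention: timedelta = timedelta(days=30)      # Keep history for at least
    bad_attempts_until_lockout: int = 5                    # Bad attempts until lockout
    monitoring_period: timedelta = timedelta(minutes=15)   # Monitoring period
    lockout_length: timedelta = timedelta(hours=1)         # Length of lockout


@dataclass
class LoginEvent:
    at: datetime
    kind: str   # "fail", "lock", or "ok" (assumed separator that ends a failure run)


class LoginHistory:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.events: Dict[str, List[LoginEvent]] = {}

    def _prune(self, user: str, now: datetime) -> List[LoginEvent]:
        """Entries, lock notices included, fall off once the retention period expires."""
        kept = [e for e in self.events.get(user, [])
                if now - e.at <= self.policy.history_retention]
        self.events[user] = kept
        return kept

    def is_locked(self, user: str, now: datetime) -> bool:
        for event in reversed(self._prune(user, now)):
            if event.kind == "lock":
                return now - event.at < self.policy.lockout_length
        return False

    def unlock(self, user: str) -> None:
        """Administrator override: drop the lock notices (the Unlocked checkbox)."""
        self.events[user] = [e for e in self.events.get(user, []) if e.kind != "lock"]

    def record_failure(self, user: str, now: datetime) -> bool:
        """Store a problem login; return True when it triggers a lock."""
        events = self._prune(user, now)
        events.append(LoginEvent(now, "fail"))
        # Count the current run of failures, walking back until a success, a lock,
        # or the edge of the monitoring window.
        run = 0
        for event in reversed(events):
            if event.kind != "fail" or now - event.at > self.policy.monitoring_period:
                break
            run += 1
        if run >= self.policy.bad_attempts_until_lockout:
            events.append(LoginEvent(now, "lock"))
            return True
        return False

    def record_success(self, user: str, now: datetime) -> None:
        self._prune(user, now).append(LoginEvent(now, "ok"))


def attempt_login(history: LoginHistory, user: str, password_ok: bool,
                  now: datetime) -> str:
    """Outcome of one login attempt: "ok", "bad password" or "locked"."""
    if history.is_locked(user, now):
        return "locked"                # a correct password is refused while locked
    if password_ok:
        history.record_success(user, now)
        return "ok"
    return "locked" if history.record_failure(user, now) else "bad password"


if __name__ == "__main__":
    # Constructed timeline: three bad attempts inside the window lock the account,
    # and the real user's correct password is refused until the lockout expires.
    policy = LockoutPolicy(bad_attempts_until_lockout=3,
                           monitoring_period=timedelta(minutes=10),
                           lockout_length=timedelta(minutes=30))
    history = LoginHistory(policy)
    t = datetime(2024, 1, 1, 9, 0)
    for minutes, ok in [(0, False), (1, False), (2, False), (3, True), (33, True)]:
        print(f"+{minutes:2d} min:", attempt_login(history, "jsmith", ok, t + timedelta(minutes=minutes)))
```

The `unlock` method mirrors the administrator override in the NOTE above; failures spaced wider than the monitoring period never form a run, and a success in between resets the count, which is why the setting is about sequential attempts.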
Windows Authentication
When Windows Authentication is selected, the Windows domain password file is used to authenticate a user’s password.
To configure Windows Authentication:
Select Administration | System | Authentication from the FootPrints Toolbar.
Select Windows Authentication from either the Primary or Secondary Authentication drop-down list, then click GO.
Fill in the domain name in the box provided. Multiple domains can be added; each must be entered on a separate line.
Enter your Windows network password and click Save.
Your ID and password are checked against the domain password file. If either the ID or password isn’t found, you receive an error message, and the change to NT authentication is not made.
NOTE
A system administrator can lockout an individual user from the Administration | System | User Management page using the Edit User function. A locked user can be unlocked from the same page.
The network ID and FootPrints ID for every user in FootPrints must be identical. For example, if the user’s Windows domain ID is jsmith, her FootPrints ID must also be jsmith. This must be the case for all Agent and administrator users. If you do not require unique IDs and passwords for your employee customers or external customers, you can create a shared ID for all customers. That shared ID must still be present in the network password file. Refer to the section above for more information about how customer accounts can be created in FootPrints.
Note
If the specified domain exists, the system correctly authenticates against that domain. If the domain does not exist and a guest account is enabled on the FootPrints server, any password authenticates. To prevent this from happening, the Guest account on the server must be disabled. In addition, if a guest account exists in the correctly specified domain, any login also succeeds with any password when the user does not exist in that domain.
LDAP Authentication
When LDAP authentication is selected, the LDAP server is used to authenticate a user’s password.
To configure LDAP Authentication:
Select LDAP Authentication from either the Primary or Secondary Authentication drop-down list, then click GO.
Enter the LDAP Authentication Attribute. The LDAP Authentication Attribute is the attribute against which the user is authenticated, for example, uid, samaccountname, or mail.
Enter the LDAP server address (e.g., abc.widget.com).
Enter the LDAP server port (389 is the standard port). An additional option for users beside the standard LDAP port (389) is the Global Catalog port for Active Directory (3268). This enables LDAP to access additional users from trusted domains using a set of common LDAP attributes. The typical scenario in which this would be used is when a large organization has a number of offices that each maintains an Active Directory for its local users. Using the standard port, you might be able to retrieve only a local office's users. Using the Global Catalog port, you can often retrieve everyone, assuming the search base is set correctly.
Enter the LDAP base DN (Distinguished Name). This is the search base for user IDs (samaccountname or uid). An example is: ou=Users, dc=server, dc=com
Optionally enter login information to allow authentication, including DN and password. This can be left blank if the LDAP server allows anonymous binding.
If multiple DNs exist, enter each on a separate line. They are searched in order for authentication from top to bottom.
Enter your FootPrints password and click Save.
Your ID and password are checked against the LDAP server. If either the ID or password is not found, you receive an error message and the change to LDAP authentication is not made.
NOTE
A system administrator can lockout an individual user from the Administration | System | User Management page using the Edit User function. A locked user can be unlocked from the same page.
The LDAP ID and FootPrints ID for every user in FootPrints must be identical. For example, if the user’s LDAP ID is bjones, the FootPrints ID must also be bjones. This must be the case for all Agent and administrator users. If you do not require unique IDs and passwords for your employee customers or external customers, you can create a shared ID for all customers. That shared ID must still be present in the LDAP password file. Refer to the section above for more information about how customer accounts can be created in FootPrints.
The next section of this document describes how to configure LDAP security.
Configuring LDAP Security
Method of Security Used
By default, FootPrints communicates with LDAP via an unsecured connection. This topic describes how to use secured LDAP connections.
LDAP communication can be secured using Transport Layer Security (“TLS”). FootPrints uses a method called “Start TLS,” which means an initial connection is made to the LDAP server over the standard port (typically 389), and that same connection is then upgraded to a secured TLS connection on the standard LDAP port.
In addition to Start TLS, FootPrints also supports an LDAP secured connection (“LDAPS”), where TLS is used from the start over a dedicated secured port (typically 636).
Setting Start TLS:
Select Start TLS from the LDAP Security Type drop-down.
Select the SSL Version (if unsure, stay with the default).
Select how you wish to handle Certificate Verification. “Require” means that FootPrints will not connect to the remote LDAP server unless the server offers a certificate, which can be compared to the certificate uploaded by the administrator. If they are the same, the connection will be made. This is the most secure method. “Optional” also requires that a certificate be uploaded, but a comparison is only made if the server offers a certificate. In the absence of the server providing a certificate, the connection will be made. “None” means that no checking of a certificate will be required and therefore no certificate must be uploaded. Although the connection will be secured, there is no verification that FootPrints is connecting with the correct server.
If selecting “Require” or “Optional” for Certificate Verification, either a previous certificate can be used or a new one uploaded. In either case, the certificate provided must be the certificate of the certificate authority ("CA") that signed the server's certificate, in PEM (Base-64) format (this will be the server's own certificate if the certificate is self-signed). The certificate can be in any directory on the FootPrints server and can have any name, so long as it is in PEM format.
Setting LDAPS:
Select LDAPS from the LDAP Security Type drop-down.
Select how you wish to handle Certificate Verification and, for “Require” or “Optional”, supply the CA certificate in PEM format exactly as described for Start TLS above; the options and their meaning are the same for LDAPS.
NOTE
FootPrints secures only with server certificates, not client certificates.
Active Directory can use only LDAPS. (Refer to http://support.microsoft.com/?id=321051 for additional information.)
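The difference between the two flows (Start TLS upgrades an existing port-389 connection; LDAPS speaks TLS from the first byte on port 636) and the meaning of the three Certificate Verification settings are easy to get wrong when testing a directory server. The following Python example, added here and not FootPrints code, maps each setting onto a standard-library `ssl.SSLContext`, encodes the RFC 4511 Start TLS extended request and checks the server's result code, so an administrator can probe a server the same way before changing the FootPrints setting. The function names `tls_context`, `connect_ldap`, `starttls_request` and `starttls_result_code`, the sample response bytes and the TLS 1.2 floor are this example's own assumptions; the mode names and ports come from the page.

```python
"""Securing the LDAP connection: Start TLS versus LDAPS, and the three
certificate-verification modes named above.

Added example: this is not FootPrints code. The helpers and the sample
response bytes are this example's own; the mode names "Require", "Optional"
and "None" and the ports 389/636 come from the page.
"""
import socket
import ssl
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"      # RFC 4511 Start TLS extended operation
DEFAULT_PORTS = {"None": 389, "Start TLS": 389, "LDAPS": 636}


def tls_context(verification: str, ca_pem: Optional[str] = None,
                minimum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Map the Certificate Verification setting onto an SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum_version
    if verification in ("Require", "Optional"):
        if not ca_pem:
            raise ValueError(f"{verification} needs the CA certificate in PEM format")
        ctx.load_verify_locations(cafile=ca_pem)   # trust only the uploaded CA
        ctx.check_hostname = True
        # Python's client side treats CERT_OPTIONAL like CERT_REQUIRED: a server that
        # offers no certificate is refused, which is stricter than the page's "Optional".
        ctx.verify_mode = ssl.CERT_REQUIRED if verification == "Require" else ssl.CERT_OPTIONAL
    elif verification == "None":
        # Traffic is encrypted, but nothing proves we reached the right server.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unknown verification mode {verification!r}")
    return ctx


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one tag/length/value at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    message_id is assumed to be below 128 so it fits a single INTEGER octet.
    """
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))     # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)


def starttls_result_code(response: bytes) -> int:
    """resultCode of the ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, body, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = _read_tlv(body, 0)       # messageID INTEGER
    tag, ext, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _read_tlv(ext, 0)               # resultCode ENUMERATED comes first
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def connect_ldap(host: str, security_type: str, ctx: ssl.SSLContext,
                 port: Optional[int] = None, timeout: float = 5.0) -> socket.socket:
    """Open the connection in the chosen flow; returns a TLS socket except for "None"."""
    port = port or DEFAULT_PORTS[security_type]
    sock = socket.create_connection((host, port), timeout=timeout)
    if security_type == "LDAPS":
        return ctx.wrap_socket(sock, server_hostname=host)   # TLS from the first byte
    if security_type == "Start TLS":
        sock.sendall(starttls_request(1))
        code = starttls_result_code(sock.recv(4096))         # short reply; one recv suffices
        if code != 0:
            sock.close()
            raise ConnectionError(f"server refused Start TLS, resultCode {code}")
        return ctx.wrap_socket(sock, server_hostname=host)   # upgrade the same connection
    return sock


if __name__ == "__main__":
    # Constructed ExtendedResponse: messageID 1, resultCode success, empty matchedDN/diagnostic.
    sample_ok = bytes.fromhex("300c02010178070a010004000400")
    print("Start TLS request:", starttls_request(1).hex())
    print("sample resultCode:", starttls_result_code(sample_ok))
    print("None mode verifies:", tls_context("None").verify_mode != ssl.CERT_NONE)
```

Pass `tls_context("Require", "/path/to/ca.pem")` together with `connect_ldap(host, "LDAPS", ctx)` for the configuration the page calls most secure; with "None" the connection still encrypts but `check_hostname` is off, which is exactly the verification gap the page describes.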
UNIX Authentication
When UNIX authentication is selected, the UNIX password file is used to authenticate a user’s password. This option is only available if FootPrints is installed on a UNIX or Linux server.
To configure UNIX password authentication:
Select Administration | System | Authentication from the FootPrints Toolbar.
Select UNIX from either the Primary or Secondary Authentication drop-down list, then click GO.
Enter your FootPrints password and click Save.
Your ID and password are checked against the UNIX password file. If either the ID or password is not found, you receive an error message and the change to UNIX authentication is not made.
NOTE
A system administrator can lockout an individual user from the Administration | System | User Management page using the Edit User function. A locked user can be unlocked from the same page.
No additional information needs to be defined; FootPrints automatically finds the UNIX password file for the system. The UNIX ID and FootPrints ID for every user in FootPrints must be identical. For example, if the user’s UNIX ID is ebennet, the FootPrints ID must also be ebennet. This must be the case for all Agent and administrator users. If you do not require unique IDs and passwords for your employee customers or external customers, you can create a shared ID for all customers. That shared ID must still be present in the UNIX password file. Refer to the section above for more information about how customer accounts can be created in FootPrints.
Web Server Authentication
In this method, password checking is handled by the web server, not FootPrints.
To enable this feature:
Select Administration | System | Authentication from the FootPrints Toolbar.
Select Web Server Authentication from the Primary Authentication Method drop-down list.
Click GO.
In order to put the web server in charge of passwords, anonymous access must first be taken away from the five FootPrints web aliases: "footprints", "MRcgi", "help", "MRimg", and "tmp". If the web server is dedicated to running just FootPrints, you can disallow anonymous access on the whole site, instead of setting permissions on each alias.
On Windows: In IIS, right-click the alias (or the whole site), go to its properties, and disallow anonymous access.
On UNIX/Apache: Use a .htaccess file.
If anonymous access is disallowed, when the user tries to access the FootPrints login, one of two things happens: if the user is logged into the Windows domain where the web server runs, the user is considered authenticated already; otherwise, the user is prompted for the network/web access name and password by a dialog spawned from the web browser.
The user's password is authenticated according to the configuration of the web server. The FootPrints user ID must be identical to the user ID authenticated by the web server or access is not granted.
NOTE
Login lockout does not work for web server authentication.
Note
If Web Authentication is used, it must be the only authentication method; it cannot be combined with any other authentication method.
Switching Back to FootPrints Authentication
If Windows, LDAP, or UNIX authentication is chosen, then new users are created in FootPrints, and the authentication method is then switched back to FootPrints, the new users’ passwords default to their user IDs. Users who were added to FootPrints before switching to an alternative authentication method retain their original FootPrints passwords.
Security Notes on Denial of Service Attacks
Someone knowing a user's ID can, by making repeated bad login attempts, lock that user out (a denial of service attack). This would not affect a user who is logged in when the bad login attempts occurred.