General: password functionality and two-factor authentication

<< Click here to display Table of Contents >> Navigation: Axiell Designer > General topics:

Change/reset password functionality and two-factor authentication

Contents

The optional password changing and resetting functions and two-factor authentication usually need to be set up before they are accessible and functional. Although two-factor authentication and password resetting are separate functions, they use the same authentication service functionality and may share certain settings in the adlib.pbk. To users, the three functions appear as follows:

•

A Change password option may be present in the Account menu to allow users to change their password in the Collections interface if they still know their current password. This option will be visible by default if your Collections installation uses the Adlib database authentication method, but has to be set up to become visible if your Collections installation uses the Active Directory authentication method.

ChangePasswordOption

•

The Axiell Collections login screen may present the user with an option to reset his or her password, which comes in handy if the user forgot what it was. After clicking the Forgot your password link, a dialog will open in which you must enter your Collections user name and click the Request new password button: this will send an e-mail with a unique code to the user's e-mail address. In the next login dialog the user will have to enter this code within 10 minutes and click the Confirm code button. This will open another login dialog in which the user can enter a new password of choice: the user will have to enter it twice and click the Reset password button to finish the procedure.
The Forgot your password option will be visible only if the functionality has been set up properly (see below).

ResetPasswordLink

•

If set up properly, Collections can offer two-factor authentication as an extra security measure. This means that after entering login details and clicking the Sign in button, an e-mail with an authetication code is sent to the user's e-mail address. This code, which can only be used once, must then be entered in the second login dialog within 10 minutes.

TwoFactorDialog1

__________________________

An e-mail template for the two-factor authentication and password resetting functionality

Both functionalities send e-mails and you have control over the text in those e-mails. These texts must be stored in an .html file per interface language, which must all be placed in the Axiell folder containing the application .pbk file. The different translations of the template must be indicated by a language number at the end of the file name, like is custom for Collections print templates and system text files (English = 0, Dutch = 1, French = 2, German = 3, Arabic = 4, Italian = 5, Greek = 6, Portuguese = 7, Russian = 8, Swedish = 9, Hebrew = 10, Danish = 11, Norwegian = 12, Finnish = 13 and Chinese = 14). The template files for password resetting must be named PasswordResetEmail#.html (where # must be replaced by a language number, while the files for two-factor authentication must be named TwoFactorEmail#.html.

Examples for both HTML files are:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
Login authentication code
For securtiy reason please use the code below to sign in into Axiell Collections.
Your code is: [CODE]
This code is valid for 10 minutes.
If you did not request the login please ignore this email.
Kind regards,
Axiell
</body>
</html>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
Password reset code
You requested a password reset for your Axiell Collections account.
Please use this code to confirm your password request in Axiell Collections.
Your code is: [CODE]
This code is valid for 10 minutes.
If you did not request a password reset please ignore this email.
Kind regards,
Axiell
</body>
</html>

You can copy this code and change it at will, but leave the [CODE] parameter in there because that will automatically be replaced by an actual code for the user to enter in the relevant Collections dialog.

__________________________

Setup of password resetting/changing functionality with Active Directory authentication

By default the Collections application pool user (when it is an Active Directory Service Account) is not allowed to manage user passwords. Therefore you need to "delegate" this management to that user in Active Directory: of course you need to have Domain Administrator rights yourself to be able to do this. (If you don't have these rights, please contact your system administrator.)

In Active Directory right-click the OU (organization unit) in which the Collections users have been set up: then (if you have rights to delegate) select Delegate control in the pop-up menu. In the dialog which opens, click the Add button, search for the applicable IIS Service Account (that is used for Collections), select it and click Next. Then select the task you wish to delegate. This should be the Reset user passwords and force password change at next logon task. Click Next and finish the delegation.

DelegationDialog

Enabling the Change password option for Active Directory authentication

1.	First make sure that the <PasswordChangeAllowed>true</PasswordChangeAllowed> setting is present in the <LdapConfiguration> in your Collections settings.xml file.

2.	Then check if the Authentication method on the Application authentication properties tab is set to Active directory.

Together with password control delegation (see above) this will allow users to change their Collections password via the Change password option in the main menu.

Enabling the Forgot your password functionality for Active Directory authentication

1.	First make sure that the <PasswordChangeAllowed>true</PasswordChangeAllowed> setting is present in the <LdapConfiguration> in your Collections settings.xml file.

2.	Then check if the Authentication method on the Application authentication properties tab is set to Active directory.

3.	On the same properties tab you need to set the SMTP settings so that Collections knows which e-mail server to use for sending the e-mails.

The Forgot your password feature then needs to be switched on in the Collections settings.xml file via the <PasswordReset>true</PasswordReset> setting in the relevant <AlmSettings> section. This will enable the functionality and will display the Forgot your password? link in the login dialog. If you are now setting it from false to true, remember to recycle the application pool for Collections.

5.	Also make sure there are one or more PasswordResetEmail#.html templates present in the folder containing the .pbk file.

Together with password control delegation (see above) this will allow users to reset their Collections password via the Forgot your password option in the login dialog.

(If this isn't working straight away, try testing this functionality first on the localhost of the web server.)

Setup of two-factor authentication with Active Directory authentication

1.	First check if the Authentication method on the Application authentication properties tab is set to Active directory.

2.	On the same properties tab you need to set the SMTP settings so that Collections knows which e-mail server to use for sending the e-mails.

3.	Also set the (Two factor authentication) Provider option on the same tab to Email. (None disables the functionality and the other options are not functional yet.)

4.	Also make sure there are one or more TwoFactorEmail#.html templates present in the folder containing the .pbk file.

This will activate two-factor authentication for users. (Password control delegation is not required for this function.)

__________________________

Setup of password resetting/changing functionality with Adlib database authentication

Enabling the Change password option for Adlib database authentication

Simply check if the Authentication method on the Application authentication properties tab is set to Adlib database. This will allow users to change their Collections password via the Change password option in the main menu.

Enabling the Forgot your password functionality for Adlib database authentication

1.	Check if the Authentication method on the Application authentication properties tab is set to Adlib database.

2.	On the same properties tab you need to set the SMTP settings so that Collections knows which e-mail server to use for sending the e-mails.

Leave the Authentication server option empty to use the current Collections instance for authentication or enter the URL to a separate Collections application. If you use a separate Collections installation as the authentication server (typically for entreprise applications), the IIS application name must be followed by /Authentication (the controller name), e.g. http://ourmuseum.com/CollectionsAuthentication/Authentication. See the Authentication server option for more information.

5.	Also make sure there are one or more PasswordResetEmail#.html templates present in the folder containing the .pbk file.

This will allow users to reset their Collections password via the Forgot your password option in the login dialog.

Setup of two-factor authentication with Adlib database authentication

1.	First check if the Authentication method on the Application authentication properties tab is set to Adlib database.

2.	On the same properties tab you need to set the SMTP settings so that Collections knows which e-mail server to use for sending the e-mails.

4.	Also set the (Two factor authentication) Provider option on the same tab to Email. (None disables the functionality and the other options are not functional yet.)

5.	Also make sure there are one or more TwoFactorEmail#.html templates present in the folder containing the .pbk file.

This will activate two-factor authentication for users.