5.2 Configuring Password Policy for a Profile

You can configure a password policy for a specific group of users by using a password policy profile. You can create different profiles for different groups of users so that the policy specified in each profile is applied to the users that profile matches. Based on the policy in effect for a user, SSPR generates the rule text that is displayed on the change password page. To customize this text, use the Password Rule Text setting, which replaces the SSPR auto-generated text.

To configure password policy for a specific profile, perform the following steps:

  1. Click Profiles > Password Policy Profiles > default.

  2. (Conditional) If you want to create different profiles for different sets of users, click Edit List, then in the right pane add the profile names to the list by using Add Profile.

    SSPR does not allow you to rename a profile.

  3. In the Add Value field, enter the profile name.

    The profile name must have the following format:

    • Start with a letter (a-z or A-Z)

    • Contain only letters, numbers, and hyphens

    • Length between 2 and 15 characters

    You can include multiple profiles. During authentication, SSPR checks the default profile first, and then the other profiles in the order in which they are listed.

  4. Select the appropriate profile name.

  5. Configure the following settings:

    Field

    Description

    Password Policy Profile Match

    Specify the query that selects the users to whom this profile applies. Use Add Filter to match users by an LDAP filter (for example, on object class), or Add Group to match the members of an LDAP group.

    Minimum Length

    Specify the minimum length of password. Specify zero to disable this feature.

    Maximum Length

    Specify the maximum length of password. Specify zero to disable this feature.

    Maximum Repeat

    Specify the maximum number of times a character can be repeated in the password. This is case-insensitive. Specify zero to disable this feature.

    Maximum Sequential Repeat

    Specify the maximum number of times a character can be repeated consecutively in the password. This is case-insensitive. Specify zero to disable this feature.

    Allow Numeric Characters

    Select this check box to allow numeric characters in the password.

    Allow First Character Numeric

    Select this check box to allow the first character of the password to be numeric. This setting is applicable only when numeric characters are allowed in the password.

    Allow Last Character Numeric

    Select this check box to allow the last character of the password to be numeric. This setting is applicable only when numeric characters are allowed in the password.

    Maximum Numeric

    Specify the maximum number of numeric characters you want to allow in the password. This setting is applicable when you allow numeric characters in the password. Specify zero to disable this feature.

    Minimum Numeric

    Specify the minimum number of numeric characters required in the password. This setting is applicable only when you allow numeric characters in the password. Specify zero to disable this feature.

    Allow Special Characters

    Select this check box to allow non-alphanumeric characters in the password.

    Allow First Character Special

    Select this check box to allow a non-alphanumeric character to be the first character of the password. This setting is applicable only when you allow special characters in the password.

    Allow Last Character Special

    Select this check box to allow a non-alphanumeric character to be the last character of the password. This setting is applicable only when you allow special characters in the password.

    Maximum Special

    Specify the maximum number of special characters allowed in the password. This setting is applicable when you allow the special characters in the password. Specify zero to disable this feature.

    Minimum Special

    Specify the minimum number of special characters required in the password. This setting is applicable when you allow the special characters in the password. Specify zero to disable this feature.

    Maximum Alphabetic

    Specify the maximum number of alphabetic characters allowed in the password. Specify zero to disable this feature.

    Minimum Alphabetic

    Specify the minimum number of alphabetic characters required in the password. Specify zero to disable this feature.

    Maximum Non-Alphabetic

    Specify the maximum number of non-alphabetic characters allowed in the password. Specify zero to disable this feature.

    Minimum Non-Alphabetic

    Specify the minimum number of non-alphabetic characters required in the password. Specify zero to disable this feature.

    Maximum Uppercase

    Specify the maximum number of uppercase characters allowed in the password. Specify zero to disable this feature.

    Minimum Uppercase

    Specify the minimum number of uppercase characters required in the password. Specify zero to disable this feature.

    Maximum Lowercase

    Specify the maximum number of lowercase characters allowed in the password. Specify zero to disable this feature.

    Minimum Lowercase

    Specify the minimum number of lowercase characters required in the password. Specify zero to disable this feature.

    Minimum Unique Characters

    Specify the minimum number of unique characters required in the password. Specify zero to disable this feature.

    Maximum Characters from Previous Password

    Specify the maximum number of characters that a user can reuse from the previous password in the new password. Specify zero to disable this feature.

    Enable Wordlist

    Select this check box to check new passwords against the configured wordlist. A password that appears in the wordlist is rejected.

    Active Directory Password Complexity

    Select the Microsoft Active Directory style password complexity rules from the drop down list:

    AD 2003 Level Complexity: Select this setting to use the following password complexity rules:

    • Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters

    • Be at least six characters in length

    • Contain characters from three of the following four categories:

      • English uppercase characters (A through Z)

      • English lowercase characters (a through z)

      • Base 10 digits (0 through 9)

      • Non-alphabetic characters (for example, !, $, #, %)

        NOTE: This option is allowed on Windows Server 2008 R2 SP1 or later.

    AD 2008 Level Complexity: Select this setting to use the following password complexity rules:

    • Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters

    • Minimum 6 characters

    • Maximum 512 characters

    • Must contain characters from the following categories. The number of categories that a password may lack is set by the Active Directory 2008 Password Complexity Maximum Violations setting of the same profile (described below in this table).

      • European language uppercase alphabetic characters

      • European language lowercase alphabetic characters

      • Base 10 digits (0 through 9)

      • Non-alphabetic characters (for example, !, $, #, %)

      • Other alphabetic characters not included in the other categories

    None: Select this setting if you do not require any of the Active Directory password complexity rules.

    NOTE: SSPR enforces a password policy that combines the SSPR profile settings with the selected Active Directory complexity rules. Hence, the change password page displays the combined SSPR and Active Directory rules.

    If you need the effective policy to match the Active Directory complexity rules exactly, set the minimum and maximum character settings in the SSPR profile to the values required by Active Directory.

    Active Directory 2008 Password Complexity Maximum Violations

    Specify the maximum number of AD 2008 Level Complexity category violations that are allowed for users; that is, how many of the five character categories a password may lack and still be accepted.

    This setting is applicable if the Active Directory Password Complexity setting is set to AD 2008 Level Complexity.

    Disallowed Values

    Specify the list of case-insensitive values that you do not want to allow in the password, for example, password, username, and the name of the organization.

    Minimum Password Strength

    Specify the minimum password strength level required. SSPR scores password strength on a numeric scale: values from 45 to 69 are considered good and values above 69 are considered strong. A value of zero disables this check.

    Password Change Message

    Specify the message to be displayed to the user during password changes. You can include HTML tags in messages.

    NOTE: A change password message read as part of an LDAP password policy may override this setting.

    Required Regular Expression Matches (Advanced)

    Specify one or more regular expression patterns that a valid password must match. Each pattern must be a valid regular expression. A pattern must match the entire password to be satisfied; a partial match is not accepted.

    Disallowed Regular Expression Matches (Advanced)

    Specify one or more regular expression patterns that a password must not match to be allowed. A pattern rejects a password only if it matches the entire password; a partial match is ignored. To reject a substring wherever it occurs, surround the pattern with .* on both sides.

    Disallowed Attributes (Advanced)

    Specify the list of LDAP attributes whose values must not appear in the password. The comparison is case-insensitive. For example, cn and sn.

    Password Rule Text

    Specify the password rules that you want to display to users. If you do not specify the full path, SSPR uses the WEB-INF directory by default.

    By default, this field is blank and an appropriate rule text is automatically generated. When you configure this setting, the text in this setting replaces the automatically generated rule text. You can use HTML tags.

    Disallow Current Password (Advanced)

    Select this check box if you want to prevent users from reusing the current password as the new password. This check can only be enforced when the login method makes the user's current password available to SSPR; otherwise the setting has no effect.
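The following is an added example, not SSPR's own code or configuration: a small Python checker that applies the rule semantics described in the table above (length, repeat, character-class counts, reuse from the previous password, AD 2003/2008 complexity with maximum violations, disallowed values, and the full-match behaviour of the two regular expression rules) to a candidate password and returns the names of the rules it violates. The policy values, the user names and the sample passwords are constructed for illustration; where the page is silent on an edge case (how repeats and reused characters are counted, what counts as a "part" of the full name), the interpretation is an assumption and is marked as such in the code.

```python
"""Added example (not SSPR's code): check a candidate password against the
rule semantics described above. A value of 0 means "disabled", as in SSPR."""
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 0
    max_repeat: int = 0               # occurrences of one char anywhere, case-insensitive
    max_sequential_repeat: int = 0    # adjacent occurrences, case-insensitive
    min_numeric: int = 0
    min_special: int = 0
    min_unique: int = 0
    max_from_previous: int = 0
    ad_complexity: str = "NONE"       # "NONE", "AD2003" or "AD2008"
    ad2008_max_violations: int = 2    # categories (of 5) the password may lack
    disallowed_values: list = field(default_factory=list)
    required_regex: list = field(default_factory=list)
    disallowed_regex: list = field(default_factory=list)


def _ad_categories(pw):
    """Presence of each AD category: upper, lower, digit, non-alphanumeric,
    and (AD 2008 only) other alphabetic characters such as CJK letters."""
    return [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
        any(c.isalpha() and not (c.isupper() or c.islower()) for c in pw),
    ]


def _name_parts(username, full_name):
    """Account name plus full-name tokens longer than two characters.
    Assumption: tokens are split on comma, period, hyphen, underscore, space, hash, tab."""
    parts = [username] if username else []
    if full_name:
        parts += [p for p in re.split(r"[,.\-_ #\t]+", full_name) if len(p) > 2]
    return [p.lower() for p in parts]


def validate(policy, password, username="", full_name="", previous=""):
    """Return the list of rule names the password violates (empty list = accepted)."""
    pw, low, errors = password, password.lower(), []
    if policy.min_length and len(pw) < policy.min_length:
        errors.append("Minimum Length")
    if policy.max_length and len(pw) > policy.max_length:
        errors.append("Maximum Length")
    # Assumption: "repeated N times" means N occurrences in total.
    if policy.max_repeat and max((low.count(c) for c in set(low)), default=0) > policy.max_repeat:
        errors.append("Maximum Repeat")
    longest_run = max((len(m.group()) for m in re.finditer(r"(.)\1*", low)), default=0)
    if policy.max_sequential_repeat and longest_run > policy.max_sequential_repeat:
        errors.append("Maximum Sequential Repeat")
    if policy.min_numeric and sum(c.isdigit() for c in pw) < policy.min_numeric:
        errors.append("Minimum Numeric")
    if policy.min_special and sum(not c.isalnum() for c in pw) < policy.min_special:
        errors.append("Minimum Special")
    if policy.min_unique and len(set(pw)) < policy.min_unique:
        errors.append("Minimum Unique Characters")
    # Assumption: reuse counts characters of the new password that also occur
    # anywhere in the previous one, case-insensitively.
    if policy.max_from_previous and previous:
        if sum(c in previous.lower() for c in low) > policy.max_from_previous:
            errors.append("Maximum Characters from Previous Password")
    if policy.ad_complexity in ("AD2003", "AD2008"):
        if any(part in low for part in _name_parts(username, full_name)):
            errors.append("AD Complexity: contains account name or part of full name")
        cats = _ad_categories(pw)
        if policy.ad_complexity == "AD2003":
            if len(pw) < 6 or sum(cats[:4]) < 3:
                errors.append("AD 2003 Complexity: need 3 of 4 categories, length >= 6")
        elif len(pw) < 6 or len(pw) > 512 or (5 - sum(cats)) > policy.ad2008_max_violations:
            errors.append("AD 2008 Complexity: too many category violations or bad length")
    for value in policy.disallowed_values:          # case-insensitive substring match
        if value.lower() in low:
            errors.append(f"Disallowed Values: {value}")
    # Both regex rules use full-match semantics: a pattern that matches only
    # part of the password neither satisfies a required rule nor triggers a
    # disallowed one, so substring patterns need .* on both sides.
    for pattern in policy.required_regex:
        if not re.fullmatch(pattern, pw):
            errors.append(f"Required Regular Expression Matches: {pattern}")
    for pattern in policy.disallowed_regex:
        if re.fullmatch(pattern, pw):
            errors.append(f"Disallowed Regular Expression Matches: {pattern}")
    return errors


# Constructed sample profile, roughly what an administrator might configure.
EXAMPLE_POLICY = PasswordPolicy(
    min_length=10, max_repeat=3, max_sequential_repeat=2, min_numeric=1,
    min_special=1, min_unique=6, max_from_previous=5,
    ad_complexity="AD2008", ad2008_max_violations=2,
    disallowed_values=["password", "example"],
    required_regex=[r"\S+"],                 # no whitespace anywhere
    disallowed_regex=[r".*(19|20)\d\d.*"],   # a four-digit year anywhere
)

if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "Password2023!!!", "MrSmith#9xyz", "abcdefghij12"]:
        print(candidate, "->", validate(EXAMPLE_POLICY, candidate, "jsmith", "John Smith") or "OK")
```

Running the block shows why the disallowed pattern carries `.*` on both sides: with `(19|20)\d\d` alone, a password such as Password2023 is accepted because the pattern matches only part of it, mirroring the "partial match is ignored" behaviour described above.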