Secure Password Administrator does not allow for web-based password history or password aging (NETIQKB44178)

  • 7744178
  • 02-Feb-2007
  • 06-Oct-2011

Environment

Secure Password Administrator 1.0

Situation

Secure Password Administrator does not allow for web-based password history or password aging.

There is no way to force a password reset at next logon.

Secure Password Administrator does not notify Administrators by email when a SPA profile account is created or when an account is added to or removed from a profile.

Resolution

Hotfix NETIQKB44178 allows you to enforce password policy, such as password history, and receive notifications when users or administrators modify the Secure Password Administrator (SPA) profiles. Password policy is disabled by default.


SETTING PASSWORD HISTORY AND AGING THRESHOLDS

You can set how Secure Password Administrator enforces password history and password aging.

Use password history to track account passwords specified through the Secure Password Administrator Self-Service site. Because Secure Password Administrator applies password history against the SPA profile, you can ensure users do not recycle recently used passwords across their accounts. This setting requires users to specify a different password each time they reset account passwords using Secure Password Administrator.

Use password aging to control how many days a user must wait between password resets using Secure Password Administrator. Secure Password Administrator enforces this setting alongside your native Windows password aging policy.

By default, password history and password aging are disabled.

To set password history and aging thresholds:

  1. Start Internet Explorer and navigate to the Secure Password Administrator Admin site.
  2. Specify the credentials of a member of the DRA Admins AA group, and then click Log on.
  3. Click Configure SPA Profile Settings.
  4. On the SPA Profile Settings window, specify values for the following options:
     * Number of passwords to remember for each SPA profile.
     * Number of days user must wait to reset password again.
  5. Click Save Changes.


ENFORCING PASSWORD RESETS AT NEXT LOGON

You can configure Secure Password Administrator to set the native User must change password at next logon flag when resetting account passwords. By default, this setting is disabled.

To enforce password resets at next logon:

  1. Start Internet Explorer and navigate to the Secure Password Administrator Admin site.
  2. Specify the credentials of a member of the DRA Admins AA group, and then click Log on.
  3. Click Configure SPA Profile Settings.
  4. On the SPA Profile Settings window, select User must reset password at next Windows logon.
  5. Click Save Changes.


CONFIGURING SPA PROFILE EMAIL NOTIFICATIONS

You can configure Secure Password Administrator to notify the DRA Admin and the SPA profile owner when the following events occur:

  • A user creates a new SPA profile
  • A user adds an account to a SPA profile
  • An administrator adds or removes an account from a SPA profile using the Search for SPA Profiles window

By default, Secure Password Administrator sends email notifications to the SPA profile owner only. Secure Password Administrator does not send email notifications to reflect changes that result from importing a SPA Profile Management file.

For each email notification type, you can modify any of the following settings:

  • Additional email recipients
  • Whether Secure Password Administrator notifies the SPA profile owner
  • Email subject and body text

To configure SPA profile email notifications:

  1. Start Internet Explorer and navigate to the Secure Password Administrator Admin site.
  2. Specify the credentials of a member of the DRA Admins AA group, and then click Log on.
  3. Click Configure Email Notifications.
  4. On the Configure Email Notifications window, navigate to the email notification you want to configure. For example, to modify the email notification that Secure Password Administrator sends when a user adds an account to a SPA profile, navigate to the Account Added to SPA Profile Email.
  5. Modify the appropriate values, and then click Save Changes.

 

INSTALLING THE HOTFIX


To install this hotfix, run the SPA10000_Hotfix44178.exe file on your Secure Password Administrator Web server computer.

This hotfix modifies the following files on the Secure Password Administrator Web server computer:

  • bin\SpaCommon.dll
  • bin\SpaMsg.dll
  • bin\SpaJniWebService.dll
  • config\ApplicationResources.properties
  • config\ApplicationResources_en.properties
  • config\ApplicationResources_en_NETIQKB44178.properties
  • database\SPA_DB_NETIQKB44178.sql
  • database\SPA_Properties_NETIQKB44178.sql
  • lib\spa.jar

By default, these files are located in the Program Files\NetIQ\SPA folder.

Additional Information

Formerly known as NETIQKB44178