Allowing or Forcing Password Reset
Occasionally, EFT users may want to change their passwords. You may also want them to change their password the first time they log in with the temporary password that you've assigned them. The account management page is provided (via HTTPS) for users to change their passwords without intervention from the system administrator. (You can enable the password reset page while disallowing general access to HTTP or HTTPS, but you still must provide an SSL certificate.)
If Force users to change their first-time password immediately upon first use check box is selected, users are forced to change their passwords the first time that they log in to the server. When a new user logs in to EFT via the HTTP or HTTPS index page, EFT redirects the user to the Change Password page (e.g., https://localhost:4439/EFTClient/Account/ChangePassword.htm). After the user creates a new password, they are returned to the home page.
-
On AD/LDAP Sites, if you have enabled theUser must change password at next logonfeature in AD, you must enable (set to "on") the registry setting described in KB article 10516.
-
If you have enabled theUser cannot change passwordfeature in AD, users will not be able to change their passwords.
-
On LDAP Sites, if you have enabled DMZ Gateway, you can also enable theSuppress "Forgot Password" optionforAll Domains,Internal Domain, orExternal Domain.
When a user logs in to the HTTPS index page for the first time, the user is automatically redirected to the change password page if:
-
The Enable account management page over HTTPS check box is selected and the user logs in with a temporary password.
-
The Enable account management page over HTTPS and the Redirect all plaintext HTTP traffic to HTTPS check box are selected, and the user logs in with a temporary password.
-
The user logs in with a temporary password to the FTP port or SFTP engine. (No commands are allowed other than exiting or changing the password until the password has been changed; the user is prompted to change the password.)
-
If an administrator logs in using a temporary password, a warning appears to prompt the administrator to supply a new password.
There is no way to ask FTP users to change their password prior to logging in. We must allow them to actually login (authenticate) but then prevent any further interaction with their session until they change their password.
You can configure password reset on the Site, Settings Template, and for each user. (The Site setting Force users to change their first-time password immediately upon first use is inherited by the Settings Templates; the Settings Template setting is inherited by the users in that Settings Template.)
To configure the Site, Settings Template, or user account to allow or force password reset
-
In the administration interface, connect to EFT and click the Server tab.
-
On the Server tab, click the Site, Settings Template, or user account that you want to configure.
-
In the right pane, click the Security tab.
Site > Security tab:
-
Select the Allow users to reset their passwords check box.
-
If you want users to reset their password the first time they log in to the server, select the Force users to change their first-time password immediately upon first use check box.
-
If you want a user to reset the password the next time they log in to the server (whether they were newly created or of the administrator rest the password), select the Force user to change their password immediately upon next use check box.
-
If you want to configure password expiration options, click Configure.
-
-
On an LDAP Site, if you want to hide the Forgot Password option in the Web Transfer Client, select the Suppress "Forgot Password" option check box, then specify whether you want it hidden for All Domains, the Internal Domain, or the External Domain. (Not available on non-LDAP Sites.)
-
Click Apply to save the changes on EFT. Users will be prompted to change their password when they log in to the Site.
When a password is reset, EFT verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:
-
In HTTPS and SFTP, the authentication request will be denied.
-
In FTP, no further FTP commands will be accepted until the new password is provided and meets complexity and password history requirements, if those features are enabled.