Allowing or Forcing Password Reset
Occasionally, EFT users may want to change their passwords. You may also want them to change their password the first time they log in with the temporary password that you've assigned them. The account management page is provided (via HTTPS) for users to change their passwords without intervention from the system administrator. (You can enable the password reset page while disallowing general access to HTTP or HTTPS, but you still must provide an SSL certificate.)
If Force users to change their first-time password immediately upon first use check box is selected, users are forced to change their passwords the first time that they log in to the server. When a new user logs in to EFT via the HTTP or HTTPS index page, EFT redirects the user to the Change Password page. After the user creates a new password, they are returned to the home page.
Change password page URL: https://<EFT Site>/Web/Account/ChangePassword.htm
-
On AD/LDAP Sites, if you have enabled the User must change password at next logon feature in AD, you must enable (set to "on") the registry setting described in KB article 10516.
-
If you have enabled the User cannot change password feature in AD, users will not be able to change their passwords.
-
On LDAP Sites, if you have Allowing or Forcing Password Reset, you can also enable the Suppress "Forgot Password" option for All Domains, Internal Domain, or External Domain.
-
See also the "PasswordResetLinkExpirationPeriodMinutes" advanced property.
When a user logs in to the HTTPS index page for the first time, the user is automatically redirected to the change password page if:
-
The Enable account management page over HTTPS check box is selected and the user logs in with a temporary password.
-
The Enable account management page over HTTPS and the Redirecting HTTP to HTTPS check box are selected, and the user logs in with a temporary password.
-
The user logs in with a temporary password to the FTP port or SFTP engine. (No commands are allowed other than exiting or changing the password until the password has been changed; the user is prompted to change the password.)
-
If an administrator logs in using a temporary password, a warning appears to prompt the administrator to supply a new password. ("Temporary password" means the administrator created a password for them and selected the check box requiring them to change the password when they log in for the first time with that password.)
There is no way to ask FTP users to change their password prior to logging in. We must allow them to actually login (authenticate) but then prevent any further interaction with their session until they change their password.
You can configure password reset on the Site, Settings Template, and for each user. (The Site setting Force new users to change their first-time password immediately upon first use is inherited by the Settings Templates.)
To configure the Site, Settings Template, or user account to allow or force password reset
-
In the administration interface, click the Server tab.
-
On the Server tab, click the Site, Settings Template, or User, then click the Security tab.
-
Select the Allow users to reset their passwords check box.
-
On the Site or Settings Template Security tab, to reset their password the first time the user logs in to the server, select the Force new users to change their first-time password immediately upon first use check box.
-
On the User's Security tab, to reset the password the next time the user logs in to the server (whether they were newly created or of the administrator rest the password), select the Force user to change their password immediately upon next use check box.
-
To configure password expiration options, click Configure.
-
On an LDAP Site, to hide the Forgot Password option in the Web Transfer Client, select the Suppress "Forgot Password" option check box, then specify whether you want it hidden for All Domains, the Internal Domain, or the External Domain. (Not available on non-LDAP Sites.)
-
Click Apply to save the changes on EFT. Users will be prompted to change their password when they log in to the Site.
When a password is reset, EFT verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:
-
In HTTPS and SFTP, the authentication request will be denied.
-
In FTP, no further FTP commands will be accepted until the new password is provided and meets complexity and password history requirements, if those features are enabled.