Application authentication

This topic describes how to set the password policy when using LoadRunner Enterprise's built-in user management authentication.

Note: We recommend using SSO or LDAP because they are a more secure type of authentication. For details, see LDAP authentication and SSO authentication.

Overview

When using internal application authentication, the LoadRunner Enterprise administrator can use the default password policy, or can set the password policy according to the needs of their organization.

The LoadRunner Enterprise administrator and the tenant user can change passwords for users that are set to log in to LoadRunner Enterprise using their LoadRunner Enterprise passwords. For details, see Change a user's password.

Set the password policy

This task describes how to set the password policy.

In LoadRunner Enterprise Administration, select Configuration > Site Configuration, and click the Authentication Type tab.

Click the Application dropdown to display the password policy settings. You can use the default settings, or make changes as required.

Note: The default values are our recommended minimum requirements for secure password policies.

Password must contain at least	`X` alphabetical characters `X` numeric characters `X` lowercase characters `X` uppercase characters `X` special characters Default: All are selected with a value of 1
Password must	be between `X` and `Y` characters in length (this is the default setting, and it has values of 8 and 20) start with `X` alphanumeric characters (when selected, the default value is 1)
Password cannot include	user's login name user's full name user's email Default: All settings are cleared
Lock the user	for `X` minutes after `Y` consecutive failed login attempts, when the time between attempts is less than `Z` minutes. Default: Selected with values of 30, 5, and 5 Note: If an account is locked, a user can request a password reset. For details, see Unlock a user account.

Click Save to save the password policy settings.

To restore your previous password policy settings, click the Restore button .
Click Select this authentication type to set Application as the authentication type for all users.

Unlock a user account

If a user is locked out of LoadRunner Enterprise or LoadRunner Enterprise Administration as a result of too many unsuccessful login attempts, they can do the following:

Click Forgot or want to change password in the LoadRunner Enterprise or LoadRunner Enterprise Administration Login window, and request a password reset.
Ask the site administrator to change the user's password.
- For details on changing a LoadRunner Enterprise user password, see Change a user's password.
- For details on changing a Site Management user password, see Create and manage Site Management users.
Wait the configured amount of time for the account to be released, and then try to log in again.

Rate limit authentication requests

You can enable rate limiting to protect LoadRunner Enterprise applications from brute‑force attacks. Rate limiting provides additional security by enabling you to set the maximum number of user authentication requests that the application can receive within a specific time period.

Application Description

Application	Description
LoadRunner Enterprise	To rate limit authentication requests for LoadRunner Enterprise: Open the <LRE_server_installdir>\PCWEB\Web.config file in a text editor, and set the EnabledRateLimitingAuthentication parameter to `true`. The default value is `false`. You can use the default authentication rate limit of 1,500 password attempts in 5 minutes, or change the rate as required. Example:
LoadRunner Enterprise Administration	To rate limit authentication requests for LoadRunner Enterprise Administration: Go to <LRE_server_installdir>\LRE_ADMIN\binary and open the appsettings.defaults.json file. In the RouteLimiter section, add `"/rest/authentication-point/authenticate"` to the path. By default, the path is empty. You can use the default authentication rate limit of 1,500 password attempts in 300 seconds (5 minutes), or change the rate policy as required. Example:
Site Management	To rate limit authentication requests for Site Management: Go to <LRE_server_installdir>\LRE_SITE\binary and open the appsettings.defaults.json file. In the RouteLimiter section, add `"/rest/authenticate"` to the path. By default, the path is empty. You can use the default authentication rate limit of 1,500 password attempts in 300 seconds (5 minutes), or change the rate policy as required. Example:

LoadRunner Enterprise

To rate limit authentication requests for LoadRunner Enterprise:

Open the <LRE_server_installdir>\PCWEB\Web.config file in a text editor, and set the EnabledRateLimitingAuthentication parameter to true. The default value is false.
You can use the default authentication rate limit of 1,500 password attempts in 5 minutes, or change the rate as required.

LoadRunner Enterprise Administration

To rate limit authentication requests for LoadRunner Enterprise Administration:

Go to <LRE_server_installdir>\LRE_ADMIN\binary and open the appsettings.defaults.json file.
In the RouteLimiter section, add "/rest/authentication-point/authenticate" to the path. By default, the path is empty.
You can use the default authentication rate limit of 1,500 password attempts in 300 seconds (5 minutes), or change the rate policy as required.

Site Management

To rate limit authentication requests for Site Management:

Go to <LRE_server_installdir>\LRE_SITE\binary and open the appsettings.defaults.json file.
In the RouteLimiter section, add "/rest/authenticate" to the path. By default, the path is empty.
You can use the default authentication rate limit of 1,500 password attempts in 300 seconds (5 minutes), or change the rate policy as required.

Application authentication

Overview

Set the password policy

Unlock a user account

Rate limit authentication requests

Send Help Center Feedback