Application authentication

This topic describes how to set the password policy when using LoadRunner Enterprise's built-in user management authentication.

Note: We recommend using SSO or LDAP because they are a more secure type of authentication. For details, see LDAP authentication and SSO authentication.

Overview

When using internal application authentication, the LoadRunner Enterprise administrator can use the default password policy, or can set the password policy according to the needs of their organization.

The LoadRunner Enterprise administrator and the tenant user can change passwords for users that are set to log in to LoadRunner Enterprise using their LoadRunner Enterprise passwords. For details, see Change a user's password.

Back to top

Set the password policy

This task describes how to set the password policy.

  1. In LoadRunner Enterprise Administration, select Configuration > Site Configuration, and click the Authentication Type tab.

  2. Click the Application dropdown to display the password policy settings. You can use the default settings, or make changes as required.

    Note: The default values are our recommended minimum requirements for secure password policies.

    Password must contain at least
    • X alphabetical characters

    • X numeric characters

    • X lowercase characters

    • X uppercase characters

    • X special characters

    Default: All are selected with a value of 1

    Password must
    • be between X and Y characters in length (this is the default setting, and it has values of 8 and 20)

    • start with X alphanumeric characters (when selected, the default value is 1)

    Password cannot include
    • user's login name

    • user's full name

    • user's email

    Default: All settings are cleared

    Lock the user

    for X minutes after Y consecutive failed login attempts, when the time between attempts is less than Z minutes.

    Default: Selected with values of 30, 5, and 5

    Note: If an account is locked, a user can request a password reset. For details, see Unlock a user account.

  3. Click Save to save the password policy settings.

    To restore your previous password policy settings, click the Restore button .

  4. Click Select this authentication type to set Application as the authentication type for all users.

Back to top

Unlock a user account

If a user is locked out of LoadRunner Enterprise or LoadRunner Enterprise Administration as a result of too many unsuccessful login attempts, they can do the following:

  • Click Forgot or want to change password in the LoadRunner Enterprise or LoadRunner Enterprise Administration Login window, and request a password reset.

  • Ask the site administrator to change the user's password.

  • Wait the configured amount of time for the account to be released, and then try to log in again.

Back to top

Rate limit authentication requests

You can enable rate limiting to protect LoadRunner Enterprise applications from brute‑force attacks. Rate limiting provides additional security by enabling you to set the maximum number of user authentication requests that the application can receive within a specific time period.

Application Description
LoadRunner Enterprise

To rate limit authentication requests for LoadRunner Enterprise:

  1. Open the <LRE_server_installdir>\PCWEB\Web.config file in a text editor, and set the EnabledRateLimitingAuthentication parameter to true. The default value is false.

  2. You can use the default authentication rate limit of 1,500 password attempts in 5 minutes, or change the rate as required.

LoadRunner Enterprise Administration

To rate limit authentication requests for LoadRunner Enterprise Administration:

  1. Go to <LRE_server_installdir>\LRE_ADMIN\binary and open the appsettings.defaults.json file.

  2. In the RouteLimiter section, add "/rest/authentication-point/authenticate" to the path. By default, the path is empty.

  3. You can use the default authentication rate limit of 1,500 password attempts in 300 seconds (5 minutes), or change the rate policy as required.

Site Management

To rate limit authentication requests for Site Management:

  1. Go to <LRE_server_installdir>\LRE_SITE\binary and open the appsettings.defaults.json file.

  2. In the RouteLimiter section, add "/rest/authenticate" to the path. By default, the path is empty.

  3. You can use the default authentication rate limit of 1,500 password attempts in 300 seconds (5 minutes), or change the rate policy as required.

Back to top

See also: