Application authentication
This topic describes how to set the password policy when using the built-in user management authentication.
Note: We recommend using SSO or LDAP because they are more secure types of authentication. For details, see LDAP authentication and SSO authentication.
Overview
When using internal application authentication, you can use the default password policy, or set the password policy according to the needs of your organization.
The OpenText Enterprise Performance Engineering administrator and the tenant user can change passwords for users that are set to sign in using their OpenText Enterprise Performance Engineering passwords. For details, see Change a user's password.
Set the password policy
This task describes how to set the password policy.
- In Administration, select Configuration > Site Configuration, and click the Authentication Type tab.
- Click the Application dropdown to display the password policy settings. You can use the default settings, or make changes as required.
Note: The default values are our recommended minimum requirements for secure password policies.
Password must contain at least:
  - X alphabetical characters
  - X numeric characters
  - X lowercase characters
  - X uppercase characters
  - X special characters
Default: All are selected with a value of 1
Password must:
  - be between X and Y characters in length (this is the default setting, and it has values of 8 and 20)
  - start with X alphanumeric characters (when selected, the default value is 1)
Password cannot include:
  - user's login name
  - user's full name
  - user's email
Default: All settings are cleared
Lock the user for X minutes after Y consecutive failed login attempts, when the time between attempts is less than Z minutes.
Default: Selected with values of 30, 5, and 5
Note: If an account is locked, a user can request a password reset. For details, see Unlock a user account.
- Click Save to save the password policy settings.
  To restore your previous password policy settings, click the Restore button.
- Click Select this authentication type to set Application as the authentication type for all users.
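The password policy settings above, expressed as a check that a provisioning script could run before submitting a password. This is an added example, not OpenText code: the `PasswordPolicy` and `violations` names are hypothetical, and the definition of a special character and the case-insensitive substring matching for the identity rules are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    # Defaults as stated on this page; None or False means the setting is cleared.
    min_alpha: Optional[int] = 1
    min_numeric: Optional[int] = 1
    min_lower: Optional[int] = 1
    min_upper: Optional[int] = 1
    min_special: Optional[int] = 1
    length_range: Optional[Tuple[int, int]] = (8, 20)
    start_alnum: Optional[int] = None  # "start with X alphanumeric characters"
    forbid_login: bool = False
    forbid_full_name: bool = False
    forbid_email: bool = False


def violations(pw, policy=PasswordPolicy(), login="", full_name="", email=""):
    """Return a list of rule violations; an empty list means compliant."""
    out = []
    # Assumption: "special" means any character that is not a letter or digit.
    counts = {
        "alphabetical": (policy.min_alpha, sum(c.isalpha() for c in pw)),
        "numeric": (policy.min_numeric, sum(c.isdigit() for c in pw)),
        "lowercase": (policy.min_lower, sum(c.islower() for c in pw)),
        "uppercase": (policy.min_upper, sum(c.isupper() for c in pw)),
        "special": (policy.min_special, sum(not c.isalnum() for c in pw)),
    }
    for kind, (need, have) in counts.items():
        if need is not None and have < need:
            out.append(f"needs at least {need} {kind} character(s)")
    if policy.length_range is not None:
        lo, hi = policy.length_range
        if not lo <= len(pw) <= hi:
            out.append(f"length must be between {lo} and {hi}")
    if policy.start_alnum is not None:
        head = pw[:policy.start_alnum]
        if len(head) < policy.start_alnum or not head.isalnum():
            out.append(f"must start with {policy.start_alnum} alphanumeric character(s)")
    # Assumption: identity rules are case-insensitive substring matches.
    for on, value, label in ((policy.forbid_login, login, "login name"),
                             (policy.forbid_full_name, full_name, "full name"),
                             (policy.forbid_email, email, "email")):
        if on and value and value.lower() in pw.lower():
            out.append(f"must not include the user's {label}")
    return out
```

With the defaults, the three "Password cannot include" rules are cleared, so a password containing the login name passes unless you construct the policy with `forbid_login=True`.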
Unlock a user account
If a user is locked out of the Performance testing application or Administration as a result of too many unsuccessful login attempts, they can do the following:
- Click Forgot or want to change password in the Login window, and request a password reset.
- Ask the site administrator to change the user's password.
  - For details on changing a user password in the Performance testing application or Administration, see Change a user's password.
  - For details on changing a Site Management user password, see Create and manage Site Management users.
- Wait the configured amount of time for the account to be released, and then try to sign in again.
Rate limit authentication requests
You can enable rate limiting to protect applications from brute‑force attacks. Rate limiting provides additional security by enabling you to set the maximum number of user authentication requests that the application can receive within a specific time period.
Application | Description |
---|---|
Performance testing application | To rate limit authentication requests: |
Administration | To rate limit authentication requests for Administration: |
Site Management | To rate limit authentication requests for Site Management: |