Label | Mandatory | Description |

Key | | Available options are: User attribute; Only authenticate user ID associated with user account; Allow user not listed in any User Storage; Digital Access account required prior authentication; Save credentials for SSO domain; Warning before password expires; Locale; ActiveSync DeviceID Locking; Force create user; Create user on failed logon |

Value | (Yes) | User attribute: Specify the directory service attribute name for the user ID. When specified, only users associated with the specified user ID attribute are allowed for authentication. Applicable when the authentication method uses a different attribute name than the default attribute name for authentication. Example: mail (as opposed to the default attribute names cn or samAccountName). This is a global Policy Service setting that does not affect the authentication method behavior. To facilitate administration, however, it is managed on each applicable authentication method.

User name may not change during session: This extended property is added to the authentication method by default. Select true or false. When set to true, only the user ID associated with a user account is allowed for authentication. Before authentication, the Policy Service searches the directory service for the user ID using specified search rules. If the user ID has a Digital Access account (or a Digital Access account can be created), and the user ID exactly matches the Digital Access account, the user is allowed for authentication. If the user ID cannot be found, or if the user ID used for authentication does not match the Digital Access account, the user is not allowed for authentication. Applicable when you want to restrict the use of different user IDs, to eliminate the possibility for several different users to authenticate during one session. This is a global Policy Service setting that does not affect the authentication method behavior. To facilitate administration, however, it is managed on each applicable authentication method. Set to true by default.

Allow user not listed in any User Storage: Select true or false. When set to true, users can be authenticated without a Digital Access user account. All access rules of the type user group membership are ignored. Before authentication, the Policy Service searches the directory service for the user ID using specified search rules. Regardless of whether the user ID is found in the directory service, the user is allowed for authentication. This is a global Policy Service setting that does not affect the authentication method behavior. To facilitate administration, however, it is managed on each applicable authentication method. Set to false by default.

Digital Access account required prior authentication: Select true or false. When set to true, only user IDs associated with a user account are allowed for authentication. Before authentication, the Policy Service searches the directory service for the user ID using specified search rules. If the user ID has a Digital Access account (or a Digital Access account can be created), the user is allowed for authentication. If the user ID cannot be found in the directory service, the user is not allowed for authentication. This is a global Policy Service setting that does not affect the authentication method behavior. To facilitate administration, however, it is managed on each applicable authentication method. Set to true by default.

Save credentials for SSO Domain: Specify SSO domain names in a comma-separated list (no spaces!). When specified, the Policy Service performs an SSO credential update after successful authentication using the credentials provided by the user. This is a global Policy Service setting that does not affect the authentication method behavior. To facilitate administration, however, it is managed on each applicable authentication method.

Warning before password expires: This extended property is added to the authentication method by default. Specify the number of days in advance users are notified of password expiration. Set to 7 by default.

Locale: This extended property is added to the authentication method by default. Specify the language code for the preferred language. Set to US (American English) by default. Mandatory when Key is selected.

ActiveSync DeviceID Locking: Enable this extended property when using ActiveSync. When enabled, the system will lock the device ID to the user. The device ID is registered automatically when performing the first synch. To register a new phone or PDA, simply remove the user's custom defined attribute "DeviceID" and re-synch. Set to false by default.

Force create user: If this extended property is enabled, the Digital Access account will be created on successful login. When disabled, the Digital Access account is only created and linked if the user is found in any User Storage(s). Set to false by default.

Create user on failed logon: If this extended property is enabled, the Digital Access account will be created on failed login. It is recommended to enable this when the backend authentication service is unable to lock the user after a number of invalid authentication attempts. Set to false by default. |
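
The following is an added example, not part of the product documentation: a Python check that audits one authentication method's extended properties against the defaults and value formats described in the table. The dict-of-strings representation, the `audit` function and the sample values are assumptions made for illustration.

```python
# Documented defaults of the true/false extended properties (taken from the table).
BOOL_DEFAULTS = {
    "User name may not change during session": True,
    "Allow user not listed in any User Storage": False,
    "Digital Access account required prior authentication": True,
    "ActiveSync DeviceID Locking": False,
    "Force create user": False,
    "Create user on failed logon": False,
}
# Properties that restrict who may authenticate, with the note to report
# when they are moved away from the documented default.
RESTRICTIVE = {
    "User name may not change during session":
        "differs from default true: exact-match check on the user ID is off",
    "Allow user not listed in any User Storage":
        "differs from default false: user group membership access rules are ignored",
    "Digital Access account required prior authentication":
        "differs from default true: user IDs without an account are not rejected",
}

def audit(props):
    """Return (key, finding) pairs for a dict of extended property key -> string value."""
    findings = []
    for key, raw in props.items():
        value = raw.strip()
        if key in BOOL_DEFAULTS:
            if value not in ("true", "false"):
                findings.append((key, "value must be true or false"))
            elif key in RESTRICTIVE and (value == "true") != BOOL_DEFAULTS[key]:
                findings.append((key, RESTRICTIVE[key]))
        elif key == "Save credentials for SSO Domain":
            # The table requires a comma-separated list with no spaces.
            if any(ch.isspace() for ch in raw):
                findings.append((key, "comma-separated list must not contain spaces"))
        elif key == "Warning before password expires":
            if not value.isdigit():
                findings.append((key, "must be a whole number of days"))
    return findings

# Constructed sample configuration (not taken from a real system).
SAMPLE = {
    "User attribute": "mail",
    "User name may not change during session": "true",
    "Allow user not listed in any User Storage": "true",
    "Digital Access account required prior authentication": "false",
    "Save credentials for SSO Domain": "intranet, mail",
    "Warning before password expires": "7",
    "Create user on failed logon": "yes",
}
```

Calling `audit(SAMPLE)` reports the two relaxed account checks, the space in the SSO domain list and the non-boolean value, which makes this usable as a review step before a change to an authentication method is approved.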