XYGATE User Authentication Reference Manual

XYGATE

User Authentication

™

Reference Manual

Introduction

XYPRO Technology Corporation xxiii Proprietary and Confidential

the correct remote node (if EXPLICIT_NODES=ON); otherwise, the node will be

\UNKNOWN.

PASSWORD-MAY-CHANGE setting in Safeguard

If the PASSWORD-MAY-CHANGE feature is utilized in Safeguard and XUA SEEP is

enabled, changing the expired password within grace during logon, results in an

unexpected “password change too soon” message from Safeguard.

The anomaly has been attributed to the logic flaw in communication between

Safeguard and its Authentication SEEP. The PASSWORD-MAY-CHANGE setting in

Safeguard should not be implemented if XUA is used on the system until the logic is

corrected in Safeguard.

XYGATE Password Quality (XPQ) module version 3.10 or higher may be used with

PASSWORD_MAY_CHANGE settings, if available.

Passwords with spaces during password change

If a password change is attempted at logon time and the new password contains

spaces, the password change will not happen and the logon will be rejected. This is

due to a problem with the Safeguard Authentication SEEP interface.

PASSWORD-EXPIRES setting for LDAP, RSA Logon and RADIUS

When the user goes through LDAP, RSA SecurID or RADIUS authentication and the

password is verified successfully but the password of the user is expired and outside

of grace in Safeguard, then Safeguard will deny the logon access even though the

Authentication SEEP gives access to logon. To work around this anomaly of logon

denial for LDAP, RSA SecurID or RADIUS users, XUA has been modified to reset the

PASSWORD-EXPIRES field in Safeguard for the user when the user goes through

LDAP, RSA SecurID or RADIUS authentication.

RSA Authentication - Response not echoed in PIN changes

When a user goes through a PIN-code change mode during RSA authentication, the

user’s input of Y or N to the prompt “Are you ready to enter a new PIN? (y/n) [n]” is not

echoed to the user.