User Password Management Options
The password management feature allows Windchill users to change their passwords using the Windchill interface.
To be able to change their passwords, Windchill users must be able to write to the directory server where the user information is stored.
Enabling the Password Change User Interface
The Windchill password change interface is not enabled by default. Because the password change is performed in the LDAP directory server that Windchill accesses, that directory server must be configured as writable.
Using the xconfmanager utility, you can enable password change by setting the property value to TRUE.
Following is an example of how the property is enabled. Enter the xconfmanager command on one line:
xconfmanager -s "" -t "<Windchill>/codebase/" -p
where <Windchill> is the location where Windchill is installed.
After changing the value of the property, restart the method server to ensure the change becomes effective.
If you have set the property to true, users can change their password by selecting Quick Links > My Settings > Profile. From the user information page that displays, select Edit Password from the Actions menu to open the Edit Password window.
The user information page is also accessible from the Team page. Display users on the Members table and click the information icon for a user to display the user information page.
Users can click the help icon on the Edit Password window to access information on how to change the password from the Edit Password window. This help can also contain site information about the password requirements you have established.
Setting Up a Password Policy
Your site password policy is defined in your LDAP directory server and enforced by that server. In Windchill your password cannot begin or end with a blank space.
For information on setting up a password policy in an enterprise directory, see the documentation provided with the directory.
Deciding on a User Lockout Policy
Your site user lockout policy determines how many login attempts can be made before a user is locked out of Windchill and how long the user is locked out. Windchill does not manage user login actions. This policy is defined in your LDAP directory server and enforced by that directory server. For example, if you configure single sign-on (SSO) for Windchill and redirect user authentication to an identity provider in your SSO federation, you will need to set the user lockout policy in the federated identity provider.
In a directory server that sets the lockout failure count to 5 unsuccessful attempts and the lockout duration to 15 minutes, end users see the following behaviour:
If a user makes five consecutive unsuccessful attempts to log in, the account associated with the username that was used is locked.
If an account is locked, the lock remains in effect for 15 minutes. After 15 minutes, the account is automatically unlocked; no administrative action is required.
If your site is using the HTTP Server web server, users can experience a slightly different lockout scenario. This is because HTTP Server caches successful login credentials for a predetermined length of time. This login cache comes into play in the following scenario:
1. Assume a user has logged in successfully and then closes the browser.
2. Within the time in which the successful login is cached, the user reopens the browser and attempts to login but is unsuccessful five consecutive times.
3. On the sixth login try, the user enters the correct credentials to log in and the login is successful even though the number of attempts was greater than five.
The user’s login is successful on the sixth try because the user credentials entered matched the credentials that are cached. This scenario only works because the correct credentials were entered while the successful login credentials were cached. If the user had reopened the browser after the HTTP Server cache was cleared, then the user account would have been locked after the fifth unsuccessful login attempt.
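To make the interaction between the directory lockout policy and the HTTP Server login cache concrete, the following Python model is an added example; it is not PTC code and does not show how HTTP Server or the directory server are implemented. It assumes a 5-minute cache lifetime, a constructed user named alice, and that failed attempts are forwarded to the directory while an attempt matching a cached credential is answered by the web server alone. The 5-attempt and 15-minute values are the page's own example thresholds.

```python
"""Toy model of the lockout-versus-login-cache scenario (added example).

Two components are simulated:
  * a directory server that locks an account after max_failures consecutive
    failed binds and keeps it locked for lockout_seconds, and
  * a front-end web server that caches successfully authenticated
    credentials for cache_seconds and answers from that cache without
    consulting the directory.
All values except the page's 5 attempts / 15 minutes are assumptions.
"""
from dataclasses import dataclass, field
import hmac


@dataclass
class Account:
    username: str
    password: str          # plaintext only because this is a toy model
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class DirectoryServer:
    """Enforces the lockout policy; the application never sees the counts."""
    max_failures: int = 5              # page's example value
    lockout_seconds: float = 15 * 60   # page's example value
    accounts: dict = field(default_factory=dict)

    def is_locked(self, username: str, now: float) -> bool:
        return now < self.accounts[username].locked_until

    def bind(self, username: str, password: str, now: float) -> str:
        acct = self.accounts[username]
        if self.is_locked(username, now):
            return "locked"
        if hmac.compare_digest(acct.password, password):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
        return "bad-password"


@dataclass
class WebServer:
    """Front end that remembers a successful login for cache_seconds (assumed)."""
    directory: DirectoryServer
    cache_seconds: float = 5 * 60
    cache: dict = field(default_factory=dict)   # username -> (password, expires)

    def login(self, username: str, password: str, now: float) -> str:
        entry = self.cache.get(username)
        if entry is not None:
            cached_pw, expires = entry
            if now < expires and hmac.compare_digest(cached_pw, password):
                return "ok (from cache)"     # directory is never consulted
            if now >= expires:
                del self.cache[username]
        result = self.directory.bind(username, password, now)
        if result == "ok":
            self.cache[username] = (password, now + self.cache_seconds)
        return result


def run_scenario(gap_seconds: float):
    """Replay the page's scenario: one good login, then five bad attempts and
    a sixth good one, starting gap_seconds after the good login.
    Returns (per-attempt results, whether the directory holds a lock)."""
    ds = DirectoryServer()
    ds.accounts["alice"] = Account("alice", "correct-horse")   # constructed user
    web = WebServer(ds)
    log = [web.login("alice", "correct-horse", now=0.0)]
    t = gap_seconds
    for _ in range(5):
        log.append(web.login("alice", "wrong", now=t))
        t += 1
    log.append(web.login("alice", "correct-horse", now=t))
    return log, ds.is_locked("alice", t)


if __name__ == "__main__":
    # Within the cache lifetime the sixth attempt succeeds from the cache;
    # after the cache has expired the same sixth attempt is refused as locked.
    print(run_scenario(gap_seconds=60.0))
    print(run_scenario(gap_seconds=600.0))
```

In both runs the directory reports the account as locked after the fifth failure; only the front end's answer differs. The practical consequence for monitoring is that a successful login seen in the web server log does not prove the account is unlocked in the directory, so lockout alerting should be driven by the directory server's own records rather than by web-tier success or failure responses.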
Deciding on a Password Expiration Notification Process
Windchill does not send users any notification that their password is about to expire.
You must manage the user notification of password expirations through your site policies outside of Windchill. However, Windchill provides the following Apache error pages that can be customized with site-specific information:
When HTTP Server returns a 500 error (indicating that an internal server error has occurred), the apachelogin/apacheerror.html displays. HTTP Server returns this error page when a user is locked out of the Directory Server. This page is returned whenever an unexpected condition prevents HTTP Server from completing an HTTP request. Therefore, you should keep the text on the page very general.
When HTTP Server returns a 401 error (indicating that the login authorization has failed), the apachelogin/apachelogin.html displays.
PTC supplies English and Japanese versions of these files.
Customizing Apache Login Help Topics
You can customize the content of the Apache login help topics to ensure that users have access to your site information. The help for the Apache 500 and 401 errors is located in the <Windchill>/codebase/webserver/apache/error directory, where <Windchill> is the location where Windchill is installed.
There are only two files in this directory that are accessed by HTTP Server and follow the Apache conventions for online help. These files end in an extension that indicates the content language of the file. PTC supplies only English and Japanese versions of the files. The .en extension is for English and .ja is for Japanese.
The following lists the English files:
apacheerror.html.en -- internal server error information to display when the Apache error number is 500.
apachelogin.html.en -- login authorization information to display when the Apache error number is 401.
You can modify the content of these files using a standard HTML or text editor.