The password management feature allows Windchill users to change their passwords using the Windchill interface.

The Windchill password change interface is not enabled by default. Since the password change is effected in the LDAP directory server accessed by Windchill, it should be configured as writable.

Using the xconfmanager utility, you can enable password change by setting the wt.org.services.userPasswordChangeEnabled property value to TRUE.

Following is an example of how the wt.org.services.userPasswordChangeEnabled property is enabled. Enter the xconfmanager command on one line:

where <Windchill> is the location where Windchill is installed.

If you have set the wt.org.services.userPasswordChangeEnabled property to true, users can change their password by selecting Quick Links > My Settings > Profile. From the user information page that displays, select Edit Password from the Actions menu to open the Edit Password window.

Your site password policy is defined in your LDAP directory server and enforced by that server. In Windchill your password cannot begin or end with a blank space.

For information on setting up a password policy in an enterprise directory, see the documentation provided with the directory.

Your site user lockout policy determines how many login attempts can be made before a user is locked out of Windchill and how long the user is locked out. Windchill does not manage user login actions. This policy is defined in your LDAP directory server and enforced by that directory server. For example, if you configure single sign-on (SSO) for Windchill and redirect user authentication to an identity provider in your SSO federation, you will need to set the user lockout policy in the federated identity provider.

In a directory server that defines lockout failure count to 5 unsuccessful attempts and lockout duration to 15 minutes, end user can see following behaviour:

If your site is using the HTTP Server web server, users can experience a slightly different lockout scenario. This is because HTTP Server caches successful login credentials for a predetermined length of time. This login cache comes into play in the following scenario:

The user’s login is successful on the sixth try because the user credentials entered matched the credentials that are cached. This scenario only works because the correct credentials were entered while the successful login credentials were cached. If the user had reopened the browser after the HTTP Server cache was cleared, then the user account would have been locked after the fifth unsuccessful login attempt.

You must manage the user notification of password expirations through your site policies outside of Windchill. However, Windchill provides the following Apache error pages that can be customized with site specific information:

PTC supplies English and Japanese versions of these files.

You can customize the content of the Apache login help topics to ensure that users have access to your site information. The help for the Apache 500 and 401 errors is located in the <Windchill>/codebase/webserver/apache/error directory, where <Windchill> is the location where Windchill is installed.

There are only two files in this directory that are accessed by HTTP Server and follow the Apache conventions for online help. These files end in an extension that indicates the content language of the file. PTC supplies only English and Japanese versions of the files. The .en extension is for English and .ja is for Japanese.

The following lists the English files:

You can modify the content of these files using a standard HTML or text editor.