
Logon and Password Security and Time Out

The logon settings allow the System Administrator to manage the number of logon attempts allowed and the time-out settings for user sessions. If users exceed the number of login attempts, the user account is disabled and an email alert is sent to all system administrators. The system administrator will need to enable the account in the Users area and if the user is a local user, reset their password.

The password settings only apply to locally managed users and not domain users synchronized with Active Directory. Domain user policies are set by the Active Directory security policy defined by your organization's IT group.

If local users (not domain users) forget their username or password, you can configure the Web Client login page or FDA login window to include links to recover their user ID and/or reset their passwords. If a user has forgotten their user ID, they are asked to enter their email address, and an email containing their user ID is sent to them. If a user has forgotten their password and wants to reset it, the user is prompted to enter their email address and is sent a time-sensitive link that they must use to reset their password. Once the link is clicked, the user is prompted to reset their password in the web client. If the time limit on the email expires, the user will need to resend the reset password request from the login page.

An additional security measure can be put into place using a two-step verification process via a mobile phone. This will send a text message to the user’s mobile phone containing a PIN code. This code is needed to reset the password. This feature is enabled with the use of a special plug-in. If you want to use the mobile phone verification feature, contact sales@filehold.com.

SmartSoft Capture is the scanning application provided with every sale of FileHold. A license for a single copy of Capture allows for use by any number of users. There is no restriction to the number of workstations Capture can be installed on, but the concurrent use of Capture cannot exceed the total number of single copies purchased by the customer. For example, if the customer purchases 5 copies of Capture and installs the software on 20 workstations, 5 users can simultaneously run Capture. If a 6th person attempts to run Capture, they will be told they are not licensed. A timeout value can also be set for Capture licenses. The inactivity timer can be set to automatically log off users and free the Capture license for another user.

To set the logon and password security settings

  1. In the Web Client, go to Administration Panel > System Configuration > Security > Logon.

  2. Enter the number of logon attempts allowed. The user will be locked out of the system and their account disabled after the number of login attempts has been exceeded. You will need to enable their account in order for them to gain access to the system. The system administrator will receive an email stating that the user account has been disabled due to the exceeded number of login attempts.

  3. Enter the amount of time in minutes after which the system automatically closes sessions for inactive users. This is the amount of time that the system is idle and not in use. This frees up concurrent sessions for other users. A user is considered active whenever they perform a function that accesses the server. This setting applies equally to desktop and web client users; however, desktop users can set a connection option to automatically prevent them from becoming inactive as long as they are connected to the network. The time limit can be set to 0 to 9999 minutes with the default of 30 minutes.

TIP: There is an additional timeout for web client users to conserve memory. By default, after 15 minutes, the web client state will be purged from the server. The user will receive a message that they were timed out, but they can return to their session by clicking on the supplied link. They will not be required to log in unless they have exceeded the inactivity time. The default value of the timeout can be changed on the server in the web client web.config file. The value to edit is ViewStateCacheLifetime, which is found in the <appSettings> section. As the view state cache requires memory on the server, increasing the value may increase the server memory usage.

  4. In the Expire Capture licenses after field, enter the amount of time, in minutes, that the system automatically logs an inactive user out of SmartSoft Capture. This is the amount of time that Capture is idle and not in use. This frees up a concurrent Capture license for another user. The time limit can be set to 0 to 9999 minutes with the default of 30 minutes.
  5. In the Password Settings for Locally Managed Users area, enter the minimum number of characters for the password. This applies only to locally managed users.
  6. Select one or more of the following options. These options only apply to locally managed users. They do not have any effect on existing passwords. Only newly created or reset passwords will be impacted.

  • Minimum length of a password. The largest minimum length is 99 characters.

  • Must contain a number

  • Must contain a special character

  • Must contain at least one upper case letter

  • Must contain at least one lower case letter

  • Allow password re-use

  7. Enter the number of days after which the password expires. Enter 0 if the password is not to expire. This applies only to locally managed users.

  8. In the Password reset options area, in the Administrator password reset verification email expires after field, enter the amount of time, in hours, for which the verification email for setting a password, sent by a system administrator from the Users area, is valid. If the user does not use the link in the verification email within this time period, then the link expires. The minimum amount of time is 1 hour, the maximum time is 999 hours.

  9. Select the Allow users to request a forgotten user ID with only an email address check box to allow users to request their user ID by clicking on a link on the Web Client login screen. If this option is not enabled, the “I forgot my user ID” link is not available.
    Select the Allow users to reset a forgotten password check box to allow users to set a new password by clicking on a link on the Web Client login screen. If this option is not enabled, the “I forgot my password” link is not available.

  10. In the User password reset verification email expires after field, enter the amount of time in minutes after which the verification email sent to the user requesting the password expires. If the user does not use the link in the verification email within this time period, then the link expires and the user will need to request the password again. The minimum time is 5 minutes, the maximum is 9999 minutes.

  11. In the Friendly system name field, enter the partial subject line for the email that gets sent to the users when resetting a password. For example, the email subject is <Friendly system name> forgotten password reset where <Friendly system name> could be “Your Company Name Inc”.

  12. In the Info email address field, enter the contact email address for the person providing assistance if the user is experiencing issues with resetting a password. This email address is provided on the email sent to the user requesting a forgotten password. For example, “Please do not reply to this email. It is an unmonitored email address and your message will not be received. If you have any questions, please contact us at contactname@yourdomainname.com.”

Reset password email example

  13. Select the Force users to verify their identity with their mobile phone check box to enable a two-step verification process in order for users to reset their password. To enable, a plug-in for this feature must be installed and configured. Contact sales@filehold.com for information on enabling this feature. Users must also have a mobile phone number entered in their user account details or the two-step verification process will not work.

  14. Select the Force user to provide a mobile phone number when creating an account check box to force mobile phone numbers to be entered in the Contact Information area when creating or modifying a local user account. This mobile phone number is required when using the two-step verification process. Any users without a mobile phone number will not be able to reset their password.

Logon and Password Security Settings

  15. Click Update to save any changes.
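
The following Python model is an added example, not FileHold code. It shows how the password options in this procedure combine: they are checked only for locally managed users, only when a password is created or reset, and an expiry of 0 days means never. The names used, the treatment of "special character" as ASCII punctuation, the salted-hash password history and the default values are all assumptions.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import timedelta


@dataclass
class PasswordPolicy:
    """Illustrative model of the options above; defaults are constructed values."""
    min_length: int = 12
    require_number: bool = True
    require_special: bool = True
    require_upper: bool = True
    require_lower: bool = True
    allow_reuse: bool = False
    expire_days: int = 90  # 0 means the password never expires

    def __post_init__(self):
        if self.min_length > 99:
            raise ValueError("the largest minimum length is 99 characters")


def hash_password(password, salt=None):
    """Salted PBKDF2 record so history is never kept in clear text (assumed storage)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def violations(policy, candidate, is_local_user, history=()):
    """Rules broken by a newly created or reset password; [] means accepted."""
    if not is_local_user:
        return []  # domain users are governed by Active Directory, not this policy
    checks = [
        (len(candidate) < policy.min_length, "too short"),
        (policy.require_number and not any(c.isdigit() for c in candidate), "no number"),
        # Assumption: "special character" means ASCII punctuation.
        (policy.require_special and not any(c in string.punctuation for c in candidate),
         "no special character"),
        (policy.require_upper and not any(c.isupper() for c in candidate), "no upper case letter"),
        (policy.require_lower and not any(c.islower() for c in candidate), "no lower case letter"),
        (not policy.allow_reuse and any(
            hmac.compare_digest(hash_password(candidate, salt)[1], digest)
            for salt, digest in history), "password re-used"),
    ]
    return [reason for failed, reason in checks if failed]


def is_expired(policy, last_set, now):
    """Expiry applies only when expire_days is non-zero."""
    return policy.expire_days != 0 and now - last_set > timedelta(days=policy.expire_days)
```

Because the options only take effect when a password is created or reset, passwords set under an older, weaker policy stay valid until they are changed or the expiry period forces a change.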