Pointsharp password

Pointsharp password removes the need for a domain password during authentication. When Pointsharp password is used, Pointsharp ID stores an encrypted password for the user in the Pointsharp ID storage.

The Pointsharp password functionality can be enabled for most authentication methods used in Pointsharp ID. Go to the Authentication tab and enable Pointsharp password for the desired authentication method.

With the use of Pointsharp password, the domain password does not have to be stored on the mobile device and is never sent over the Internet.

The password can be administered by an administrator in Admin Portal or by the user in User Portal. The Pointsharp password can also be reset by using Pointsharp Password Reset.

Parameter Description

Password Alphabet

Define the characters that are allowed in the Pointsharp password. For example, set this to digits only if the password should consist of numbers only.

Default allowed characters are set to 234567892345678923456789abcdefghijkmnopqrstuvwxyz.

Block User Storage Password

Enable this to prohibit users from setting or resetting their Pointsharp password to the same value as their password in the user storage.

The default value is false.

Password Length

Set this to the required length of the password.

The default value is 8.

Password History

Set this to the number of passwords that are to be kept in the password history. User-initiated password changes are checked against this history, and if a match is found the password change is not allowed.

By default this is set to 3.

Password Expires In (days)

The number of days the Pointsharp password is valid. When the password is older than this value, the password is considered expired, and the user must change the password by authenticating with an Account Status Check-enabled authentication method.

By default this is set to 0, meaning passwords never expire.
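The following is an added example, not Pointsharp code, that models how the four policy settings above (Password Alphabet, Password Length, Password History and Password Expires In) fit together: a password is generated from the configured alphabet, a user-initiated change is checked against the alphabet, the length and the stored history, and the age check treats 0 as "never expires". The class and function names, and the use of salted SHA-512 for the history entries, are assumptions made for the example.

```python
import hashlib
import secrets

# Default alphabet as documented. Note that it omits 0, 1 and l, and repeats
# the digits, so digits are drawn more often than letters when generating.
DEFAULT_ALPHABET = "234567892345678923456789abcdefghijkmnopqrstuvwxyz"


class PasswordPolicy:
    """Holds the policy parameters with the documented defaults (assumed names)."""

    def __init__(self, alphabet=DEFAULT_ALPHABET, length=8, history=3, expires_in_days=0):
        self.alphabet = alphabet
        self.length = length
        self.history = history
        self.expires_in_days = expires_in_days

    def generate(self):
        # secrets.choice draws from a CSPRNG; a character that appears several
        # times in the alphabet is simply weighted more heavily.
        return "".join(secrets.choice(self.alphabet) for _ in range(self.length))

    def conforms(self, password):
        """True when the password has the configured length and only allowed characters."""
        return len(password) == self.length and all(c in self.alphabet for c in password)

    def is_expired(self, age_days):
        """A password older than Password Expires In is expired; 0 means never."""
        if self.expires_in_days == 0:
            return False
        return age_days > self.expires_in_days


def hash_password(password, salt):
    """Salted SHA-512, hex encoded (a stand-in for the product's own scheme)."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


class PasswordHistory:
    """Keeps the hashes of the last `size` passwords so reuse can be refused."""

    def __init__(self, size):
        self.size = size
        self.entries = []  # list of (salt, digest), oldest first

    def contains(self, password):
        return any(hash_password(password, salt) == digest for salt, digest in self.entries)

    def record(self, password):
        salt = secrets.token_bytes(16)
        self.entries.append((salt, hash_password(password, salt)))
        # Drop the oldest entries once the history grows beyond the configured size.
        if len(self.entries) > self.size:
            del self.entries[: len(self.entries) - self.size]


def change_password(policy, history, new_password):
    """User-initiated change: alphabet/length check first, then the history check."""
    if not policy.conforms(new_password):
        return False, "password does not match the alphabet/length policy"
    if history.contains(new_password):
        return False, "password found in history"
    history.record(new_password)
    return True, "password changed"


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = PasswordHistory(policy.history)
    first = policy.generate()
    print(first, change_password(policy, history, first))
    print(change_password(policy, history, first))  # refused: in history
```

With the default history of 3, a password becomes acceptable again only after three other passwords have been set, which is what the `del` in `record` implements.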

Store Reversible Passwords

Enable this to store Pointsharp passwords in reversible, encrypted form. This must be enabled when authenticating users with the NTLM or the PEAP (PEAP-MSCHAPv2) authentication method.

By default this is set to false, and passwords are stored as salted SHA-512 hashes.

Restore Irreversible Passwords

If existing users have Pointsharp passwords stored non-reversibly, and these users are supposed to authenticate with the NTLM or the PEAP authentication method, the passwords must be stored again in a reversible, encrypted form.

When this setting is enabled, the user's password is restored in reversible form the next time the user authenticates successfully.

By default this is set to false, and passwords are stored as salted SHA-512 hashes.

Example 1. Reversible passwords

Let us give an example:

  1. Pointsharp ID was set up with default settings (that is, Store Reversible Passwords set to false).

  2. The users were added and received a Pointsharp password.

  3. The users authenticated successfully with Pointsharp password.

  4. Now the users should be able to authenticate with NTLM or PEAP, for Wi-Fi access, for example. This is not possible, since the Pointsharp passwords are stored irreversibly for these users.

  5. Enable Restore Irreversible Passwords.

  6. Restart the system.

  7. Ask the user to authenticate again with any authentication method that uses the Pointsharp password (but not the NTLM or PEAP authentication method).

  8. The Pointsharp password for the user has now been restored, and is reversible and encrypted.

  9. Ask the user to authenticate again, this time with the NTLM or PEAP authentication method using the Pointsharp password. This should now work.
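The following is an added example, not Pointsharp code, that models the Store Reversible Passwords and Restore Irreversible Passwords settings and walks through the nine steps above: passwords start as salted SHA-512 hashes, a method that needs the password itself (NTLM, PEAP-MSCHAPv2) fails against a hash-only record, and once Restore Irreversible Passwords is enabled the next successful hash-based authentication re-stores the password reversibly. The class names, the store key and the XOR keystream cipher are assumptions for the example; the cipher is a stand-in for the product's real encryption, not a description of it.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt):
    """Salted SHA-512, hex encoded: the documented default storage form."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def keystream_xor(key, data):
    """Toy reversible encryption (assumed, not the product's cipher): XOR with an
    HMAC-SHA512 counter keystream. Applying it twice with the same key decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha512).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 64], block))
    return bytes(out)


class PasswordRecord:
    """One stored Pointsharp password: always a hash, optionally also encrypted."""

    def __init__(self, password, reversible, key):
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(password, self.salt)
        self.key = key
        # Kept only when the password is stored reversibly.
        self.ciphertext = keystream_xor(key, password.encode()) if reversible else None

    def is_reversible(self):
        return self.ciphertext is not None

    def recover(self):
        """Needed by NTLM and PEAP-MSCHAPv2, which operate on the password itself."""
        if self.ciphertext is None:
            raise ValueError("password stored irreversibly; cannot be recovered")
        return keystream_xor(self.key, self.ciphertext).decode()


class PointsharpStore:
    """Assumed model of the Pointsharp ID storage with the two settings."""

    def __init__(self, store_reversible=False, restore_irreversible=False):
        self.store_reversible = store_reversible
        self.restore_irreversible = restore_irreversible
        self.key = secrets.token_bytes(32)  # constructed store key
        self.users = {}

    def set_password(self, user, password):
        self.users[user] = PasswordRecord(password, self.store_reversible, self.key)

    def authenticate(self, user, password):
        """Hash-based check used by methods other than NTLM/PEAP. On success, if
        Restore Irreversible Passwords is on, the record is re-stored reversibly."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec.digest, hash_password(password, rec.salt)):
            return False
        if self.restore_irreversible and not rec.is_reversible():
            self.users[user] = PasswordRecord(password, True, self.key)
        return True

    def authenticate_ntlm_or_peap(self, user, password):
        """A method that needs the cleartext: only works on a reversible record."""
        rec = self.users.get(user)
        if rec is None or not rec.is_reversible():
            return False
        return hmac.compare_digest(rec.recover(), password)


if __name__ == "__main__":
    store = PointsharpStore()                      # step 1: defaults
    store.set_password("alice", "secret12")        # step 2
    print(store.authenticate("alice", "secret12"))             # step 3: True
    print(store.authenticate_ntlm_or_peap("alice", "secret12"))  # step 4: False
    store.restore_irreversible = True              # steps 5 and 6
    print(store.authenticate("alice", "secret12"))             # step 7: True, record restored
    print(store.users["alice"].is_reversible())                # step 8: True
    print(store.authenticate_ntlm_or_peap("alice", "secret12"))  # step 9: True
```

Until the user authenticates again with a hash-based method, the record stays irreversible, which is why step 7 must happen before step 9; a wrong password at step 7 leaves the record unchanged.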

Pointsharp password user notification

This section describes the user notification settings for Pointsharp password.

Parameter Description

User Attribute

Set this to the user attribute, stored on the user in the user storage, that holds the destination address to use when notifying the user about the Pointsharp password.

For example, set this to mail when the notification method uses SMTP, or to mobile when an SMS-based notification is used.

Leave this blank to disable the user notification.

User Notification

Select the notification method to use when notifying the user.

Secondary

Select the secondary notification method to use when notifying the user.

Text

The text to use when notifying the user about the Pointsharp password. In this text, {username} and {password} are replaced with the username and the Pointsharp password.

Pointsharp password admin notification

This section describes the administrator notification settings for Pointsharp password.

Parameter Description

Admin Address

Set this to the destination address to use when notifying the administrator about the Pointsharp password. For example, set this to a valid email address when the notification method uses SMTP, or to a mobile phone number when an SMS-based notification is used.

Leave this blank to disable the notification.

Admin Notification

Select the notification method to use when notifying the administrator.

Secondary

Select the secondary notification method to use when notifying the administrator.

Text

The text to use when notifying the administrator about the Pointsharp password. In this text, {username} and {password} are replaced with the username and the Pointsharp password.

Pointsharp password storage

Configure the Pointsharp password storage here. The Pointsharp password storage is used with AD LDS to create a clone of the existing user storage that holds only the minimal information needed for authentication.

Parameter Description

Enabled

Enable or disable the password storage functionality.

If a Pointsharp password storage is defined, this also enables or disables all "shadow users" in that storage.

By default this is set to false.

Storage

Add, edit or remove a storage.

The password storage is created when the first Pointsharp password is created.

The storage must use SSL.

Attributes Mapping

Map a user storage user attribute to a password storage user attribute.

Default attributes are displayname, userprincipalname, mail, mobile.

The attribute names have to be in lowercase.