Password Validation on Windows Systems
Note: The information in this section is only relevant to the Windows variant of the iProcess Engine.
If the iProcess Engine is running on a machine that is a member of a domain or a domain controller, it uses the search path provided by the Windows LookupAccountName function to find the location it should use to validate a user’s password when they try to log in.
However, there are two ways in which you can override this behavior and directly specify the location where password validation is to be performed, either on a per-user basis, or globally for an installation:
1. The SW_DOMAIN user attribute specifies a single valid machine name or domain name that should be used to validate a particular user’s password when they attempt to log in to the iProcess Engine. See TIBCO iProcess Windows (Workspace) Manager’s Guide for more information about this attribute and how to set it.
2. The LOGON_OS_LOCATION process attribute defines the default location where passwords should be validated when any user attempts to log in to the iProcess Engine. See the "Administering Process Attributes" section of the TIBCO iProcess Engine Administrator’s Guide for more information about this attribute and how to set it.
Note:
Note that:
If you use the SW_DOMAIN or LOGON_OS_LOCATION attributes, your UVAPI package must be able to receive and return the additional information about a user’s location, to ensure that their password is checked in that location.
To facilitate this, the UVAPI includes extended (_ex) versions of the following interfaces:
• uva_next_user_ex
• uva_user_info_ex
• uva_change_password_ex
• uva_check_password_ex
• uva_set_user_identity_ex
These interfaces can accept (and, in the case of uva_next_user_ex, return) an iProcess user name in either of the following formats:
| Format | Description |
| --- | --- |
| name | name is the iProcess user name. This format is also supported by the equivalent non-extended interfaces. |
| name@location | name is the iProcess user name. location is the value (machine or domain name) provided by either the user’s SW_DOMAIN user attribute (if defined), or the value of the LOGON_OS_LOCATION process attribute. This format is not supported by the equivalent non-extended interfaces. |
If your UVAPI package supports these extended interfaces, they are called instead of the non-extended interfaces. If these interfaces do not exist or return ER_NOT_SUPPORTED (see Interface Support), the non-extended interfaces are called instead.
You should ensure that you use these extended interfaces if you use the SW_DOMAIN or LOGON_OS_LOCATION attributes.
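As an added illustration (not TIBCO's code and not part of the UVAPI), a UVAPI package could use a helper like the following to split the name and name@location formats described above before deciding where to validate a password. The function name split_user, its return codes, the single-'@' rule and the allowed location characters are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper for this example; these codes are not UVAPI values. */
enum { USER_PLAIN = 0, USER_WITH_LOCATION = 1, USER_INVALID = -1 };

/* Assumed policy: a location is a machine or domain name made up of
 * letters, digits, '-', '.' and '_' only, and is never empty. */
static int location_ok(const char *loc)
{
    if (*loc == '\0')
        return 0;
    for (; *loc; loc++)
        if (!isalnum((unsigned char)*loc) && !strchr("-._", *loc))
            return 0;
    return 1;
}

/* Split "name" or "name@location" into caller-supplied buffers.
 * Assumption: the first '@' separates name from location; a second '@'
 * fails location_ok(), so ambiguous input is rejected rather than
 * guessed at. On USER_PLAIN, loc is set to the empty string. */
int split_user(const char *in, char *name, size_t name_sz,
               char *loc, size_t loc_sz)
{
    const char *at;
    size_t nlen;

    if (!in || !name || !loc || name_sz == 0 || loc_sz == 0)
        return USER_INVALID;
    name[0] = loc[0] = '\0';

    at = strchr(in, '@');
    nlen = at ? (size_t)(at - in) : strlen(in);
    if (nlen == 0 || nlen >= name_sz)
        return USER_INVALID;        /* empty or oversized name */
    if (at && (strlen(at + 1) >= loc_sz || !location_ok(at + 1)))
        return USER_INVALID;        /* oversized or malformed location */

    memcpy(name, in, nlen);
    name[nlen] = '\0';
    if (!at)
        return USER_PLAIN;
    strcpy(loc, at + 1);            /* length checked above */
    return USER_WITH_LOCATION;
}
```

Rejecting malformed input outright, instead of trimming it to a plain name, keeps a password from being checked against a location other than the one the attributes specify.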