Kerberos SSO and authentication
Set and reset user passwords with support for password policies and OTP authentication. Password changes trigger automatic policy validation and can require old password verification. Features include self-service password changes, administrative password resets, OTP integration for two-factor password changes, and automatic password expiration for initial administrator-set passwords requiring user change on first use.
Manage Kerberos ticket lifetime and renewal policies. Ticket policies control maximum ticket lifetimes, renewable lifetimes, and maximum renewable age for both users and services. Features include per-user and per-service policy overrides, global default policies, and integration with MIT Kerberos for enforcing authentication session limits and ticket renewal windows.
Configure global one-time password authentication settings. OTP configuration defines TOTP and HOTP parameters including algorithm selection (SHA1, SHA256, SHA512), token time step intervals, and authentication window sizes. Features include configuration modification for organization-wide OTP standards and integration with user OTP tokens for two-factor authentication enforcement.
Manage one-time password tokens for two-factor authentication. OTP tokens provide TOTP (time-based) and HOTP (counter-based) authentication for users. Features include token creation and import, QR code generation for mobile authenticator apps, token synchronization, enable/disable controls, token removal, and support for hardware tokens and software authenticators.
Configure global passkey and WebAuthn authentication settings. Passkey configuration defines requirements for FIDO2/WebAuthn authentication including relying party ID and user verification settings. Features include organization-wide passkey policy configuration and integration with user passkey registration for passwordless and multi-factor authentication support.
Configure PKINIT for certificate-based Kerberos authentication. PKINIT enables users and services to obtain Kerberos tickets using X.509 certificates instead of passwords. Features include anonymous PKINIT support and configuration of certificate validation requirements for flexible, certificate-based authentication workflows.
Manage RADIUS proxy servers for external authentication and two-factor authentication integration. RADIUS proxies enable integration with external authentication systems, hardware tokens, and managed authentication services. Features include proxy server configuration with secrets, timeout and retry settings, user assignment, and support for per-user RADIUS server configuration and username mapping.