Work with user names and passwords
Each user is assigned a user name and password.
User names can be up to 70 characters in length and cannot contain the following characters: *%?:;()|#
Passwords maintain system security. Passwords are case-sensitive and cannot contain spaces or underscores. Do not use reserved characters, such as slashes, asterisks, periods, hyphens, parentheses, and so on, in any password.
Within the system, you can perform the following tasks to manage passwords:
Note: Starting with v8.1.9, when a password is changed (either by the user or by the Superuser, manager, or administrator), the system immediately terminates all of the user's active sessions. If the user attempts to continue to work in the system, an error message is displayed. The user must log into the system using new password. The same behavior is occurs when an account is locked by the Superuser, manager, or administrator.
To change a password, click the Change Password link.
- Enter the current password in the Old Password field.
- Enter the new password in both the New Password and Verify Password fields.
Note: If you are a system administrator, you can see a list of system accounts, for which you can also change the password. Use caution when changing system account passwords. The change can interfere with system processes.
- Click Tap Change Password Now to save the changes.
Note: Depending on the configuration at your site, you can select and provide answers to security questions after you change your password.
System passwords changed using this screen must match changes made in other system components. In addition you must change system settings for XMLUser, 4500User, WBAUser.
The XMLUSER account is the system user account that is used for server-to-server communications and for working with the APIs. If you change the XMLUSER system account password, you must change the value the property, global.xmlservice.login password, to match the new system account password.
- Log on to UKG Workforce Central as SuperUser
- Select Setup > System Configuration > System Settings.
- Click the Global Values tab.
- Enter the new system account password for XMLUser in the following property:
- global.xmlservice.login.password
- Log off UKG Workforce Central.
- Log on to UKG Workforce Central as XMLUSER, using the original password (not the password you just entered in System Settings).
- Click the Change Password link.
- Enter the old password, the new password, and the verification password for xmluser.
- Log off UKG Workforce Central.
- Stop and restart the application server.
Impact of XMLUSER password change
If you change the XMLUSER password and your notification server uses the XMLUSER account, you must also change the password for all instances of the notification server. The password must be encrypted.
To encrypt the password, you must first identify the encryption key:
- Open a command window as an administrator on the application server and navigate to \\Kronos\openfire\ns\conf and open openfire.xml with a text editor.
- Search for the <random> tag and copy the text between the <random> and </random> tags, for example:
- <random>6sefm114ntr8dmkelbuwodho2cql</random>
- This is the encryption key.
- Close the file.
Next you must run the krencryptNS tool:
Note: UKG Workforce Central also includes a krencrypt tool, which is used when database passwords need to be encrypted for places other than the notification server. Do not use krencrypt to encrypt passwords that are used by the notification server.
- With the command window still open, navigate to:
- \\Kronos\configuration\boms\bin
- Enter the following:
- krencryptNS password encryptionkey
- where:
- password is the notification server password used by XMLUSER.
- encryptionkey is the encryption key you copied from openfire.xml.
- Save the encrypted text that the system returns.
Note: If you need to change the encryption key, it must be regenerated and system passwords must be re-encrypted using the new key. See your UKG Representative for a copy of the System Password Management document.
After you have the encrypted password, edit the openfire.xml file for each notification server in your environment:
- Navigate to \\Kronos\openfire\nsx\conf\
- where nsx is the name of a notification server, for example ns1, ns2, and so forth.
- With a text editor, open openfire.xml and replace the password tag with the encrypted password from previous step.
- <xml>
<api>
<username>XMLUSER</username>
<password>EncryptedPassword</password
</api>
</xml>
- where EncryptedPassword is the password that you encrypted in step 1.
- Save the file and restart the notification server.
- Repeat steps 1–3 of all notification servers in your environment.
The 4500User account is the system account that is used for device-to-server communications. The user name and new password are case-sensitive.
If you apply a change in the SuperUser account password to the 4500User system account, you must also change the password in the property, global.m8m.login.password, to match the new system account password.
- In UKG Workforce Central, select Setup > System Configuration > System Settings.
- Click the Global Values tab.
- Enter the new system account password for 4500User in the following property:
- global.m8m.login.password
- Click Save.
The WBAUser system account is used for Process Manager and Process Designer administration.
If you apply a change in the SuperUser account password to the WBAUser system account, you must also change the password in the property, global.wba.login.password, to match the new system account password for WBAUser.
- In UKG Workforce Central, select Setup > System Configuration > System Settings.
- Click the Global Values tab.
- Enter the new system account password for Process Manager and Process Designer in the following property:
- global.wba.login.password
- Click Save.
Impact of password change on Process Designer
If you change the WBAUser account password, you must also change the account information at each client PC where Process Designer is installed and loaded.
To change the password on each client PC:
- Launch Process Designer, for example, select Start > Programs > Kronos > Process Designer > Kronos Process Designer.
- In the Process Designer Logon box, enter the URL of the UKG Workforce Central web server as well as the SuperUser user name and password, and then click Options.
- In the Options box, enter the new password for WBAUser, enter it again to confirm, and then click OK. The password changes immediately.
- When the Process Designer Logon box returns, click Logon or Cancel.
You can configure a message that warns users that their password will expire in a certain number of days. The message appears when the user logs on to the system. The user has an option to either ignore the warning for the time being or change the password. and provides the option to change the password.
To configure the password expiration warning:
- Navigate to Setup > System Settings > Global Values .
- Set global.warn.prior.to.expiration to true.
- In the global.warn.prior.to.expiration.day setting, enter the number of days before the warning should appear.
- Click Save.
You can set authentication so that a user who logs on to the browser can automatically log on without having to re-enter a user name or password. This process is called single sign-on.
You can set browsers to remember passwords so that users can log on more quickly. You can also disable Password Save.
Caution: Use discretion if you decide to use this capability.
Use the following methods to enable or disable Password Save:
- Setting Password Save With a Deployment Tool — Using this method, you can simultaneously enable or disable this capability for all the browsers that use your site. Users cannot change this setting.
- Setting Password Save From User Desktops — If the browsers are already on user desktops, change this setting at each browser. You cannot prevent users from altering the setting.
See Client security for more information.
The Super User system user account, SuperUser, is the highest-priority system user account that the system administrator uses. Kronos recommends that a limited number of users use this account.
Note: For a SQL Server database, SuperUser is case-sensitive in offline mode only. Online mode is case-insensitive, for example:
- Online mode: SuperUser
- Offline mode: superuser
To change the SuperUser password in online mode:
- Log on at:
- http://web_server/instance/navigator/logon
- where web_server is the name of the machine where the web server software is installed and instance is the name of the instance. The URL is case-sensitive.
- Enter the default logon with the user name, SuperUser, and the applicable password.
- Click the Change Password link. The Change Password page opens.
- Enter the old password, then enter the new password twice.
- You can also select one or more system accounts, such as Import and XMLUser, and change those passwords as well.
- Click Change Password Now to save the new password, or click Refresh to reset the page with the password from the database.
Note: As of the release of UKG Workforce Central v8.1.17, the option to log on in offline mode is no longer available.
To change the superuser password in offline mode:
- Log on to the offline page at:
- http://web_server/instance/offlineLogon
- where web_server is the name of the machine where the web server is installed and instance is the name of the instance, typically wfc. The URL is case-sensitive.
- Enter the default logon with the default user name, superuser, and the applicable password.
- Select Setup > System Configuration > System Settings.
- Click the Security tab.
- Change the site.security.authentication.offline.password value.
- Click Save.
Make subsequent logins as superuser, using the new password.
Enhance client security:
- Setting Password Save With a Deployment Tool — Simultaneously enable or disable this capability for all the browsers that use your site. Users cannot change this setting.
- For Microsoft Internet Explorer browsers, use the Microsoft Internet Explorer Administration Kit Customization Wizard. Turn on or off the AutoComplete function, then deploy the browsers to user desktops.
- Setting Password Save From User Desktops — If the browsers are already on user desktops, change this setting at each browser. You cannot prevent users from altering the setting.
- For Microsoft Internet Explorer browsers, turn on or off AutoComplete through Tools > Internet Options > Content.
Use the Reset Password - Security Questions feature to implement security questions for password resets. When users forget their passwords, they can answer security questions and reset passwords without contacting a system administrator.
Implement the Reset Password feature using settings on the Global Values tab in System Settings. You can:
- Enable the Forgot your password? link and security questions.
- Require users who do not have questions and answers to select questions and provide answers when they next log on to the system.
- Specify the number of security questions users must answer before they can reset their password.
- Specify the number of security questions users must select and type in answers at setup.
- Use the defaults or edit the security questions that users can select.
- Specify the number of characters that can be used in response to security questions.
- Specify the number of times users can enter a false response before their account is locked and they must contact the system administrator.
For more information, see Global Values.
Note: Users who log on as SuperUser cannot select security questions.
A new link, Forgot your password?, appears on the suite logon page. This link is enabled when the system setting global.security.authentication.question.RequireSecurityQuestions on the Global Values tab is set to True.
Users with security questions and answers must enter their user name before they can use the link to reset their password.
If users leave the User Name text box empty and click Forgot your password?, a Security Question page opens and requires that they enter their user name. If a user does not have a valid user name, the user cannot proceed and must contact a system administrator.
The SuperUser user cannot access the Forgot your password? link.
Security questions enable users to provide answers that identify them to the system when they forget their password. On the Global Values tab in System Settings, you specify the number of questions the user can select and answer. You can use the default questions installed with the system or edit those questions. The system encrypts the answers using the same method used for encrypting passwords. You cannot view or decrypt the answers.
To enable and configure security questions, select Setup > System Configuration > System Settings, click the Global Values tab, and do the following:
- Change the following setting to true:
- global.security.authentication.question.RequireSecurityQuestions
- When you set this property to true, users are required to select their security questions the next time they log on. If they do not select their security questions, they cannot log on.
- Set the following property to true if you also want to require users to change their security questions when they change their passwords:
- global.security.authentication.question.SetUpQuestionsAtChangePassword
- Modify the attributes of the security questions as necessary or leave the default values:
- Enter the number of maximum characters allowed for the response (default value is 64 characters):
- global.security.authentication.question.MaxNumberOfCharactersInASecurityResponse
- Enter the number of consecutive false responses allowed before lock out (default value is 3 false responses):
- global.security.authentication.question.MaxNumberOfFalseResponsesToASecurityQuestion
- Enter the number of minimum characters allowed for the response (default value is 6 characters):
- global.security.authentication.question.MinNumberOfCharactersInASecurityResponse
- Enter the number of security questions that will be asked if a user forgets his or her password (default value is 1 question):
- global.security.authentication.question.NumberOfQuestionsToAskEnter the
- number of security questions that will be available to each user (default value is 3 questions):
- global.security.authentication.question.NumberOfSecurityQuestionsPerUser
- Click Save and close Setup.
- Run QuickFind, select the applicable group of employees, click Go To, and select People Editor.
- Select the Person tab and navigate to User Information.
- Select Require password change at the next logon check box.
- Click Save.
- Repeat step 5 for all selected employees.
When the Security Question Setup page opens, the user selects the questions to answer when the user first logs on, or changes his or her password.
Depending on the system configuration, users can select one or more questions and provide answers. Both are stored in the system. One or more of the questions appear when the user clicks Forgot your password?. The user must provide an answer that matches the answer in the system.
To set up security questions, the user does the following:
- On the Security Question Setup page, select a question from one of the drop-down lists in the Questions column.
- Type the answer in the corresponding text box in the Answers column.
- Repeat steps 1 and 2 until you have selected as many questions as you can.
- Click:
- Submit Security Questions to save the changes.
- Refresh to cancel your changes and start again.
When UKG Workforce Central is installed, a default password is delivered for the SuperUser account. Although we have always recommended changing this password, v8.1.13 now issues the following warning message:
Insecure password usage detected for user: SuperUser. Please change the password.
This message appears in the following circumstances:
- When the SuperUser administrator runs Database Manager to upgrade or reconcile the database version (Run Scripts or Reconcile button), the warning message is written to the Database Manager log.
- When the application server (JBoss) starts up, the warning message is written to the StartupInfo.log.
- When the SuperUser administrator successfully logs in with the default password, the warning message appears.
- After several successful login attempts with the default password, the Change Password screen is displayed and the user is forced to change the password.
Note: After changing the SuperUser password, the user must change the SuperUser password in other client utilities such as XML API, SOAP UI, Process Designer, Nav Reports, Worksheets, Integration Manager, and the Attestation Toolkit.