Password Expiration Policy - How to Configure
Admin Configuration Guide
This feature is available for private cloud and on-premise installations only. It is not available on aqua SaaS.
Overview
The password expiration policy allows administrators to enforce periodic password changes for all standard users in the environment. When enabled, users whose passwords have exceeded the configured period will be required to set a new password before they can log in.
Prerequisites
Private cloud or on-premise installation
Access to the aqua server configuration file (appSettings)
aqua version 26.26 or newer
Configuration Parameters
All settings are configured by adding keys under <appSettings> in the following file on the aqua server:
aquaWebService\Web.config

| Key | Value | Description |
| --- | --- | --- |
| PasswordExpiryEnabled | false | Master switch: enables or disables the feature globally |
| PasswordExpiryDays | 90 | Number of days a password remains valid before the user is forced to set a new one on their next login |
| PasswordMinimumAgeHours | 24 | Minimum time (in hours) before a user can change their password again voluntarily |
| PasswordHistorySize | 5 | Number of previous passwords blocked from reuse. Set to 0 to disable history checks |
| AccountLockoutEnabled | false | Enables account lockout after repeated failed login attempts |
| AccountLockoutMaxAttempts | 5 | Number of consecutive failed logins before an account is locked |
| AccountLockoutDurationMinutes | 30 | Duration in minutes for which the account remains locked |

Add the following block:
To disable an individual feature, either set its value to 0 or omit the key entirely.
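The check below is an added example, not part of the original guide or of aqua itself: it parses a constructed <appSettings> section, written in the standard ASP.NET <add key="..." value="..." /> form with the keys from this page, and reports which controls are inactive. It assumes that a missing master switch counts as off and that the numeric keys depend on the switches as grouped in GROUPS.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an <appSettings> section for aquaWebService\Web.config
# using the keys and values listed on this page, with both switches turned on.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="PasswordExpiryEnabled" value="true" />
    <add key="PasswordExpiryDays" value="90" />
    <add key="PasswordMinimumAgeHours" value="24" />
    <add key="PasswordHistorySize" value="5" />
    <add key="AccountLockoutEnabled" value="true" />
    <add key="AccountLockoutMaxAttempts" value="5" />
    <add key="AccountLockoutDurationMinutes" value="30" />
  </appSettings>
</configuration>"""

# Assumption: which numeric keys depend on which switch (key names from the page).
GROUPS = {
    "PasswordExpiryEnabled": ["PasswordExpiryDays", "PasswordMinimumAgeHours", "PasswordHistorySize"],
    "AccountLockoutEnabled": ["AccountLockoutMaxAttempts", "AccountLockoutDurationMinutes"],
}

def read_app_settings(xml_text):
    """Map every <add key=... value=...> under <appSettings> to its string value."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.get("value") or "").strip()
            for e in root.findall("./appSettings/add")}

def audit(xml_text):
    """Return a list of findings; an empty list means every control is active."""
    settings = read_app_settings(xml_text)
    findings = []
    for switch, keys in GROUPS.items():
        if settings.get(switch, "false").lower() != "true":  # assumption: missing = off
            findings.append(f"{switch} is off or missing: {', '.join(keys)} have no effect")
            continue
        for key in keys:
            raw = settings.get(key)
            if raw is None:
                findings.append(f"{key} is omitted: that individual feature is disabled")
            elif not raw.isdecimal():
                findings.append(f"{key}={raw!r} is not a non-negative integer")
            elif int(raw) == 0:
                findings.append(f"{key}=0: that individual feature is disabled")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_WEB_CONFIG) or ["all password and lockout controls are active"]:
        print(line)
```

To check a real installation, pass the contents of the server's Web.config to audit() instead of the constructed sample.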
First-time activation
When the feature is enabled for the first time, all existing users will have no password change date on record. The system will treat all of them as expired immediately. Every user will be required to set a new password on their first login after the feature is activated. Plan for this and communicate to your users in advance.
Who Is Affected
The policy applies to all standard aqua users who authenticate with aqua's native password-based login.
The following users are exempt by default and are not affected by any of these settings:
Technical users: Sync users, API users
Users authenticating via SAML, Active Directory, or LDAP: their password management is handled by the external provider
Per-user exemption: server administrators can flag individual users (e.g. the Jira plugin's technical user) as Exempt from password expiry in the user profile.
Important: Jira Plugin users - manual exemption required
Due to implementation specifics of the Jira Plugin integration, automatic exemption cannot always be guaranteed for Jira Plugin users. When enabling the Password Expiration Policy, administrators must manually verify and exempt Jira Plugin users via the User Administration UI. Failing to do so may cause the Jira Plugin integration to stop working.
The toggle is only shown when the expiry feature is enabled.

Account Lockout
With this parameter enabled, accounts are temporarily locked after a configurable number of consecutive failed login attempts.
To unlock a user immediately, an admin can deactivate and reactivate the user account in the admin UI. Lockout events are recorded in the audit log.
Technical users and externally authenticated users (AD/LDAP) are exempt from lockout.
Known Limitation - Desktop Client
Password expiration is enforced via the web client only. If a user's password expires and they are using the aqua desktop client, they will not be able to log in via the desktop client until their password is changed. They must log in via the web client to complete the password change, after which desktop login will work again.
Workarounds:
The user logs in via the web client and completes the password change flow
An admin resets the user's password manually