Adaxes Web Interface Help

Prevent Username Compromising

For user convenience, Adaxes Web Interface displays the username of the last logged-in user on the Sign In page. The username entered on the Sign In page is also displayed automatically on the first step of Self-Service Password Reset and on the form where users change their expired passwords. For this purpose, Adaxes stores usernames in browser cookies and passes them as part of URLs. In addition, auto-complete is enabled by default on the Sign In page. This can expose AD usernames to compromise, especially when the Web Interface is available from the outside. To prevent usernames from being compromised:

  1. Close the Web Interface Customization tool.

  2. Open the Web.config file with a text editor. By default, it is located in the folder C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type> on the computer where the Web Interface is installed.

  3. Set the preventUsernameDisclosure attribute of the XML element configuration\softerra.adaxes\web.ui\signinOptions to true.

    <configuration>
        ...
        <softerra.adaxes>
            ...
            <web.ui ...>
                ...
                <signinOptions preventUsernameDisclosure="true" />
            </web.ui>
        </softerra.adaxes>
    </configuration>

  4. Save the file.
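
The same change can be audited or applied from PowerShell, which helps when several Web Interface types are installed on one server. The script below is an added example, not code from Softerra; the parameter names `-WebConfigPath` and `-Fix` are hypothetical, and it assumes the Web Interface Customization tool is closed and that the `signinOptions` element already exists in the file.

```powershell
# Added example (not Softerra's code): report or set preventUsernameDisclosure in Web.config.
param(
    [Parameter(Mandatory)] [string] $WebConfigPath,  # full path to the Web.config file
    [switch] $Fix                                     # without -Fix the script only reports
)

$ErrorActionPreference = 'Stop'
# Element path taken from step 3 of the procedure above.
$xpath = '/configuration/softerra.adaxes/web.ui/signinOptions'

$resolved = (Resolve-Path -LiteralPath $WebConfigPath).Path
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's existing layout when saving
$xml.Load($resolved)

$node = $xml.SelectSingleNode($xpath)
if ($null -eq $node) {
    # Do not guess where the element belongs; leave the file untouched.
    throw "Element $xpath not found in $resolved; file left unchanged."
}

# GetAttribute returns an empty string when the attribute is absent.
$current = $node.GetAttribute('preventUsernameDisclosure')
if ($current -ceq 'true') {              # case-sensitive match on the documented value
    Write-Output "OK: preventUsernameDisclosure is already true in $resolved"
    return
}

Write-Warning "preventUsernameDisclosure is '$current' in $resolved"
if (-not $Fix) { return }

# Keep a timestamped copy so the change can be rolled back.
$backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $resolved, (Get-Date)
Copy-Item -LiteralPath $resolved -Destination $backup

$node.SetAttribute('preventUsernameDisclosure', 'true')
$xml.Save($resolved)
Write-Output "Set preventUsernameDisclosure=true in $resolved (backup: $backup)"
```

Run it from an elevated PowerShell session, because the default location is under C:\Program Files, and move or delete the backup copy once the Sign In page has been checked.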