Authentication

Forgot Password

If you’ve forgotten your password, you can reset it by clicking Forgot Password.

Type the user name that you use to log in to Totalview, and click Send instructions.

You will get a confirmation that the instructions are sent.
If you don’t get an email with instructions within 5 minutes, please check your spam folder. You can also try again or contact your Totalview Administrator.

Within 5 minutes you’ll get an email from Totalview that looks similar to this.

Click the Change my password button. This link is only valid for 24 hours from when the request was issued.

If the link has expired, you can just request a new one.

You’ll be taken to a Reset Password page, where you can specify a new password.
Enter your new password and then repeat it.
Note the password strength checklist at the bottom. All criteria must be met before you can set a new password.

Even if your new password conforms to our password policies, you might get a warning saying that the password is vulnerable.
We do not recommend you use passwords that are vulnerable, but you can do this by clicking Continue anyway.

The password vulnerability is checked by haveibeenpwned.com

When your password has been changed, you’ll get this confirmation. You can now log in to Totalview with your new password.

Remember me

To enable Remember me, check the Remember me check box when logging in.

Your login will be remembered for 7 days after your last login. If you don’t use Totalview for 7 days, you need to log in again.

Forget me

To prevent the client from automatically logging in as you, simply log out of the client.

You can also manually delete the token from %appdata%\Totalview by deleting the totalviewaccess.token file.

Change Password

To change your password, open the Totalview Client and click Settings and then User.

In the User dialog click on the Change Password button in the top bar.

Changing the password 
Type your username (the same one you use to log in to Totalview) and your current password.
Type your new password and then repeat the new password.
Note the Password Strength checklist at the bottom. All criteria must be met before you can change the password.

Password Vulnerability

Even if your new password conforms to the password policies, you might get a warning saying that the password is vulnerable.
We do not recommend you use passwords that are vulnerable, but you can do this by clicking Continue Anyway.

The password vulnerability is checked by haveibeenpwned.com
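
The warning described here and under Forgot Password relies on a breached-password lookup at haveibeenpwned.com. The sketch below is an added example, not Totalview's code: it assumes the public Pwned Passwords range API (the page does not say which endpoint Totalview calls) and shows how such a lookup sends only a 5-character hash prefix. The response body and `offline_fetch` are constructed so the example runs offline.

```python
import hashlib

# Constructed response body in the "SUFFIX:COUNT" format of the range API.
# The middle line is the SHA-1 suffix of the string "password"; the last line
# imitates a padding entry, which carries a count of 0.
SAMPLE_BODY = (
    "0123456789ABCDEF0123456789ABCDEF012:4\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3\r\n"
    "FEDCBA9876543210FEDCBA9876543210FED:0\r\n"
)

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Map suffix -> count, skipping lines that are not SUFFIX:COUNT."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """How often the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)        # only the 5-character prefix leaves the host
    return parse_range_body(body).get(suffix, 0)

SENT = []                             # records what the lookup transmitted

def offline_fetch(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    SENT.append(prefix)
    return SAMPLE_BODY if prefix == "5BAA6" else ""
```

The suffix comparison happens on the caller's side, so neither the password nor its full hash is transmitted.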

Totalview Authentication

Change password on next login

You can force users to change their password on next login.

To do this, log in to Totalview Admin.
Click on User and find the user that should change password on next login.
In the bottom right corner under Login set a check mark in Require password change.

What will change when I enable Totalview Authentication

Totalview Password and Totalview PIN

When using classic authentication the Totalview Doorway Client and Totalview Mobile App use the Totalview PIN, while the rest of the clients use the Totalview Password.
After changing to Totalview Authentication Portal only the Totalview Doorway Client will use the PIN while the Totalview Mobile App and all the clients use the Totalview Password.

Totalview Mobile App

When changing from classic authentication to Totalview Authentication Portal, all users on the mobile app must login again.
This is because the credential used changes from the PIN to the Totalview Password. If these differ, their current authentication will be invalid.

Password Strength

When using classic authentication there are no password strength validations.
After changing to Totalview Authentication Portal it will enforce these password policies:

  • Must contain at least 6 characters
  • Must contain at least 3 unique characters
  • Must contain at least one uppercase character
  • Must contain at least one lowercase character
  • Must contain at least one digit

When switching from classic authentication to Totalview Authentication Portal the passwords will not be changed, and will still be allowed even if they don’t conform to the new password policies.
To force users to change their password, you can check Require Password Change for the user in the Totalview Admin client.

We strongly recommend doing this after you change to Totalview Authentication Portal.

How to enable

To enable the Totalview Authentication Portal, it must be enabled on the Totalview Server, the Totalview Time Server (if used), and Totalview Reports (if used).

To check if the Totalview Authentication Portal server is reachable, or to verify if the URL is correct you can navigate to it in a browser. You should get a page that looks similar to this.

Enable Totalview Authentication for Totalview Server

  1. Go to your Totalview Installation
  2. Open the Server folder
  3. Edit the serverconfig.xml
  4. Set the authenticationPortal enabled to true and set the correct URL
  5. Restart the Totalview Server (find the service in services.msc and stop and restart it)

Example

Enable Totalview Authentication Portal for Totalview Time

  1. Go to your Totalview Installation
  2. Open the TimeServer folder
  3. Edit the TimeServer.exe.config
  4. Set the UseAuthenticationPortal appsetting value to true
  5. Set the AuthenticationPortalURL appsetting value to the correct URL
  6. Restart the Totalview Time Server (find the service in services.msc and stop and restart it)

Example

Enable Totalview Authentication Portal for Totalview Reports

  1. Go to your Totalview Installation
  2. Open the Totalview3Reports folder
  3. Edit the Web.config
  4. Set the UseAuthenticationPortal appsetting value to true
  5. Set the AuthenticationPortalURL appsetting value to the correct URL
  6. Restart the Totalview Reports (open cmd as admin and run the command iisreset)

Example

Setup Reverse Proxy

The Totalview Authentication Portal will generate authentication URLs to be used for the clients to authenticate. By default, the Authentication Portal will generate URLs relative to the host.

If the Authentication Portal is not running on the DMZ machine it can generate wrong addresses like ‘https://localhost/Authenticate?token=asdas-as123-asdas-123’. This can be changed by adding a Reverse Proxy to the host running on the DMZ machine.

Follow these steps if you want to set up a reverse proxy for the Totalview Authentication Portal:

  1. Verify that the appsettings.json has the desired host allowed in the App:AllowedHosts field. (e.g. if you want to forward from tv.formula.fo:44430, then you want *.formula.fo in the AllowedHosts)
  2. Create the reverse proxy website on the IIS host. Just a normal website with the correct DNS that you would expect.
  3. Click on URL Rewrite
  4. In the Actions panel to the right, select View Server Variables
  5. Add the variables
    • HTTP_X_FORWARDED_HOST
    • HTTP_X_FORWARDED_PROTO
  6. Go back to URL Rewrite
  7. Click Add rule then add Reverse Proxy
  8. After the rule is created, find it and double click on the inbound rule (top one)
  9. Go down to Server Variables and click Add
  10. Select the HTTP_X_FORWARDED_HOST and write the desired reverse proxy host
  11. This should not be needed but you can select the HTTP_X_FORWARDED_PROTO and set it to https

Settings

Settings are stored in the appsettings.json file in your [TotalviewDirectory]\TotalviewAuthentication

Example

Language

This is the default language to use if nothing else is specified by the user.
If this is not specified, the default language will fall back to `AcceptLanguageHeaderRequestCultureProvider`, which is set by the browser by default.

UseWindowsAuthentication

If set to true, the Totalview Authentication Portal will use Windows Authentication. To use this the Totalview Authentication Portal must run on a machine with access to the Active Directory.

AllowedHosts

Restricts hosts by the X-Forwarded-Host header to the values provided.
This must be non-empty and must not contain a top-level wildcard `*`.
This is used by the Reverse Proxy if it is set.

  • Values are compared using ordinal-ignore-case.
  • Port numbers must be excluded.
  • Subdomain wildcards are permitted but don’t match the root domain. For example, `*.contoso.com` matches the subdomain `foo.contoso.com` but not the root domain `contoso.com`.
  • Unicode host names are allowed but are converted to Punycode for matching.
  • IPv6 addresses must include bounding brackets and be in conventional form (for example, `[ABCD:EF01:2345:6789:ABCD:EF01:2345:6789]`). IPv6 addresses aren’t special-cased to check for logical equality between different formats, and no canonicalization is performed.
  • Failure to restrict the allowed hosts may allow an attacker to spoof links generated by the service.
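
The matching rules above, written out as an added example (not the Authentication Portal's own code) so that a planned AllowedHosts list can be checked before the reverse proxy is configured. The function names are hypothetical, `attacker.example` is a constructed value, and `tv.formula.fo:44430` with `*.formula.fo` is the case from step 1 of the reverse proxy setup.

```python
def split_port(value):
    """Host part of an X-Forwarded-Host value, or None if it is malformed."""
    value = value.strip()
    if value.startswith("["):                 # bracketed IPv6, optional :port
        host, sep, rest = value.partition("]")
        ok = sep and (rest == "" or (rest[0] == ":" and rest[1:].isdigit()))
        return host + "]" if ok else None
    if value.count(":") > 1:                  # IPv6 without brackets is rejected
        return None
    host, _, port = value.partition(":")
    return host if host and (port == "" or port.isdigit()) else None

def normalise(host):
    """Lower-case; Unicode names become Punycode; IPv6 is not canonicalised."""
    if host.startswith("["):
        return host.lower()
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None

def host_allowed(forwarded_host, allowed_hosts):
    """Apply the matching rules listed above to one header value."""
    host = split_port(forwarded_host)
    host = normalise(host) if host else None
    if not host:
        return False
    for entry in allowed_hosts:
        entry = normalise(entry.strip())
        if not entry or entry == "*":         # top-level wildcard is never honoured
            continue
        if entry.startswith("*."):
            suffix = entry[1:]                # "*.formula.fo" -> ".formula.fo"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False

def config_problems(allowed_hosts):           # values the description forbids
    problems = [] if allowed_hosts else ["AllowedHosts is empty"]
    for entry in allowed_hosts:
        if entry.strip() == "*":
            problems.append("top-level wildcard '*'")
        elif split_port(entry) != entry.strip():
            problems.append(f"port or malformed value: {entry}")
    return problems

# Constructed header values: the proxy host from step 1, then a forged one.
SAMPLE = [host_allowed(h, ["*.formula.fo"]) for h in ("tv.formula.fo:44430", "attacker.example")]
```

A forwarded host that fails this check should never end up in a generated authentication or password-reset link.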

KnownProxies

Addresses of known proxies to accept forwarded headers from. Use `KnownProxies` to specify exact IP address matches.
The default is an `IList<IPAddress>` containing a single entry for `IPAddress.IPv6Loopback`.
This is used by the Reverse Proxy if it is set.

Mail Options

Example

{
  …,
  "MailOptions": {
    "MailProvider": "Exchange",
    "ExchangeOptions": {
      "SenderEmailAddress": "no-reply@somedomain.com",
      "SenderPassword": "Password1",
      "IsHttpsRequired": true,
      "ExchangeVersion": 0
    },
    "SmtpOptions": {
      "SenderEmailAddress": "no-reply@somedomain.com",
      "Host": "mail.somedomain.com",
      "Port": 25,
      "UseSsl": false,
      "RequiresAuthentication": false,
      "UserName": "",
      "Password": ""
    }
  }
}

MailProvider

Can be Exchange or Smtp. This will determine what service and options will be used.

ExchangeOptions

SenderEmailAddress

The email address that will send the emails.
This will be used as the user name for the WebCredentials for the exchange service.
It will also be used for the auto discovery of the Exchange service.

SenderPassword

Password for the exchange account.

IsHttpsRequired

If this is set to true, the Service will only accept https endpoints from the auto discover.

ExchangeVersion

The number of the Exchange version (e.g. for `Exchange2007_SP1` the ExchangeVersion would be `0`):

  • Exchange2007_SP1 = 0
  • Exchange2010 = 1
  • Exchange2010_SP1 = 2
  • Exchange2010_SP2 = 3
  • Exchange2013 = 4
  • Exchange2013_SP1 = 5
  • Exchange2015 = 6
  • Exchange2016 = 7
  • V2015_10_05 = 8

SmtpOptions

SenderEmailAddress

The address of the sender’s mailbox.

Host

The host to connect to.

Port

The port to connect to. If the specified port is 0, then the default port will be used.

UseSsl

true if the client should make an SSL-wrapped connection to the server.

RequiresAuthentication

true if the host requires authentication.

UserName

The user name (Only used if RequiresAuthentication is true).

Password

The password (Only used if RequiresAuthentication is true).

ConnectionStrings

DefaultConnection

The connection string to the Totalview Database.

Logging

Valid logging levels are:

  • Trace
  • Debug
  • Information
  • Warning
  • Error
  • Critical
  • None

LogLevel

  • Default: The recommended value is Information
  • Microsoft: The recommended value is Error

Totalview Authentication

Totalview Authentication Portal is a centralized authentication module for the Totalview Suite. Its primary function is to have all authentication for the Totalview Suite in one place and to use token-based authentication, so the user only has to log in when necessary.

With the Totalview Authentication Portal you get features like time-based ‘remember me’, forgot password, password strength validation, and forced password change.