GFDL - Geophysical Fluid Dynamics Laboratory

Introduction to Accounts & Passwords

All scientific users at GFDL are issued 3 accounts upon initial account creation. This includes a GFDL local Active Directory (AD) account, an R&D HPCS account and a NOAA email account. Each of these is completely separate from the others and is contained within its own domain. NOAA is trending towards a 2-factor authentication architecture. As of right now, only the R&D HPCS domain is fully using 2-factor authentication and contains no passwords. With that account you receive an RSA token.

The GFDL local Active Directory (AD) account is used for accessing GFDL-specific hosts/devices and some internal applications such as Service Desk. If you are logging into a GFDL console, without CAC, you are using your AD password. Your AD password needs to be updated every 60 days.

Your NOAA Email Messaging System (NEMS) password is a part of your NOAA email and Google account. This is controlled by NOAA and not the GFDL IT staff. This password will NEVER be used to access any devices. It is ONLY used for email and authentication into some applications like Help Desk and Wikis. This may help you determine which password to use when. If you are ever not sure about which password to use when authenticating into a service or host, try both your GFDL and NOAA account. The usernames should be the same. When changing your GFDL and NOAA passwords, you may choose to set them to be the same for convenience. That password will still need to meet the strength criteria for each domain. The NOAA NEMS password, technically, never needs to be changed.

GFDL recently transitioned from OpenLDAP to Active Directory within the GFDL domain (see green bubble below). There are just a couple of applications still using that legacy username and password. If you are not using FTP, you can completely disregard the OpenLDAP account and password.

The RSA token is strictly for the HPC domain. This is used to log into the R&D HPCS Super Computers. NOAA is trending away from passwords and towards 2-factor authentication. Below is a diagram to help explain the different domains. Our temporary environment technically includes three completely separate passwords: AD, LDAP and NEMS.

Passwords

GFDL (Active Directory) Passwords

GFDL Passwords must adhere to the NOAA standard policy:

  • Password History – Cannot be last 24 passwords used.
  • Maximum password age – 60 days
  • Minimum password age – 2 days
  • Minimum password length – 12 characters.
  • Contains at least one uppercase, one lowercase, one digit, and one non-alphanumeric character
  • Does not contain three or more consecutive characters from your account name
  • Does not contain any common (dictionary) words that are four or more characters in length
  • Does not contain any white space characters (no spaces or tabs)

CAC authentication is a substitute for your GFDL AD password.

Changing Your GFDL Active Directory Passwords

When it comes time to change your password, please follow the instructions below in the order listed. Internet access is required. This password change will be reflected on all of your GFDL issued computers. There is no need to change your password on your local machine. For GFDL issued laptops, it is suggested that you connect your device to the wired network shortly after changing your password so that it gets updated and no longer thinks your password will expire.

  1. Go to https://passwords.gfdl.noaa.gov
  2. Log in with your GFDL Workstation (Active Directory) Username and your GFDL Workstation (Active Directory) password
  3. Click “Self Service”
  4. Decide on a password that meets the posted criteria.
  5. Select “Username (Active Directory)” for the “Select Account(s)” question
  6. Type in your current password in “Old Password” and the new password you created from step 4.
  7. Click OK

Changing Email (NEMS) Password

1. Decide on a password that meets the following criteria:

  1. At least 12 characters in length
  2. Contains at least one uppercase, one lowercase, one digit, and one non-alphanumeric character
  3. Does not contain three or more consecutive characters from your account name
  4. Does not contain any common (dictionary) words that are four or more characters in length
  5. Does not contain any white space characters (no spaces or tabs)
  6. Character does not repeat itself more than 6 consecutive times
  7. Cannot have been used within the past 24 passwords
2. Go to https://googlesync.noaa.gov/ and click ‘Change password for both NEMS and Gmail’. Properly fill in the cells for login name, current password, new password, confirm new password and then click ‘Update password on NEMS and Gmail’.
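
The locally checkable criteria listed above can be tested before a new password is submitted. The sketch below is an added example, not GFDL or NOAA code: the function name, the small word list (a constructed stand-in for a real dictionary) and the account name `jdoe` used with it are assumptions, and "more than 6 consecutive times" is read as seven or more of the same character in a row. Password history and minimum age are enforced by the directory and are not checked here.

```python
import re

# Constructed stand-in word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "summer", "winter", "ocean", "climate", "welcome"}


def policy_violations(password, account_name, words=SAMPLE_WORDS):
    """Return the criteria from the list above that `password` fails."""
    problems = []
    lower = password.lower()

    if len(password) < 12:
        problems.append("shorter than 12 characters")

    # One character from each required class.
    required = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "digit": str.isdigit,
        "non-alphanumeric": lambda c: not c.isalnum() and not c.isspace(),
    }
    for label, matches in required.items():
        if not any(matches(c) for c in password):
            problems.append(f"missing {label} character")

    if any(c.isspace() for c in password):
        problems.append("contains white space")

    # Slide a 3-character window over the account name (case-insensitive).
    name = account_name.lower()
    if any(name[i:i + 3] in lower for i in range(len(name) - 2)):
        problems.append("contains 3+ consecutive characters from account name")

    # Dictionary words of four or more characters, anywhere in the password.
    if any(len(w) >= 4 and w.lower() in lower for w in words):
        problems.append("contains a dictionary word of 4+ characters")

    # Assumed reading of the NEMS rule: seven or more identical characters.
    if re.search(r"(.)\1{6,}", password):
        problems.append("character repeated more than 6 consecutive times")

    return problems
```

An empty list means the candidate passes every rule that can be evaluated offline; the password tools still make the final decision.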

Linking Legacy LDAP Password

Your legacy LDAP password is still being used for applications like FTP and the Cobweb server. This password can be linked to Active Directory passwords. Linking will only need to be done once. Once it is linked, you will have the option of updating that password whenever you update your password via the https://passwords.gfdl.noaa.gov tool. If you encounter any issues, open a help desk ticket.

  1. Log in to https://passwords.gfdl.noaa.gov (log in with your GFDL Active Directory username and password)
  2. Navigate to the Self Service tab (if not already there)
  3. Click “Link Accounts”
  4. From there you configure your OpenLDAP account. Username will be your 3 letter initials, Provider/Service = OpenLDAP and Host Name = ildap1.gfdl.noaa.gov.
  5. Click “Link”

Password Change Notifications

Users will only be notified to change their passwords when they log into their machine with their username and password if it’s less than 15 days until the password expires. This message will occur on all GFDL Macs, Windows and Linux workstations/laptops. Every login after that will inform the user of how many days they have remaining. Email messages will no longer be sent out for password updates. If a user does not log into a GFDL workstation within 15 days of password expiration, they will still be able to login with their current password the next time they try but will be forced to change their password immediately after authenticating.

We are now enforcing a minimum password age of 2 days. This means users cannot change a password until 48 hours after the previous password change.

Password Change Issues

Listed below are several common issues that can occur with password updates. Please find your issue/question and follow the suggested resolutions. If you are still stuck, please enter a help desk ticket at https://helpdesk.gfdl.noaa.gov.

It won’t accept my new password

Please verify that it meets the criteria specified in Changing Passwords. If you are not sure that your password meets the criteria, try a new password that you are confident does. Please verify that CAPS Lock is not on.

It won’t accept my old password

Please verify that you are entering it correctly and that CAPS Lock is not on. If you no longer remember your old GFDL Active Directory password, you may go to https://passwords.gfdl.noaa.gov and select “Reset Password”. Follow the instructions provided. An email with a link to reset your password will be sent to your NOAA email address. If you cannot remember your NOAA email password, please enter a help desk ticket requesting a temporary password.

My passwords don’t match but I want them to

If you have not updated your GFDL AD password in 48 hours, you can follow the steps to update all of your passwords to the same password as long as they match the criteria. If you don’t remember a password, please open a help desk ticket requesting a temporary password for that domain.

I changed my AD password within 48 hours but not my NOAA NEMS (email)

You can change your NOAA NEMS (email) password separately at https://googlesync.noaa.gov/. The same criteria apply.

Criteria at Googlesync page doesn’t match our instructions

Thank you for noticing. The AD password criteria are stricter than the NOAA NEMS criteria in some ways and vice versa. Providing instructions that allow users to set the same password for both domains means that password has to meet the most restrictive criteria of both.

Why can’t I change my password again within 48 hours

This is a very common security policy that we are forced to implement. This cannot be changed.

I can’t login to certain applications with my username and password

Please try using a previous password to gain entry. Some applications such as Cobweb and FTP still use a legacy authentication protocol called LDAP. These applications are being updated to use AD usernames and passwords. You can update your LDAP password by going to https://passwords.gfdl.noaa.gov and linking your LDAP account. See the Linking LDAP Account documentation.

Google 2-Step Verification

NOAA will be mandating the use of Google 2-Step Verification (2-SV) starting on August 31, 2015. Accounts that do not comply will be disabled. For information on Google 2-Step Verification, please reference https://sites.google.com/a/noaa.gov/noaa-ums/mail/2sv.
Suggestions when using 2-SV:
  • Do not use a phone number that another NOAA Google user may be using for their verification codes
  • Clearing out your web browser cache will result in you needing to provide a verification code at your next login
  • The Google Authenticator App for your smart-phone or tablet is the recommended source for verification codes
  • ALWAYS have Backup Codes available
  • If you are completely locked out and need assistance, it could take several days to regain access.
  • Review all frequently encountered issues below. If your issue does not match, please open a GFDL Help Desk ticket.

How to Print out Backup Codes

Go to https://accounts.google.com/b/0/SmsAuthSettings#devices and click “Print or Download” under the Backup Codes section. This is the only quick way to get into your NOAA Google accounts if you are locked out and not receiving a verification code from Google. It is recommended that everyone prints or downloads these codes.

I cannot find the Google Authenticator app on my cell phone

The app is called “Google Authenticator”. Please search for “Google Authenticator” in your app store and read https://support.google.com/accounts/answer/1066447?hl=en for more information.

I want to use multiple Google accounts with my Google Authenticator app

This is possible. Please see https://support.google.com/accounts/answer/1066447?hl=en, Setting up 2-Step Verification for multiple Google Accounts.

I can no longer access or use a third-party mail client, like Thunderbird, Mac Mail and Outlook

For Outlook please follow

https://support.google.com/accounts/troubleshooter/3141849#ts=3141812,3187116

For Mac Mail

https://support.google.com/accounts/troubleshooter/3141849#ts=3141880

For iPhone/iPad Mail

https://support.google.com/accounts/troubleshooter/3141849#ts=3141876

For Windows Phones

https://support.google.com/accounts/troubleshooter/3141849#ts=3184288

For Other Phone Apps

https://support.google.com/accounts/troubleshooter/3141849#ts=3202254

For Thunderbird

http://wiki.gfdl.noaa.gov/index.php/Google#Thunderbird

I have a new cell phone number or a new cell phone

https://support.google.com/accounts/troubleshooter/4430955?hl=en

Phone was lost or stolen

https://support.google.com/accounts/answer/185834?hl=en#phone

My verification codes are not working (Android)

https://support.google.com/accounts/answer/185834?hl=en#sync

I lost my backup codes and/or need to revoke them

https://support.google.com/accounts/answer/185834?hl=en#backupstolen

How do I sign up for 2-SV

Please view the UMS provided documentation at https://sites.google.com/a/noaa.gov/noaa-ums/mail/2sv.

The link to set up 2-step verification is not showing up

https://support.google.com/accounts/answer/185834?hl=en#signin

My phone or computer stopped working after turning on 2-SV

https://support.google.com/accounts/answer/185834?hl=en#ASPs

I did not receive a verification code via text message or phone call

https://support.google.com/accounts/answer/185834?hl=en#nocode

If you still cannot get into your account, please use a backup code. If you do not have a backup code, please open a GFDL Help Desk ticket.

I received multiple verification codes via SMS or phone

Only the most recent code will work.

Poor cell phone service prevents me from getting an SMS message and/or voice call

If cell phone service is an issue, please try using the Google Authenticator App. The app can be used when no cell phone or internet service is available. Another fallback is to use a landline or to have backup codes readily available when in a no cell reception situation.

Clearing Browser Cache

If you clear your browser cache (as encouraged), you will need to enter a verification code the next time you attempt to log into Google. When logging into Google, you can select to have Google remember this browser and not ask for a verification code for 30 days. If you do clear your cache, this will not work.

Saving Passwords in my Browser

Do NOT do this.

Using other Apps with Google Credentials

Our NEMS accounts also represent our NOAA Google accounts. There is a difference between the access. NEMS is the same username and password as your email (minus the @noaa.gov). NEMS will allow you to log into applications such as HelpDesk, Guest WIFI, Gitlab, etc. This authentication is separate from Google and does NOT need 2-step verification. Only accessing the Google portion of this account requires 2-step verification. Any application that taps into your NOAA email, Google Drive, Google Calendar or any other Google portion of your NOAA account will need an app-specific password. Documentation on generating this one-time password is available at https://support.google.com/accounts/answer/185833?hl=en