Introduction to Accounts & Passwords
All scientific users at GFDL are issued 3 accounts upon initial account creation: a GFDL local Active Directory (AD) account, an R&D HPCS account and a NOAA email account. Each of these is completely separate from the others and is contained within its own domain. NOAA is trending towards a 2-factor authentication architecture. As of right now, only the R&D HPCS domain is fully using 2-factor and contains no passwords. With that account you receive an RSA token.
The GFDL local Active Directory (AD) account is used for accessing GFDL-specific hosts/devices and some internal applications such as Service Desk. If you are logging into a GFDL console, without CAC, you are using your AD password. Your AD password needs to be updated every 60 days.
Your NOAA Email Messaging System (NEMS) password is a part of your NOAA email and Google account. This is controlled by NOAA and not the GFDL IT staff. This password will NEVER be used to access any devices. It is ONLY used for email and authentication into some applications like Help Desk and Wikis. This may help you determine which password to use when. If you are ever not sure about which password to use when authenticating into a service or host, try both your GFDL and NOAA account. The usernames should be the same. When changing your GFDL and NOAA passwords, you may choose to set them to be the same for convenience. That password will still need to meet the strength criteria for each domain. The NOAA NEMS password, technically, never needs to be changed.
GFDL recently transitioned from OpenLDAP to Active Directory within the GFDL domain (see green bubble below). There are just a couple of applications still using that legacy username and password. If you are not using FTP, you can completely disregard the OpenLDAP account and password.
The RSA token is strictly for the HPC domain. This is used to log into the R&D HPCS Super Computers. NOAA is trending away from passwords and to 2-factor authentication. Below is a diagram to help explain the different domains. Our temporary environment technically includes three completely separate passwords: AD, LDAP and NEMS.
GFDL (Active Directory) Passwords
GFDL Passwords must adhere to the NOAA standard policy:
- Password History – Cannot be last 24 passwords used.
- Maximum password age – 60 days
- Minimum password age – 2 days
- Minimum password length – 12 characters.
- Contains at least one uppercase, one lowercase, one digit, and one non-alphanumeric character
- Does not contain three or more consecutive characters from your account name
- Does not contain any common (dictionary) words that are four or more characters in length
- Does not contain any white space characters (no spaces or tabs)
Changing Your GFDL Active Directory Passwords
When it comes time to change your password, please follow the instructions below in the order listed. Internet access is required. This password change will be reflected on all of your GFDL issued computers. There is no need to change your password on your local machine. For GFDL issued laptops, it is suggested that you connect your device to the wired network shortly after changing your password so that it gets updated and no longer thinks your password will expire.
1. Go to https://passwords.gfdl.noaa.gov
2. Login with your GFDL Workstation (Active Directory) Username and your GFDL Workstation (Active Directory) password
3. Click “Self Service”
4. Decide on a password that meets the posted criteria.
5. Select “Username (Active Directory)” for the “Select Account(s)” question
6. Type in your current password in “Old Password” and the new password you created from step 4.
7. Click OK
Changing Email (NEMS) Password
1. Decide on a password that meets the following criteria:
- At least 12 characters in length
- Contains at least one uppercase, one lowercase, one digit, and one non-alphanumeric character
- Does not contain three or more consecutive characters from your account name
- Does not contain any common (dictionary) words that are four or more characters in length
- Does not contain any white space characters (no spaces or tabs)
- Character does not repeat itself more than 6 consecutive times
- Cannot have been used within the past 24 passwords
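An added example (not GFDL or NOAA code): a local pre-check of a candidate password against the combined AD and NEMS criteria listed above, so the same password can satisfy both domains. The word list is a constructed sample, case-insensitive matching is an assumption, and the history and minimum-age rules are not checked because they depend on server-side state.

```python
import re

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "climate", "ocean", "winter", "model"}

def policy_violations(password, account_name, words=SAMPLE_WORDS):
    """Return the list of criteria from this page that `password` fails."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "uppercase": r"[A-Z]",
        "lowercase": r"[a-z]",
        "digit": r"[0-9]",
        # White space is excluded so a space cannot count as the symbol.
        "non-alphanumeric": r"[^A-Za-z0-9\s]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    if re.search(r"\s", password):
        problems.append("contains white space")
    # Any 3-character run of the account name (case-insensitive: assumption).
    name = account_name.lower()
    if any(name[i:i + 3] in lowered for i in range(len(name) - 2)):
        problems.append("contains 3+ consecutive characters of account name")
    # Dictionary words of 4+ characters (case-insensitive: assumption).
    if any(len(w) >= 4 and w in lowered for w in words):
        problems.append("contains a dictionary word of 4+ characters")
    # "More than 6 consecutive times" means a run of 7 or more.
    if re.search(r"(.)\1{6,}", password):
        problems.append("character repeated more than 6 times in a row")
    return problems

if __name__ == "__main__":
    # Constructed candidates and a hypothetical account name.
    for candidate in ("Zq7#vTp2!mXk", "Winter2024!!", "Zq7#jdoeTp2!"):
        print(candidate, policy_violations(candidate, "jdoe"))
```

An empty list means the candidate passes every locally checkable rule; the server still enforces the 24-password history and the 2-day minimum age.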
Linking Legacy LDAP Password
- Log in to https://passwords.gfdl.noaa.gov (Login with your GFDL Active Directory username and password)
- Navigate to the Self Service tab (if not already there)
- Click “Link Accounts”
- From there you configure your OpenLDAP account. Username will be your 3 letter initials, Provider/Service = OpenLDAP and Host Name = ildap1.gfdl.noaa.gov.
- Click “Link”
Password Change Notifications
Users will only be notified to change their passwords when they log into their machine with their username and password if it’s less than 15 days until the password expires. This message will occur on all GFDL Macs, Windows and Linux workstations/laptops. Every login after that will inform the user of how many days they have remaining. Email messages will no longer be sent out for password updates. If a user does not log into a GFDL workstation within 15 days of password expiration, they will still be able to login with their current password the next time they try but will be forced to change their password immediately after authenticating.
We are now enforcing a minimum password age of 2 days. This means users cannot change a password until 48 hours after the previous password change.
Password Change Issues
Listed below are several common issues that can occur with password updates. Please find your issue/question and follow the suggested resolutions. If you are still stuck, please enter a help desk ticket at https://helpdesk.gfdl.noaa.gov.
- It won’t accept my new password
  - Please verify that it meets the criteria specified under Changing Passwords. If you are not sure that your password meets the criteria, try a new password that you are confident does. Please verify that CAPS lock is not on.
- It won’t accept my old password
  - Please verify that you are entering it correctly and that CAPS Lock is not on. If you no longer remember your old GFDL Active Directory password, you may go to https://passwords.gfdl.noaa.gov and select “Reset Password”. Follow the instructions provided. An email with a link to reset your password will be sent to your NOAA email address. If you cannot remember your NOAA email password, please enter a help desk ticket requesting a temporary password.
- My passwords don’t match but I want them to
  - If you have not updated your GFDL AD password in 48 hours, you can follow the steps to update all of your passwords to the same password as long as they match the criteria. If you don’t remember a password, please open a help desk ticket requesting a temporary password for that domain.
- I changed my AD password within 48 hours but not my NOAA NEMS (email)
  - You can change your NOAA NEMS (email) password separately at https://accounts.noaa.gov/. The same criteria apply.
- Criteria at Googlesync page doesn’t match our instructions
  - Thank you for noticing. The AD password criteria are stricter than the NOAA NEMS criteria in some ways and vice versa. Instructions that allow users to set the same password for both domains therefore have to meet the most restrictive criteria of each.
- Why can’t I change my password again within 48 hours?
  - This is a very common security policy that we are forced to implement. This cannot be changed.
- I can’t login to certain applications with my username and password
  - Please try using a previous password to gain entry. Some applications such as Cobweb and FTP still use a legacy authentication protocol called LDAP. These applications are being updated to use AD usernames and passwords. You can update your LDAP password by going to https://passwords.gfdl.noaa.gov and linking your LDAP account. See the Linking LDAP Account documentation.
Google 2-Step Verification
- Do not use a phone number that another NOAA Google user may be using for their verification codes
- Clearing out your web browser cache will result in you needing to provide a verification code at your next login
- The Google Authenticator App for your smart-phone or tablet is the recommended source for verification codes
- ALWAYS have Backup Codes available
- If you are completely locked out and need assistance, it could take several days to regain access.
- Review all frequently encountered issues below. If your issue does not match, please open a GFDL Help Desk ticket.
How to Print out Backup Codes
Go to https://accounts.google.com/b/0/SmsAuthSettings#devices and click “Print or Download” under the Backup Codes section. This is the only quick way to get into your NOAA Google accounts if you are locked out and not receiving a verification code from Google. It is recommended that everyone prints or downloads these codes.
I cannot find the Google Authenticator app on my cell phone
The app is called “Google Authenticator”. Please search for “Google Authenticator” in your app store and read https://support.google.com/accounts/answer/1066447?hl=en for more information.
I want to use multiple Google accounts with my Google Authenticator app
This is possible. Please see https://support.google.com/accounts/answer/1066447?hl=en, Setting up 2-Step Verification for multiple Google Accounts.
I can no longer access or use third party mail client, like Thunderbird, Mac Mail and Outlook.
For Outlook please follow
https://support.google.com/accounts/troubleshooter/3141849#ts=3141812,3187116
For Mac Mail
https://support.google.com/accounts/troubleshooter/3141849#ts=3141880
For iPhone/iPad Mail
https://support.google.com/accounts/troubleshooter/3141849#ts=3141876
For Windows Phones
https://support.google.com/accounts/troubleshooter/3141849#ts=3184288
For Other Phone Apps
https://support.google.com/accounts/troubleshooter/3141849#ts=3202254
For Thunderbird
http://wiki.gfdl.noaa.gov/index.php/Google#Thunderbird
I have a new cell phone number or a new cell phone
https://support.google.com/accounts/troubleshooter/4430955?hl=en
Phone was lost or stolen
https://support.google.com/accounts/answer/185834?hl=en#phone
My verification codes are not working (Android)
https://support.google.com/accounts/answer/185834?hl=en#sync
I lost my backup codes and/or need to revoke them
https://support.google.com/accounts/answer/185834?hl=en#backupstolen
How do I sign up for 2-SV
Please view the UMS provided documentation at https://sites.google.com/a/noaa.gov/noaa-ums/mail/2sv.
The link to set up 2-step verification is not showing up
https://support.google.com/accounts/answer/185834?hl=en#signin
My phone or computer stopped working after turning on 2-SV
https://support.google.com/accounts/answer/185834?hl=en#ASPs
I did not receive a verification code via text message or phone call
https://support.google.com/accounts/answer/185834?hl=en#nocode
If you still cannot get into your account, please use a backup code. If you do not have a backup code, please open a GFDL Help Desk ticket.
I received multiple verification codes via SMS or phone
Only the most recent code will work.
Poor cell phone service prevents me from getting SMS message and/or voice call
If cell phone service is an issue, please try using the Google Authenticator App. The app can be used when no cell phone or internet service is available. Another fallback is to use a landline or to have backup codes readily available when in a no cell reception situation.
Clearing Browser Cache
If you clear your browser cache (as encouraged), you will need to enter a verification code the next time you attempt to log into Google. When logging into Google, you can select to have Google remember this browser and not ask for a verification code for 30 days. If you do clear your cache, this will not work.
Saving Passwords in my Browser
Do NOT do this.