User Authentication

[youtube id=pDkNE5N3lxE]

Note: As of the Spring ’16 release, a previous login from the same IP address no longer bypasses computer activation. See “Improved Security for Device Activation” in the Spring ’16 Release Notes: https://releasenotes.docs.salesforce.com/en-us/spring16/release-notes/rn_security_auth_stop_trusting_ip.htm

55 thoughts on “User Authentication”

  1. Hi John,

    When we click the Reset Password button on a User record, which fields are updated other than LASTPASSWORDCHANGEDATE?

    Maybe this question is not relevant to the admin certification, but if you let me know, it will be helpful.

    Thanks

  2. 1. A user profile has login hour restrictions set to Monday through Friday 8:00 AM to 5:00 PM. It is Tuesday, the user logged in at 4:30 PM, and it is now 5:01 PM.
    Which behavior of the application should the user expect?

    A. The user will be able to continue working and start new sessions.
    B. The user will be logged out and any unsaved work-in-progress will be saved
    C. The user will be able to continue working, but will not be able to start any new sessions.
    D. The user will be logged out and any unsaved work-in-progress will be lost

    In my opinion the answer should be C, but many people say D.

    John Could you please confirm which one is right.

  3. Hi John,

    Could you please help me with below query.

    If an org has implemented Single Sign-On in Salesforce and a user has forgotten his password, who can reset his password, since we know the user himself is not able to reset it?

    Somewhere I found that the Salesforce admin can reset their password, and somewhere else I found that the password needs to be reset in the application that is used to verify the identity, such as Active Directory (AD).

    So which one is true?

    And if the admin can reset their password, then how? Do they have access to AD?

    Thanks

  4. Hi John, a quick question.

    Below is what Network Access setting states.

    “Users logging in to salesforce.com with a browser from trusted networks are allowed to access salesforce.com without having to activate their computers.”

    It does not explicitly mention login via the API from a trusted IP; it only says login with a browser. I would appreciate it if you could please clarify this.

  5. Hi John,

    Based on my understanding I think below points mentioned are true, please let me know if otherwise.

    User’s profile is set with login hours, login IP range and org wide trusted IP ranges are also set by administrator.

    (1) If the user is trying to log in outside of the login hours set in the user’s profile, even if the IP address matches the login IP range in the user’s profile and is within the trusted IP range as well, the user will be prevented from logging in at all; the login will be blocked.

    (2) If user is trying to login within the login hours set in profile, the IP range is within the login IP range but not trusted IP range, then user will require activation to log in.

    (3) If user is trying to login within the login hours set in profile, the IP range is NOT within the login IP range but is trusted IP range, then user’s login will be blocked since IP range does not match with login IP range set in user’s profile.

    Thanks a lot.

    1. Hi Sachin,

      My understanding and answers on your points:

      Point 1: Yes, the login will be denied

      Point 2: If he is not in the trusted IP Range but within Login IP Range, then the user will require activation in the below combinations,
      -> New IP Address, New Browser
      -> New IP Address, Old Browser
      -> Old IP Address, New Browser

      No activation is required when it is: Old IP Address, Old Browser

      Point 3: Yes, Login will be denied if it is not within Login IP Range since it overrides trusted IP Range.

      Regards,
      Prashanth

  6. Would there be a record created in login history if a user tries to log in outside of the profile IP range?

    Wondering if the answer is just D or C & D.

    A user reports an error message when attempting to log in. The administrator checks the user’s login history, but there is no record of the attempted login.
    What could be the reason for this?
    a. The user is attempting to log in with the wrong password
    b. The user is attempting to log in outside of profile login hours
    c. The user is attempting to log in outside of the profile IP login range
    d. The user is attempting to log in with the wrong username

    1. Hi Firstrock,

      I guess if there is no record of the attempted login, then the USERNAME must be wrong, because even if the user tries logging in with the correct username but is outside of the profile login range, at least the user’s login history would show the error with that username. Clearly it is the case of a WRONG USERNAME, and I believe the correct answer should be only D.

    2. Latest question from the certification –

      A user at Universal Containers reports an error message when attempting to log in. The administrator checks the user’s login history, but there is no record of the attempted login.
      What could be the cause of this issue?
      The user is attempting to log in outside of the profile login range
      The user is attempting to log in outside of the profile IP
      The user is attempting to log in with wrong username
      The user is attempting to log in with wrong password

      Correct answer is c- wrong username

      Guess this might help

  7. For logging in via API even from a trusted network that you’ve successfully logged in from previously, do you still need to enter the security token or can that be bypassed as you’ve previously logged in beforehand (or is that completely superseded due to the new release?)

  8. The permission (profile/permission set) “API Enabled” is required for a user to authenticate via the API.

    Every time I use dataloader.io at my office I need to add the token. Is there a way that I won’t need to add the token after first-time access (so no need for a token if I use dataloader.io on another day)?

    1. Is it related to this:

      Modify Session Security Settings-
      Require security tokens for API logins from callouts (API version 31.0 and earlier) In API version 31.0 and earlier, requires the use of security tokens for API logins from callouts. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default.

  9. Hi John,

    After i read the comments above and of course watched the video I would like to see if I got it right:

    Scenario 1: I have an OWD trusted IP address. User profile A has an IP range restriction that partially overlaps with the OWD trusted IP. User profile B has an IP range restriction within the OWD trusted IP address, and lastly user profile C has no IP range restriction.
    User A: logs in from an IP address that is within the profile range but is not in the OWD trusted IP – could the user log in?
    User B: login for the first time within the allowed IP range – would the user get an activation message?
    User A or User B: login outside their profile IP range but within the trusted OWD IP – would they still be able to login?

    Apologies in advance for repetitive questions, I’m a bit slow :)
    Regards,
    Gil

    1. Hi Gil,

      Restrictions override trusted IP ranges.

      Trusted IP ranges are org wide, restrictions are set at profile.

      A- yes (but would require activation)
      B-yes can login, don’t believe activation is required (I believe all IPs are considered trusted if restrictions on the profile are enabled – would need to double check the docs on this)
      Outside of allowed profile ip ranges on login- deny login (if restrictions are enabled, then you can’t access the org outside of those ranges)

      Cheers,

      John

  10. If a device is already verified and a cookie is stored, and the same device is used to log in from a new IP address, will the verification code be asked for? (No trusted range is set.)

  11. Which feature restricts a user’s ability to log into Salesforce?
    Choose 2 answers:
    A. Trusted IP ranges
    B. Login hours
    C. Login IP ranges
    D. Password policies

      1. b&c – trusted IPs make it easy for a user to login (removes need for computer activation and security token), but does not outright prevent logins.

        Login hours and Login IP Ranges will prevent a user from logging in.

  12. Hi John, in the end while summarizing, shouldn’t that be, “for login hours and login IP ranges, no need for a security token when logging in from the API, and no need for computer activation when logging in from the website”? Please correct me if I am wrong. Thanks!

    1. For login from a trusted ip – you will not need computer activation or a security token.

      Login hours is evaluated separately and should not impact your login IP address or other behavior (outside of login time).

  13. Just wanted to note that Salesforce now also sends verification codes to mobile phones via SMS. I don’t know if there’s an option to select a preference for email vs. SMS in the user profile.

  14. Hi John,

    I got question on point 1 from Siva’s post on my certification test today.
    I answered accordingly. Of course, I don’t know whether it got recorded correctly or not.

    I passed the exam. Many thanks for the great site.
    It was extremely helpful in preparing for the exam in a short time.
    Even though I have years of experience, exams are a different beast and one needs structured help. You have done a great job with that.

    regards,

  15. John,

    1. If a user whose profile has Login IP Range (say support staff can access only from a certain building), and this user attempts to login from a computer in their corporate office (which is in the Trusted IP Range), will the user-login be successful?

    2. Is there an order by which IP Range check is performed by Salesforce? Say Login IP Range first and Trusted IP Range second, Public IP third and others next? If the first one verification fails, does the verification go to the second step or stop?

    3. Scenario: My computer is already activated for IE browser. Does accessing Salesforce from Chrome browser require further activation? The reason for this clarification is the reference materials say a cookie is placed in the browser while activation. Is this cookie linked to only one browser?

    Thanks,

    1. Hi Siva,

      1. My understanding is that Login IP ranges will override Trusted IP ranges – e.g. even if the IP Range is trusted, it must also be a login IP range. I haven’t specifically tested this scenario and can’t find a place to confirm this in the documentation, however.

      2. I’m sure there is, but I don’t think it is documented. It shouldn’t matter too much – the preference of feature (as q #1 indicated) should drive behavior.

      3. Yes – a new browser requires new activation. Cookies are browser independent. You can login from one browser, activate, and then immediately login from another browser (as your IP address will allow access).

        1. Sorry I should clarify that point-

          Cookies are browser dependent. However, activations also look at IP addresses.

          Therefore- if you have activated EITHER the current browser OR the current IP address, then you will bypass activation.

          1. Here’s how this would work:

            3. Scenario: My computer is already activated for IE browser. Does accessing Salesforce from Chrome browser require further activation? The reason for this clarification is the reference materials say a cookie is placed in the browser while activation. Is this cookie linked to only one browser?

            Does accessing Salesforce from Chrome browser require further activation?
            -Yes. If you are accessing SFDC from the same IP as you did from FF, Chrome will be activated. If it is a different IP address, then you must activate Chrome.

            Is this cookie linked to only one browser?
            -Yes

        2. Finally, for 1&2, found documentation. My assumption was correct:

          https://help.salesforce.com/apex/HTViewHelpDoc?id=admin_loginrestrict.htm&language=en

          When users log in to Salesforce, either via the user interface, the API, or a desktop client such as Connect for Outlook, Salesforce for Outlook, Connect Offline, Connect for Office, Connect for Lotus Notes, or the Data Loader, Salesforce confirms that the login is authorized as follows:
          Salesforce checks whether the user’s profile has login hour restrictions. If login hour restrictions are specified for the user’s profile, any login outside the specified hours is denied.
          If the user has the “Two-Factor Authentication for User Interface Logins” permission, Salesforce prompts the user for a time-based token (which the user may also be prompted to create if it hasn’t already been added to the account) upon logging in.
          If the user has the “Two-Factor Authentication for API Logins” permission and a time-based token has been added to the account, Salesforce returns an error if a time-based token is not used to access the service in place of the standard security token.
          Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed.
          If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from an IP address they have not used to access Salesforce before:
          If the user’s login is from a browser that includes a Salesforce cookie, the login is allowed. The browser will have the Salesforce cookie if the user has previously used that browser to log in to Salesforce, and has not cleared the browser cookies.
          If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
          If the user’s login is from neither a trusted IP address nor a browser with a Salesforce cookie, the login is blocked.
          Whenever a login is blocked or returns an API login fault, Salesforce must verify the user’s identity:

      1. If a new browser requires new activation, would cookies not be BROWSER DEPENDENT? Browser independent cookie imply that once a cookie is placed in one browser, you can log in from any browser without re-activation.

        Please clarify.

        Regards,
        Munira

        1. Ok… My bad. I checked this issue on the Success Community. The following question is similar to the one asked by Siva. Here is the response I got from Gabriel Nitu (Salesforce).

          Original Question:

          IP Range Question: If I try to login from an IP that’s in my profile range but outside my default org wide range what will happen?

          I can login by activating my computer
          I can login without activating my computer
          I can’t login at all
          I can login with a security token

          Based on my knowledge, the correct answer would be the second one:
          I can login without activating my computer

          Reasons for my answer:

          If I am logging in from an IP range that is already in my profile range, I do not need computer activation (i.e., no verification code needed).

          @gabriel Nitu – Am I correct?

          Regards,
          Munira

          Response from Gabriel Nitu:

          If I try to login from an IP that’s in my profile range but outside my default org wide range what will happen?

          I can login by activating my computer
          I can login without activating my computer (a user will never be challenged with the 5-digit verification code)
          I can’t login at all
          I can login with a security token
          =====================
          Are salesforce cookies browser dependent or independent?
          For instance, on the first attempt, I log into Salesforce using IE. So, a cookie is placed in my browser.
          Next day, I log in again; however, this time, I log in from Chrome. Will a new cookie be placed for Chrome?
          Is a cookie tied to a browser? So, every time I use a new browser, a new cookie is placed?

          Next day you will be challenged with the verification code only if the IP address is different than the previous one.
          If the IP address is the same, the login will be successful.
          The IE cookies are independent from other browser cookies.
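The evaluation order quoted from the Salesforce help topic above (login hours, then profile login IP ranges, then activation cookie or org-wide trusted IP, otherwise identity verification) is easy to misread, as the thread shows. Below is an added worked example that models that order as a decision function and runs the scenarios the commenters kept asking about: profile range but untrusted IP, trusted IP but outside the profile range, after login hours, and a fresh browser. This is the editor's illustration, not Salesforce code; every class, function and constant is invented, the IP addresses are RFC 5737 documentation ranges, the two-factor prompts are left out, and post-Spring ’16 behaviour is assumed (a previously used IP address alone no longer counts as an activated device, per the note at the top of the page).

```python
"""Model of the Salesforce login authorization order quoted in the thread.
Added illustration only; all names, ranges and dates are constructed.

Order modelled:
  1. profile login hours      -> deny if outside
  2. profile login IP ranges  -> allow if inside (no activation needed),
                                 deny if outside; org-wide trusted ranges
                                 are NOT consulted once the profile has ranges
  3. otherwise: activation cookie or org trusted IP -> allow,
                neither -> identity verification (activation) required
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Set, Tuple

DENIED = "DENIED"
ALLOWED = "ALLOWED"
ACTIVATION_REQUIRED = "ACTIVATION_REQUIRED"


@dataclass
class LoginHours:
    weekdays: Set[int]          # datetime.weekday(): Monday = 0 ... Sunday = 6
    start: time
    end: time

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end


@dataclass
class Profile:
    login_hours: Optional[LoginHours] = None                  # None = unrestricted
    login_ip_ranges: List[IPv4Network] = field(default_factory=list)


@dataclass
class Org:
    trusted_ip_ranges: List[IPv4Network] = field(default_factory=list)


@dataclass
class LoginAttempt:
    source_ip: str
    when: datetime
    has_activation_cookie: bool = False   # browser previously activated


def _in_any(ip, ranges) -> bool:
    return any(ip in net for net in ranges)


def authorize_login(org: Org, profile: Profile, attempt: LoginAttempt) -> Tuple[str, str]:
    """Return (decision, reason) following the quoted evaluation order."""
    ip = ip_address(attempt.source_ip)

    if profile.login_hours is not None and not profile.login_hours.allows(attempt.when):
        return DENIED, "outside profile login hours"

    if profile.login_ip_ranges:
        if _in_any(ip, profile.login_ip_ranges):
            return ALLOWED, "inside profile login IP range (no activation needed)"
        return DENIED, "outside profile login IP range (trusted ranges do not override)"

    if attempt.has_activation_cookie:
        return ALLOWED, "browser carries an activation cookie"
    if _in_any(ip, org.trusted_ip_ranges):
        return ALLOWED, "source IP is in an org-wide trusted range"
    return ACTIVATION_REQUIRED, "unknown device from an untrusted IP"


# --- constructed sample org and profiles (RFC 5737 documentation addresses) ---
ORG = Org(trusted_ip_ranges=[ip_network("203.0.113.0/24")])
SUPPORT = Profile(                       # one building only, Mon-Fri 08:00-17:00
    login_hours=LoginHours({0, 1, 2, 3, 4}, time(8, 0), time(17, 0)),
    login_ip_ranges=[ip_network("198.51.100.0/24")],
)
UNRESTRICTED = Profile()
TUESDAY_10AM = datetime(2016, 3, 1, 10, 0)     # 1 March 2016 is a Tuesday
TUESDAY_5_01PM = datetime(2016, 3, 1, 17, 1)
SUNDAY_10AM = datetime(2016, 3, 6, 10, 0)

if __name__ == "__main__":
    cases = [
        ("profile range, outside trusted", SUPPORT, LoginAttempt("198.51.100.7", TUESDAY_10AM)),
        ("trusted, outside profile range", SUPPORT, LoginAttempt("203.0.113.5", TUESDAY_10AM)),
        ("after login hours", SUPPORT, LoginAttempt("198.51.100.7", TUESDAY_5_01PM)),
        ("new device, untrusted IP", UNRESTRICTED, LoginAttempt("192.0.2.9", TUESDAY_10AM)),
        ("new device, trusted IP", UNRESTRICTED, LoginAttempt("203.0.113.5", TUESDAY_10AM)),
        ("activated browser, new IP", UNRESTRICTED, LoginAttempt("192.0.2.9", TUESDAY_10AM, True)),
    ]
    for label, profile, attempt in cases:
        print(f"{label:32} -> {authorize_login(ORG, profile, attempt)}")
```

The function returns a decision and a reason rather than a bare boolean so that the two different "allowed" outcomes (profile range satisfied versus device activated) stay distinguishable; in practice that is what the login history and the user's experience (verification code or not) differ on. Note that nothing here models whether a denied attempt is written to login history; the thread's questions on that point are left as they stand.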
