Configuring your system for login notifications

Venafi Platform ships with two default email notifications for login security. These notifications help secure your environment by alerting users to successful login attempts from unknown IP addresses, as well as all unsuccessful login attempts. These notifications are enabled by default.

Each of these notifications is described below, followed by important configuration information if you are using a load balancer.

Login failure notification

Users should be alerted any time an attempt to log in to their account fails, in case somebody is trying to break into it. This notification triggers any time a login attempt to Venafi Platform fails, whether because of an incorrect password or another authentication issue.

The notification goes to the user whose username was used in the attempt (not necessarily the person who made it) and includes the IP address the attempt came from.

The notification rule in Policy Tree is called Login Failure.

The channel template in WinAdmin is called Email to Owner - Login Failure.

The subject of the email is "ACCOUNT LOGIN EVENT".

Successful login from unknown IP address notification

Sometimes you want users to be notified any time a login happens from an unknown IP address. This notification triggers when a user successfully logs in to Venafi Platform from a location (as determined by IP address) that has not been seen for that user before. It goes to the user who logged in and includes details of the login, including the source IP address. The notification matters because it lets users monitor logins from remote locations: if a user does not recognize a location, their credentials may have been compromised.

IP history is stored with each user's preferences, so if a user clears their preferences (User menu > My Account > Reset Settings & Preferences), their location history is also reset and their next login from any address triggers this notification.

The notification rule in Policy Tree is called Login Successful from Unknown Source.

The channel template in WinAdmin is called Email to Owner - Login Successful.

The subject of the email is "ACCOUNT LOGIN EVENT".

Showing the correct IP address when using a load balancer

If you are using a load balancer, you need to configure it to pass the original client IP address to the Venafi server in the X-Forwarded-For header. If the load balancer is not configured correctly, these notifications will show the IP address of the load balancer rather than the client's. This is especially important for the successful login notification: without the X-Forwarded-For header, every login appears to come from the load balancer, so no login is ever from an unknown IP address and the notification is essentially meaningless. Keep in mind that any client can send an X-Forwarded-For header of its own, so the load balancer should replace (or at least append to, never simply preserve) the value it receives, and the Venafi server should accept web traffic only from the load balancer; otherwise the logged address is under the client's control.

Logging the X-Forwarded-For header also provides better security logs for web activity that comes through a load balancer, and will help you troubleshoot your load balancer. (If you are not sure whether your load balancer is sending the X-Forwarded-For header, complete the IIS step below and then check the X-FORWARDED-FOR column in the IIS logs on your Venafi server: a value of "-" on every request means the header is not arriving.)

This is done in two steps: 1. Configure your load balancer to pass the client IP address in the X-Forwarded-For header; and 2. Configure your Venafi Server IIS settings to log the X-Forwarded-For header.

To configure your load balancer

  • Check your load balancer vendor documentation for specific steps on configuring the X-Forwarded-For header.

You can read reference information about the X-Forwarded-For header on MDN Web Docs.

To configure your Venafi server's IIS settings to log the X-Forwarded-For header

  1. Connect to your remote Venafi Server, and open Internet Information Services (IIS) Manager.

  2. In the Connections panel, expand Sites, and click Venafi.

  3. In the IIS group, double-click Logging.

  4. Under the Log File section, click the Select Fields button next to the Format: W3C dropdown.

  5. Click Add Field...

  6. Set the following values:

    Field         Value
    Field Name    X-FORWARDED-FOR
    Source Type   Request Header
    Source        X-FORWARDED-FOR
  7. Click OK to close the Edit Custom Field window.

  8. Click OK to close the W3C Logging Fields window.

  9. Restart IIS (for example, run iisreset from an elevated command prompt) so the new field is written to subsequent log entries.
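The same change scripted with the WebAdministration module, as an added example rather than a Venafi script: it assumes the site is named Venafi as in step 2, an elevated Windows PowerShell session on the Venafi server, and that the site already uses the W3C log format. It is safe to re-run because the field is only added when it is missing.

```powershell
# Added example, not a Venafi script: automates the IIS Manager steps above with the
# WebAdministration module (Windows PowerShell 5.1, elevated, on the Venafi server).
# Assumes the site is named 'Venafi' as in step 2.
Import-Module WebAdministration

$siteName  = 'Venafi'
$fieldName = 'X-FORWARDED-FOR'
$psPath    = 'MACHINE/WEBROOT/APPHOST'   # server-level applicationHost.config
$filter    = "system.applicationHost/sites/site[@name='$siteName']/logFile/customFields"

# Custom fields are only written for the W3C log format (the "Format: W3C" dropdown in step 4).
$logFormat = (Get-Item -Path "IIS:\Sites\$siteName").logFile.logFormat
if ($logFormat -ne 'W3C') {
    throw "Site '$siteName' uses log format '$logFormat'; set it to W3C before adding custom fields."
}

# Steps 5-8: add the field only if it is not already there, so the script can be re-run.
$existing = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@logFieldName='$fieldName']"
if ($existing) {
    Write-Host "Custom log field '$fieldName' is already configured for site '$siteName'."
} else {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{
        logFieldName = $fieldName       # Field Name
        sourceType   = 'RequestHeader'  # Source Type = Request Header
        sourceName   = $fieldName       # Source
    }
    Write-Host "Added custom log field '$fieldName' to site '$siteName'."
}

# Step 9: restart IIS so the new column is written to the log.
iisreset
```

WebAdministration is a Windows PowerShell module; under PowerShell 7 the equivalent is the IISAdministration module, and the Get-WebConfiguration check is what keeps a second run from adding a duplicate field.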

When IIS restarts, the correct IP addresses will appear in the login notification email messages for all users in your organization, and will be logged on the Venafi server.
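To confirm the result from the logs rather than the GUI, the following is an added PowerShell example (not Venafi's code) that parses W3C log lines carrying the X-FORWARDED-FOR column and derives the client address for each request. The log excerpt, the usernames and the load balancer address 10.0.0.5 are constructed for the example; in production, pass the lines of the current u_ex*.log file from the site's log directory and your real load balancer addresses instead.

```powershell
# Added example, not part of Venafi Platform: checks IIS W3C log lines for the
# X-FORWARDED-FOR custom field and derives the real client address per request.
# The sample log text, usernames and the load balancer address 10.0.0.5 are constructed.

function Get-ForwardedClientIp {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,       # lines of a W3C log file
        [Parameter(Mandatory)] [string[]] $TrustedProxies  # addresses of your load balancer(s)
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Column names; the custom field shows up here once IIS logs it
            $fields = $line.Substring('#Fields:'.Length).Trim() -split ' '
            continue
        }
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }

        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }

        $peer   = $row['c-ip']             # TCP peer IIS saw: the load balancer, if traffic goes through it
        $xff    = $row['X-FORWARDED-FOR']  # $null if the column is absent, '-' if the header was missing
        $client = $peer

        if ($null -eq $xff) {
            $status = 'no-column'          # custom field not configured, or IIS not restarted yet
        } elseif ($TrustedProxies -notcontains $peer) {
            $status = 'direct'             # bypassed the load balancer: any XFF is client-supplied, ignore it
        } elseif ($xff -eq '-') {
            $status = 'no-xff'             # came through the load balancer, but it did not insert the header
        } else {
            # XFF is "client, proxy1, proxy2, ..."; IIS writes spaces as '+'. Walk from the right
            # and skip our own proxies: the first address we did not add ourselves is the client.
            $hops = @((($xff -replace '\+', ' ') -split ',') | ForEach-Object { $_.Trim() })
            for ($j = $hops.Count - 1; $j -ge 0; $j--) {
                if ($TrustedProxies -notcontains $hops[$j]) { $client = $hops[$j]; break }
            }
            $status = 'ok'
        }

        [pscustomobject]@{
            Time     = "$($row['date']) $($row['time'])"
            User     = $row['cs-username']
            PeerIp   = $peer
            Xff      = $xff
            ClientIp = $client
            Status   = $status
        }
    }
}

# Constructed log excerpt in the shape IIS writes after the custom field is added.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status X-FORWARDED-FOR
2024-01-15 08:01:10 10.0.0.5 alice 10.0.0.20 POST / 200 203.0.113.7
2024-01-15 08:02:31 10.0.0.5 bob 10.0.0.20 POST / 401 -
2024-01-15 08:03:02 10.0.0.5 carol 10.0.0.20 POST / 200 198.51.100.9,+10.0.0.5
2024-01-15 08:04:45 192.0.2.66 dave 10.0.0.20 POST / 200 1.2.3.4
'@ -split "`r?`n"

$rows = Get-ForwardedClientIp -LogLines $sampleLog -TrustedProxies @('10.0.0.5')
$rows | Format-Table -AutoSize
$rows | Group-Object Status | Select-Object Name, Count

# Against a real log (assumed path): Get-ForwardedClientIp -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240115.log') -TrustedProxies @('10.0.0.5')
```

Reading the Status column: no-column on every row means the IIS custom field is not in effect yet (step 6 not saved, or IIS not restarted); no-xff on every row means traffic reaches IIS through the load balancer but the load balancer is not inserting the header; direct means the request did not come through the load balancer at all, so whatever X-Forwarded-For it carried was written by the client and must not be trusted. In the sample, alice and carol resolve to their real addresses (carol's entry shows the appended form, where the load balancer's own address is skipped from the right), bob's row shows a missing header, and dave's 1.2.3.4 is ignored because he connected directly.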