Login to user accounts with login tokens

Login tokens can be used to allow your support staff to log in to end-user mailboxes without knowing the password, so that they can diagnose POP3, IMAP4, Webmail, and SMTP problems.

You can create a login token through the Email section of the Control Panel or through the MAC.

Creating login tokens in the Control Panel

To create a login token in the Control Panel

1. In the Email section of the Control Panel, navigate to the user for whom you want to create a token.
For more information, see "Viewing Email user accounts"

2. Click the user name.

3. From the Actions drop-down list, choose Generate Token.

4. From the Type drop-down list, choose a session type:

  • Normal session—Used to access IMAP, POP, SMTP, and Web Mail via a standard login process; valid until the duration of the token expires.
  • Normal session with Admin—Used to access IMAP, POP, SMTP, and also Webmail, where a domain administrator gets access to the Domain Manager Admin tab.
  • SSO session—Used to create a standard login token for a single sign-on login request, bypassing the login page; becomes invalid after it is used once.
  • SSO session with Admin—Used to create a token that allows a mailbox set as a domain administrator to be logged using single sign-on methodology with access to the Domain Manager Admin tab.
  • Admin-only session—Sign on as administrator.

5. In the Token field, enter the token that you want to use. The token behaves like a password. If this value is not submitted, a random token is generated.

6. In the Reason field, enter the reason that you need to create a token.
We recommend that you enter a problem ticket number, if available.

7. In the Token Durationdrop-down list, choose the number of hours for which the token is valid: 1, 2, 4, 8, or 24 hours.

8. Click Generate Token.

9. Click the generated link, Login to webmail, to open Webmail in a new tab, or use the login token that you specified to authenticate to POP3 or IMAP4.

Creating login tokens in the MAC

To create a login token in the MAC

1. Log in to the Mail Administration Console (MAC).
For more information, see "What is the MAC?"

2. Locate the user that you want to view. For more information, see “Searching in the Mail Administration Console (MAC)”.

3. Click the user name.

4. On the Settings page, expand the Tools & Status section, and click Generate Token.
The Generate Token dialog appears.

5. From the Type drop-down list, choose a session type:

  • Normal session—Used to access IMAP, POP, SMTP, and Web Mail via a standard login process; valid until the duration of the token expires.
  • Normal session with Admin—Used to access IMAP, POP, SMTP, and also Webmail, where a domain administrator gets access to the Domain Manager Admin tab.
  • SSO session—Used to create a standard login token for a single sign-on login request, bypassing the login page; becomes invalid after it is used once.
  • SSO session with Admin—Used to create a token that allows a mailbox set as a domain administrator to be logged using single sign-on methodology with access to the Domain Manager Admin tab.
  • Admin-only session—Sign on as administrator.

6. In the Token field, enter the token that you want to use. The token behaves like a password. If this value is not submitted, a random token is generated.

7. In the Reason field, enter the reason that you need to create a token.
We recommend that you enter a problem ticket number, if available.

8. In the Token Durationdrop-down list, choose the number of hours for which the token is valid: 1, 2, 4, 8, or 24 hours.

9. Click Generate Token.

10. Click the generated link to open Webmail in a new tab, or use the login token that you specified to authenticate to POP3 or IMAP4.

If the token cannot be created, you might see one of the following error messages:

Error messageMeaning
error: user does not existNon-existing or incorrect user account
error: permission deniedDomain not under control of reseller
error: failed to save tokenAdmin email address or password incorrect

Validate password

If a user is not sure whether they have the correct password, you can use this field to validate the password.

To verify the user's password, click Validate Password, enter what the user thinks is their password, and then click Validate. A message appears that lets you know whether the password is correct or incorrect.

Creating login tokens with a URL

The login token can be created by a MAC URL with proper credentials and the email address of the user for whom you are creating the token.

The format of the MAC URL is:

https://admin.<cluster>.hostedemail.com/tools/sso?
admin=admin@domain.com&pass=
adminpassword&user=user@domain.com

 

Options

There are two optional parameters you can use:

  • life
  • locale

life

You can add

&life=seconds

to the end of the URL to indicate the number of seconds for which the token is valid. If not specified, the default expiry time of 24 hours (86400 seconds) is applied.

The maximum life is 31 days (744 hours or 2678400), and any larger value will be capped at 2678400 seconds.

Example:

wget -q -O -"https://admin.<cluster>.hostedemail.com/tools/sso?admin=admin@domain.com&pass=
PASSWORD&user=user@domain.com&life=7200"
returns:
success: token generated<br>
token: [9c31fee7d811695f59f1e3c313642cf3]<br>
expires: [1202349940]<br>

locale

You can add

&locale=<option>

where option= is one of:

  • da (Danish)
  • de (German)
  • el (Greek)
  • en (English)
  • es (Spanish)
  • fr (French)
  • it (Italian)
  • nl (Dutch)
  • no (Norwegian)
  • pt_BR (Brazilian Portuguese)
  • sv (Swedish)

Example:

wget -q -O -"https://admin.<cluster>.hostedemail.com/tools/sso?
admin=admin@domain.com&pass=
PASSWORD&locale=de&user=user@domain.com&life=7200"

returns

success: token generated<br>
token: [9c31fee7d811695f59f1e3c313642cf3]<br>

 

Security

Login token creation works for Mail, Domain, and Company Administrators.

Mail Administrators are the recommended creators, as they have the minimum privileges required for the task.

How to use the login token

Wherever a password would normally be entered, the token can be used instead (that is, to load the Webmail main UI by passing the token for the password field.)

Login tokens can be used for Webmail, POP3,  IMAP4 and SMTP logins.

The only service for which they will not work is SMTP AUTH, as it performs its own encrypted password comparisons.

Login tokens and password change

Implementing login tokens is not compatible with the Password Change option.

Sample URL

The following example sends the user to Standard AJAX Webmail if their browser is supported by the AJAX interface (otherwise, you get the Basic interface, if it is supported).

By using mail.<your_domain>.<tld>, the user is brought to your branded login page when they log out.

https://mail.<your_domain>.<tld>/mail?
type=a&domainID=<your_domain>.<tld>&user=<username>
%40<your_domain>.<tld>&pass=9c31fee7d811695f59f1e3c313642cf3

Note: The '@' sign must be encoded as %40 or else it won't work.

The following optional parameters can also be included:

  • logout_redirect=URL—Sets the logout redirection.
  • direct=1—Suppresses the logo on login.

Note: The logout_redirect parameter can only be used in conjumction with the direct parameter. Otherwise, the URL could be hijacked to direct an end user to another location instead. Logout redirects can be configured via branding as well, without this limitation.

Was this article helpful? 0 out of 0 found this helpful
Have more questions? Submit a request