diff --git a/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml b/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
index a14e08780..09d9709ec 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
@@ -25,11 +25,10 @@
                 <All url="/system_groupmanager.php*" visibility="hidden"/>
                 <Privileges url="/system_groupmanager_addprivs.php*" visibility="hidden"/>
             </Groups>
-            <Settings order="30" url="/system_usermanager_settings.php"/>
-            <Servers order="40" url="/system_authservers.php">
+            <Servers order="30" url="/system_authservers.php">
                 <Edit url="/system_authservers.php*" visibility="hidden"/>
             </Servers>
-            <Tester order="50" url="/diag_authentication.php"/>
+            <Tester order="40" url="/diag_authentication.php"/>
         </Access>
         <Configuration cssClass="fa fa-history fa-fw">
             <Backups url="/diag_backup.php"/>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
index 5b5d7f9e0..6c9ef732e 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
@@ -632,6 +632,7 @@
         <name>System: Authentication Servers</name>
         <patterns>
             <pattern>system_authservers.php*</pattern>
+            <pattern>system_usermanager_settings_ldapacpicker.php*</pattern>
         </patterns>
     </page-system-authservers>
     <page-system-camanager>
@@ -733,12 +734,6 @@
             <pattern>system_usermanager_addprivs.php?user*</pattern>
         </patterns>
     </page-system-usermanager-addprivs>
-    <page-system-usermanager-settings>
-        <name>System: User Manager: settings</name>
-        <patterns>
-            <pattern>system_usermanager_settings.php*</pattern>
-        </patterns>
-    </page-system-usermanager-settings>
     <page-system-usermanager-settings-testldap>
         <name>System: User Manager: Settings: Test LDAP</name>
         <patterns>
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index 94e5ee1af..82101bf13 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -5,6 +5,7 @@
  * Copyright (C) 2014-2015 Deciso B.V.
  * Copyright (C) 2005-2010 Scott Ullrich <sullrich@gmail.com>
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * Copyright (C) 2007 Bill Marquette <bill.marquette@gmail.com>
  * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
  * All rights reserved.
  *
@@ -36,10 +37,20 @@ require_once("system.inc");
 require_once("services.inc");
 
 $a_group = &config_read_array('system', 'group');
+$a_authmode = auth_get_authserver_list();
 
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig = array();
+    foreach (array('session_timeout', 'password_policy_duration', 'enable_password_policy_constraints',
+        'password_policy_complexity', 'password_policy_length') as $fieldname) {
+        if (!empty($config['system']['webgui'][$fieldname])) {
+            $pconfig[$fieldname] = $config['system']['webgui'][$fieldname];
+        } else {
+            $pconfig[$fieldname] = null;
+        }
+    }
     $pconfig['webguiinterfaces'] = !empty($config['system']['webgui']['interfaces']) ? explode(',', $config['system']['webgui']['interfaces']) : array();
+    $pconfig['authmode'] = !empty($config['system']['webgui']['authmode']) ? explode(',', $config['system']['webgui']['authmode']) : array();
     $pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
     $pconfig['webguiport'] = $config['system']['webgui']['port'];
     $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
@@ -90,6 +101,18 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $input_errors[] = gettext('You must specify a valid SSH port number.');
     }
 
+    if (!empty($pconfig['session_timeout']) && (!is_numeric($pconfig['session_timeout']) || $pconfig['session_timeout'] <= 0)) {
+        $input_errors[] = gettext('Session timeout must be an integer value.');
+    }
+
+    if (!empty($pconfig['authmode'])) {
+        foreach ($pconfig['authmode'] as $auth_mode) {
+            if (!isset($a_authmode[$auth_mode])) {
+                $input_errors[] = sprintf(gettext('Authentication server "%s" is invalid.'), $auth_mode);
+            }
+        }
+    }
+
     if (count($input_errors) == 0) {
         $newinterfaces = !empty($pconfig['webguiinterfaces']) ? implode(',', $pconfig['webguiinterfaces']) : '';
         $newciphers = !empty($pconfig['ssl-ciphers']) ? implode(':', $pconfig['ssl-ciphers']) : '';
@@ -187,6 +210,21 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             unset($config['system']['webgui']['althostnames']);
         }
 
+        foreach (array('session_timeout', 'password_policy_duration', 'enable_password_policy_constraints',
+           'password_policy_complexity', 'password_policy_length') as $fieldname) {
+            if (!empty($pconfig[$fieldname])) {
+                $config['system']['webgui'][$fieldname] = $pconfig[$fieldname];
+            } elseif (isset($config['system']['webgui'][$fieldname])) {
+                unset($config['system']['webgui'][$fieldname]);
+            }
+        }
+
+        if (!empty($pconfig['authmode'])) {
+            $config['system']['webgui']['authmode'] = implode(',', $pconfig['authmode']);
+        } elseif (isset($config['system']['webgui']['authmode'])) {
+            unset($config['system']['webgui']['authmode']);
+        }
+
         /* always store setting to prevent installer auto-start */
         $config['system']['ssh']['noauto'] = 1;
 
@@ -367,6 +405,25 @@ $(document).ready(function() {
   });
 </script>
 
+<style>
+    .password_policy_constraints {
+        display:none;
+    }
+</style>
+
+<script>
+    $(document).ready(function() {
+        $("#enable_password_policy_constraints").change(function(){
+            if ($("#enable_password_policy_constraints").prop('checked')) {
+                $(".password_policy_constraints").show();
+            } else {
+                $(".password_policy_constraints").hide();
+            }
+        });
+        $("#enable_password_policy_constraints").change();
+    });
+</script>
+
 <section class="page-content-main">
   <div class="container-fluid">
     <div class="row">
@@ -652,7 +709,7 @@ $(document).ready(function() {
           <div class="content-box tab-content table-responsive __mb">
             <table class="table table-striped opnsense_standard_table_form">
               <tr>
-                <td style="width:22%"><strong><?= gettext('Console Options') ?></strong></td>
+                <td style="width:22%"><strong><?= gettext('Console') ?></strong></td>
                 <td style="width:78%"></td>
               </tr>
               <tr>
@@ -736,6 +793,93 @@ $(document).ready(function() {
               </tr>
             </table>
           </div>
+          <div class="content-box tab-content table-responsive __mb">
+            <table class="table table-striped opnsense_standard_table_form">
+              <tr>
+                <td style="width:22%"><strong><?= gettext('Authentication') ?></strong></td>
+                <td style="width:78%"></td>
+              </tr>
+              <tr>
+                <td><a id="help_for_authmode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Server') ?></td>
+                <td>
+                  <select name="authmode[]" multiple="multiple" class="selectpicker" data-style="btn-default">
+<?php
+                  foreach ($a_authmode as $auth_key => $auth_server): ?>
+                    <option value="<?= html_safe($auth_key) ?>" <?= in_array($auth_key, $pconfig['authmode']) ? 'selected="selected"' : '' ?>>
+                      <?= html_safe($auth_server['name']) ?>
+                    </option>
+<?php
+                  endforeach ?>
+                  </select>
+                  <div class="hidden" data-for="help_for_authmode">
+                    <?= gettext('Select one or more authentication servers to validate user credentials against. ' .
+                        'Multiple servers can make sense with remote authentication methods to provide a fallback ' .
+                        'during connectivity issues. When nothing is specified the default of "Local Database" is used.') ?>
+                  </div>
+                </td>
+              </tr>
+              <tr>
+                <td><a id="help_for_session_timeout" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Timeout') ?></td>
+                <td>
+                  <input class="form-control" name="session_timeout" id="session_timeout" type="text" placeholder="240" value="<?=$pconfig['session_timeout'];?>" />
+                  <div class="hidden" data-for="help_for_session_timeout">
+                    <?= gettext('Time in minutes to expire idle management sessions. The default is 4 hours (240 minutes).') ?>
+                  </div>
+                </td>
+              </tr>
+              <tr>
+                <td><a id="help_for_enable_password_policy_constraints" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Policy'); ?></td>
+                <td>
+                  <input id="enable_password_policy_constraints" name="enable_password_policy_constraints" type="checkbox"  <?= empty($pconfig['enable_password_policy_constraints']) ? '' : 'checked="checked"';?> />
+                  <?= gettext('Enable password policy constraints') ?>
+                  <div class="hidden" data-for="help_for_enable_password_policy_constraints">
+                    <?= gettext('Use hardened security policies for local accounts. Methods other than local these will usually be configured by the respective provider (e.g. LDAP, RADIUS, ...).');?>
+                  </div>
+                </td>
+              </tr>
+              <tr class="password_policy_constraints">
+              <td><a id="help_for_password_policy_duration" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Duration'); ?></td>
+                  <td>
+                      <select id="password_policy_duration" name="password_policy_duration" class="selectpicker" data-style="btn-default">
+                          <option <?=empty($pconfig['password_policy_duration']) ? "selected=\"selected\"" : "";?> value="0"><?=gettext("Disable");?></option>
+                          <option <?=$pconfig['password_policy_duration'] == '30' ? "selected=\"selected\"" : "";?> value="30"><?=sprintf(gettext("%d days"), "30");?></option>
+                          <option <?=$pconfig['password_policy_duration'] == '90' ? "selected=\"selected\"" : "";?> value="90"><?=sprintf(gettext("%d days"), "90");?></option>
+                          <option <?=$pconfig['password_policy_duration'] == '180' ? "selected=\"selected\"" : "";?> value="180"><?=sprintf(gettext("%d days"), "180");?></option>
+                          <option <?=$pconfig['password_policy_duration'] == '360' ? "selected=\"selected\"" : "";?> value="360"><?=sprintf(gettext("%d days"), "360");?></option>
+                      </select>
+                      <div class="hidden" data-for="help_for_password_policy_duration">
+                        <?= gettext("Password duration settings, the interval in days in which passwords stay valid. ".
+                                    "When reached, the user will be forced to change his or her password before continuing.");?>
+                      </div>
+                  </td>
+              </tr>
+              <tr class="password_policy_constraints">
+                  <td><a id="help_for_password_policy_length" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Length'); ?></td>
+                  <td>
+                      <select id="password_policy_length" name="password_policy_length" class="selectpicker" data-style="btn-default">
+                          <option <?=empty($pconfig['password_policy_length'])  || $pconfig['password_policy_length'] == '8' ? "selected=\"selected\"" : "";?> value="8">8</option>
+                          <option <?=$pconfig['password_policy_length'] == '10' ? "selected=\"selected\"" : "";?> value="10">10</option>
+                          <option <?=$pconfig['password_policy_length'] == '12' ? "selected=\"selected\"" : "";?> value="12">12</option>
+                          <option <?=$pconfig['password_policy_length'] == '14' ? "selected=\"selected\"" : "";?> value="14">14</option>
+                          <option <?=$pconfig['password_policy_length'] == '16' ? "selected=\"selected\"" : "";?> value="16">16</option>
+                      </select>
+                      <div class="hidden" data-for="help_for_password_policy_length">
+                        <?= gettext("Sets the minimum length for a password");?>
+                      </div>
+                  </td>
+              </tr>
+              <tr class="password_policy_constraints">
+                <td><a id="help_for_password_policy_complexity" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Complexity'); ?></td>
+                <td>
+                  <input id="password_policy_complexity" name="password_policy_complexity" type="checkbox"  <?= empty($pconfig['password_policy_complexity']) ? '' : 'checked="checked"';?> />
+                  <?= gettext('Enable complexity requirements') ?>
+                  <div class="hidden" data-for="help_for_password_policy_complexity">
+                    <?= gettext("Require passwords to meet complexity rules");?>
+                  </div>
+                </td>
+              </tr>
+            </table>
+          </div>
           <div class="content-box tab-content table-responsive">
             <table class="table table-striped opnsense_standard_table_form">
               <tr>
diff --git a/src/www/system_usermanager_settings.php b/src/www/system_usermanager_settings.php
index 86df309a2..e89a53979 100644
--- a/src/www/system_usermanager_settings.php
+++ b/src/www/system_usermanager_settings.php
@@ -31,52 +31,14 @@
 require_once("guiconfig.inc");
 
 $save_and_test = false;
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    $pconfig = array();
-    foreach (array('session_timeout', 'password_policy_duration',
-                   'enable_password_policy_constraints',
-                   'password_policy_complexity', 'password_policy_length') as $fieldname) {
-        if (!empty($config['system']['webgui'][$fieldname])) {
-            $pconfig[$fieldname] = $config['system']['webgui'][$fieldname];
-        } else {
-            $pconfig[$fieldname] = null;
-        }
-    }
-    $pconfig['authmode'] = !empty($config['system']['webgui']['authmode']) ? explode(',', $config['system']['webgui']['authmode']) : array();
-} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $pconfig = $_POST;
-    $input_errors = array();
-    if (!empty($pconfig['session_timeout']) && (!is_numeric($pconfig['session_timeout']) || $pconfig['session_timeout'] <= 0)) {
-        $input_errors[] = gettext("Session timeout must be an integer value.");
-    }
 
-    if (count($input_errors) == 0) {
-        $authsrv = auth_get_authserver($pconfig['authmode']);
-        if (!empty($pconfig['savetest'])) {
-            # XXX this needs repairing...
-            if ($authsrv['type'] == "ldap") {
-                $save_and_test = true;
-            } else {
-                $savemsg = gettext("The test was not performed because it is supported only for ldap based backends.");
-            }
-        }
-
-        foreach (array('session_timeout', 'password_policy_duration', 'enable_password_policy_constraints',
-                       'password_policy_complexity', 'password_policy_length') as $fieldname) {
-            if (!empty($pconfig[$fieldname])) {
-                $config['system']['webgui'][$fieldname] = $pconfig[$fieldname];
-            } elseif (isset($config['system']['webgui'][$fieldname])) {
-                unset($config['system']['webgui'][$fieldname]);
-            }
-        }
-
-        if (!empty($pconfig['authmode'])) {
-            $config['system']['webgui']['authmode'] = implode(',', $pconfig['authmode']);
-        } elseif (isset($config['system']['webgui']['authmode'])) {
-            unset($config['system']['webgui']['authmode']);
-        }
-
-        write_config();
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    # XXX this needs repairing, can also be a list
+    $authsrv = auth_get_authserver($config['system']['webgui']['authmode']);
+    if ($authsrv['type'] == 'ldap') {
+        $save_and_test = true;
+    } else {
+        $savemsg = gettext('The test was not performed because it is supported only for LDAP-based backends.');
     }
 }
 
@@ -86,24 +48,6 @@ include("head.inc");
 ?>
 <body>
 
-<style>
-    .password_policy_constraints {
-        display:none;
-    }
-</style>
-<script>
-    $(document).ready(function() {
-        $("#enable_password_policy_constraints").change(function(){
-            if ($("#enable_password_policy_constraints").prop('checked')) {
-                $(".password_policy_constraints").show();
-            } else {
-                $(".password_policy_constraints").hide();
-            }
-        });
-        $("#enable_password_policy_constraints").change();
-    });
-
-</script>
 <?php
 if ($save_and_test):?>
 <script>
@@ -117,104 +61,15 @@ endif;?>
     <div class="container-fluid">
       <div class="row">
 <?php
-      if (isset($input_errors) && count($input_errors) > 0) {
-        print_input_errors($input_errors);
-      }
       if (isset($savemsg)) {
         print_info_box($savemsg);
       }
 ?>
         <section class="col-xs-12">
-          <div class="tab-content content-box col-xs-12 table-responsive">
-            <form method="post">
-              <table class="table table-striped opnsense_standard_table_form">
-                <tr>
-                  <td style="width:22%"><a id="help_for_session_timeout" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Session Timeout"); ?></td>
-                  <td style="width:78%">
-                    <input class="form-control" name="session_timeout" id="session_timeout" type="text" size="8" value="<?=$pconfig['session_timeout'];?>" />
-                    <div class="hidden" data-for="help_for_session_timeout">
-                      <?=gettext("Time in minutes to expire idle management sessions. The default is 4 hours (240 minutes).");?><br />
-                      <?=gettext("Enter 0 to never expire sessions. NOTE: This is a security risk!");?><br />
-                    </div>
-                  </td>
-                </tr>
-                <tr>
-                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Authentication Server"); ?></td>
-                  <td>
-                      <select name="authmode[]" multiple="multiple" class="selectpicker" data-style="btn-default">
-<?php
-                      foreach (auth_get_authserver_list() as $auth_key => $auth_server) :?>
-                        <option value="<?= $auth_key ?>" <?= in_array($auth_key, $pconfig['authmode']) ? 'selected="selected"' : '' ?>>
-                          <?=htmlspecialchars($auth_server['name']);?>
-                        </option>
-<?php
-                      endforeach; ?>
-                      </select>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_enable_password_policy_constraints" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Policy'); ?></td>
-                    <td>
-                      <input id="enable_password_policy_constraints" name="enable_password_policy_constraints" type="checkbox"  <?= empty($pconfig['enable_password_policy_constraints']) ? '' : 'checked="checked"';?> />
-                      <strong><?= gettext('Enable password policy constraints') ?></strong>
-                      <div class="hidden" data-for="help_for_enable_password_policy_constraints">
-                        <?= gettext("Harden security on local accounts, for methods other then local these will usually be configured on the " .
-                                            "respective provider (e.g. ldap/radius/..). ");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="password_policy_constraints">
-                      <td><a id="help_for_password_policy_duration" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Duration'); ?></td>
-                      <td>
-                          <select id="password_policy_duration" name="password_policy_duration" class="selectpicker" data-style="btn-default">
-                              <option <?=empty($pconfig['password_policy_duration']) ? "selected=\"selected\"" : "";?> value="0"><?=gettext("Disable");?></option>
-                              <option <?=$pconfig['password_policy_duration'] == '30' ? "selected=\"selected\"" : "";?> value="30"><?=sprintf(gettext("%d days"), "30");?></option>
-                              <option <?=$pconfig['password_policy_duration'] == '90' ? "selected=\"selected\"" : "";?> value="90"><?=sprintf(gettext("%d days"), "90");?></option>
-                              <option <?=$pconfig['password_policy_duration'] == '180' ? "selected=\"selected\"" : "";?> value="180"><?=sprintf(gettext("%d days"), "180");?></option>
-                              <option <?=$pconfig['password_policy_duration'] == '360' ? "selected=\"selected\"" : "";?> value="360"><?=sprintf(gettext("%d days"), "360");?></option>
-                          </select>
-                          <div class="hidden" data-for="help_for_password_policy_duration">
-                            <?= gettext("Password duration settings, the interval in days in which passwords stay valid. ".
-                                        "When reached, the user will be forced to change his or her password before continuing.");?>
-                          </div>
-                      </td>
-                  </tr>
-                  <tr class="password_policy_constraints">
-                      <td><a id="help_for_password_policy_length" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Length'); ?></td>
-                      <td>
-                          <select id="password_policy_length" name="password_policy_length" class="selectpicker" data-style="btn-default">
-                              <option <?=empty($pconfig['password_policy_length'])  || $pconfig['password_policy_length'] == '8' ? "selected=\"selected\"" : "";?> value="8">8</option>
-                              <option <?=$pconfig['password_policy_length'] == '10' ? "selected=\"selected\"" : "";?> value="10">10</option>
-                              <option <?=$pconfig['password_policy_length'] == '12' ? "selected=\"selected\"" : "";?> value="12">12</option>
-                              <option <?=$pconfig['password_policy_length'] == '14' ? "selected=\"selected\"" : "";?> value="14">14</option>
-                              <option <?=$pconfig['password_policy_length'] == '16' ? "selected=\"selected\"" : "";?> value="16">16</option>
-                          </select>
-                          <div class="hidden" data-for="help_for_password_policy_length">
-                            <?= gettext("Sets the minimum length for a password");?>
-                          </div>
-                      </td>
-                  </tr>
-                  <tr class="password_policy_constraints">
-                    <td><a id="help_for_password_policy_complexity" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Complexity'); ?></td>
-                    <td>
-                      <input id="password_policy_complexity" name="password_policy_complexity" type="checkbox"  <?= empty($pconfig['password_policy_complexity']) ? '' : 'checked="checked"';?> />
-                      <strong><?= gettext('Enable complexity requirements') ?></strong>
-                      <div class="hidden" data-for="help_for_password_policy_complexity">
-                        <?= gettext("Require passwords to meet complexity rules");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td></td>
-                    <td>
-                      <input name="save" type="submit" class="btn btn-primary" value="<?=gettext("Save");?>" />
-                      <input name="savetest" type="submit" class="btn btn-default" value="<?=gettext("Save and Test");?>" />
-                    </td>
-                  </tr>
-                </table>
-              </form>
-            </div>
-          </section>
+          <form method="post">
+            <button type="submit" class="btn btn-default">Start LDAP Test</button>
+          </form>
+        </section>
       </div>
     </div>
   </section>