  • SSO : How to deal with “Your Account is Locked”

    Posted by "" in "sso" on 2008-05-15

    You have applications (E-Business Suite 11i/R12, Portal, Discoverer, BI Publisher) integrated with Oracle Single Sign-On (SSO), and users complain that they receive the message “Your Account is Locked“. Here are a few things which can help you in understanding this.

    First thing to do in case “User account is locked”
    You should know how to unlock an SSO account. These are the various ways in which you can unlock an account:
    1. Using OIDDAS : OIDDAS (Delegated Administrative Services). Login as superuser orcladmin (or an account with access to unlock/change passwords) >> select Directory tab >> enter User Name >> select Unlock Account

    2. Using ODM : Oracle Directory Manager is a Java-based tool to manage users. More can be found here. Go to the user’s entry and in the right pane reset the user password. (Resetting the password will unlock the account.)

    3. Using ldapmodify : add the attribute “orclpwdaccountunlock” to the user account and set its value to 1 using ldapmodify.

    4. Using Portal: If you are using Oracle Portal with SSO, then reset the password using the Portal User Account portlet. (Resetting the password will unlock the account.)

    Where are account locking rules defined
    The next thing to identify is where the account lock rules are defined.
    — Account lock rules are defined in the Password Policy in OID. (Did you know that from OID 10.1.4.1 you can use a different password policy at leaf level in OID?)
    — To check your password policy, login to OIDADMIN using orcladmin and go to
    Password Policy Management -> Password Policy for Realm ..<Your Realm Name>.. >> click on the Account Lockout tab in the right pane

    SSO Account Lock

    – A user account can be locked only if “Global Lockout” is enabled and the user tries a wrong password the number of times defined in “Password Maximum Failure” within the “Password Failure Count Interval”.
    To understand it, let’s assume:
    A) If “Password Maximum Failure” is set to 10 and “Password Failure Count Interval” is set to 0, then 10 consecutive wrong passwords will lock the user account.

    B) If “Password Maximum Failure” is set to 10 and “Password Failure Count Interval” is set to 20, then 10 consecutive wrong passwords within 20 seconds will lock the user account.

    – Another reason for an account lock is the “Password Expiry Time” defined in the Password Policy. A user account can lock after the password expiry time.

    Note *

    The account will remain locked for the time specified by “Global Lockout Duration” (default is 86400 sec, i.e. 1 day) unless unlocked by an Admin.
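    To make cases A and B concrete, here is an added Python script (not from the original post, and not Oracle’s implementation) that replays a list of bind attempts against a policy built from the settings named above: Password Maximum Failure, Password Failure Count Interval, Global Lockout and Global Lockout Duration. The policy field names, the rule that a successful bind resets the failure counter, and the sample attempt timings are assumptions made for the example; the numbers 10, 0, 20 and 86400 are the page’s own.

```python
"""Replay bind attempts against OID-style lockout settings (added example)."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    global_lockout: bool = True        # "Global Lockout" enabled
    max_failure: int = 10              # "Password Maximum Failure"
    failure_count_interval: int = 0    # seconds; 0 = failures never age out
    lockout_duration: int = 86400      # "Global Lockout Duration" (1 day)


def evaluate(policy, events, now):
    """Return (locked, lock_expires_at) for the account at time `now`.

    events: chronological list of (epoch_seconds, succeeded) bind attempts.
    Simplified model of the rules on this page: with interval 0 every
    failure counts until a successful bind; with interval N a failure is
    forgotten N seconds after it happened. Assumption: attempts made while
    the account is locked neither extend nor shorten the lock.
    """
    if not policy.global_lockout:
        return False, None

    failures = []          # timestamps of failures still being counted
    lock_time = None       # when the current lock started, if any

    for t, ok in events:
        if lock_time is not None:
            if t < lock_time + policy.lockout_duration:
                continue   # still locked: attempt ignored
            lock_time = None   # lock expired; counter starts fresh
            failures = []
        if ok:
            failures = []      # successful bind resets the counter
            continue
        failures.append(t)
        if policy.failure_count_interval > 0:
            # drop failures older than the interval relative to this one
            failures = [f for f in failures
                        if t - f < policy.failure_count_interval]
        if len(failures) >= policy.max_failure:
            lock_time = t
            failures = []

    if lock_time is None:
        return False, None
    expires = lock_time + policy.lockout_duration
    if now >= expires:
        return False, None   # lock has run out: auto-unlocked
    return True, expires


if __name__ == "__main__":
    case_a = LockoutPolicy(max_failure=10, failure_count_interval=0)
    case_b = LockoutPolicy(max_failure=10, failure_count_interval=20)
    slow = [(i * 100, False) for i in range(10)]   # one bad password per 100 s
    fast = [(i, False) for i in range(10)]         # ten bad passwords in 10 s
    print("A, slow:", evaluate(case_a, slow, now=1000))   # locked
    print("B, slow:", evaluate(case_b, slow, now=1000))   # not locked
    print("B, fast:", evaluate(case_b, fast, now=1000))   # locked
```

    The same replay shows why the interval matters for administrative accounts: under case A a handful of wrong attempts spread over a working day is enough to lock an account, while under case B the attempts have to come in a burst.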

    -

    How to prevent Administrative Accounts getting locked

    You can create another password policy (possible only from OID 10.1.4 and higher) with “Global Lockout” disabled and attach the new password policy to the administrative accounts.


    Finally, if your superuser “orcladmin” itself is locked
    A) If a superuser account like “orcladmin” is locked you can unlock it like this:
    oidpasswd [connect=<OID schema database connect string>] unlock_su_acct=true

    P.S. There are two orcladmin accounts, one cn=orcladmin and the other cn=orcladmin,cn=users,dc=<your domain> (oidpasswd is required to reset the password for cn=orcladmin).
    B) If the ods schema password (this schema holds the OID data) is locked then you can unlock it using
    SQL> alter user ods account unlock;

    C) If for some reason you forgot the ods password (the default password is the same as orcladmin or ias_admin) then you can reset it using Metalink note # 472752.1 How to Unlock/Reset Super User cn=orcladmin When the ODS’s Password Has Been Forgotten ?

    -

    How to track Failed Login Attempts

    If you are getting too many accounts locked and you would like to know whether these are from users or someone else (hacker):
    1. You can track failed login attempts from the iAS console

    Login to the iAS Console of the SSO server like http://hostname:<em_port>/emd (ias_admin/<passwd>)
    Click on “Single Sign-On:orasso”

    Check failed logins under “Login Failures During The Last 24 Hours”
    2. Use the query below to list failed login attempts in the last 7 days, including the client IP address, on your Single Sign-On Server

    select USER_NAME||' - '||MESSAGE||' - '||to_char(LOG_DATE,'dd.mm.yyyy hh24:mi:ss')||' - '||IP_ADDRESS "Login Failures"
    from ORASSO.WWSSO_AUDIT_LOG_TABLE$
    where log_date > (sysdate - 7)
    and MESSAGE = 'Login failed'
    order by log_date;
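    As an added example (not part of the original post), the following Python script applies the same filter as the query above, “Login failed” rows from the last 7 days, to a few constructed rows in the shape of the columns the query reads from WWSSO_AUDIT_LOG_TABLE$ (USER_NAME, MESSAGE, LOG_DATE, IP_ADDRESS), and then groups the failures by client IP. That grouping answers the question this section raises: one user repeatedly mistyping their own password shows up as one account from one address, while one address failing against many different accounts points at someone other than the users. The sample rows, user names, addresses and the threshold of three distinct accounts are all constructed assumptions.

```python
"""Group SSO login failures by source address (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (USER_NAME, MESSAGE, LOG_DATE, IP_ADDRESS).
# Not real audit data; the shape mirrors the columns the SQL query reads.
NOW = datetime(2008, 5, 15, 12, 0, 0)
SAMPLE_ROWS = [
    ("JSMITH",   "Login failed",     NOW - timedelta(hours=2),             "10.1.1.25"),
    ("JSMITH",   "Login failed",     NOW - timedelta(hours=1, minutes=59), "10.1.1.25"),
    ("JSMITH",   "Login successful", NOW - timedelta(hours=1, minutes=55), "10.1.1.25"),
    ("AKUMAR",   "Login failed",     NOW - timedelta(minutes=30),          "10.1.1.40"),
    ("JSMITH",   "Login failed",     NOW - timedelta(minutes=10),          "192.0.2.77"),
    ("AKUMAR",   "Login failed",     NOW - timedelta(minutes=9),           "192.0.2.77"),
    ("PLE",      "Login failed",     NOW - timedelta(minutes=8),           "192.0.2.77"),
    ("SYSADMIN", "Login failed",     NOW - timedelta(minutes=7),           "192.0.2.77"),
    ("OLDUSER",  "Login failed",     NOW - timedelta(days=9),              "10.1.1.5"),  # outside window
]


def failed_logins(rows, now=NOW, days=7):
    """Same filter as the SQL: MESSAGE = 'Login failed' and LOG_DATE > now - days."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r[1] == "Login failed" and r[2] > cutoff]


def failures_by_source(rows):
    """Map IP address -> (failure count, set of distinct user names it failed against)."""
    per_ip = defaultdict(lambda: [0, set()])
    for user, _message, _when, ip in rows:
        per_ip[ip][0] += 1
        per_ip[ip][1].add(user)
    return {ip: (count, users) for ip, (count, users) in per_ip.items()}


def suspicious_sources(by_ip, min_users=3):
    """Addresses failing against at least `min_users` different accounts.

    A genuine user forgetting a password fails against one account; one
    address touching many accounts is the pattern worth investigating and
    a reason to look at the lockout policy rather than just unlocking users.
    """
    return sorted(ip for ip, (_count, users) in by_ip.items() if len(users) >= min_users)


def report(rows, now=NOW):
    """Summarise the window: total failures, per-IP breakdown, flagged sources."""
    failed = failed_logins(rows, now)
    by_ip = failures_by_source(failed)
    return {
        "total_failures": len(failed),
        "by_ip": {ip: (count, sorted(users)) for ip, (count, users) in by_ip.items()},
        "suspicious": suspicious_sources(by_ip),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

    In practice the rows would come from the query above (spooled to a file, or fetched with a database driver) rather than the constructed list; the grouping logic stays the same.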

    – 

    Related

    Password Policy in OID/SSO 
    275104.1 - How To Unlock User Accounts in Portal
    251354.1 -OID Superuser Password Locked: How to Unlock the orcladmin Password
    204900.1 -What oidpasswd Utility Does and the Objects it Modifies (ODS and ODSCOMMON)
    472752.1 -How to Unlock/Reset Super User cn=orcladmin When the ODS’s Password Has Been Forgotten ?

    19 Responses to “SSO : How to deal with “Your Account is Locked””

    1. Syed says:

      Unable to link account. This E-Business Suite user account is marked as a local account.

      Dear Atul, I am implementing SSO on R12.
      Separate node for Application Server.

      Install AS10g 10.1.4.2, apply required patches.
      Run registration script txkrun.pl $FND_TOP/bin/txkrun.pl -script=SetSSOReg

      Then I check the URL and get the SSO Login Page. When I use an R12 user account, I get the below error.

      Unable to link account. This E-Business Suite user account is marked as a local account.

      Thanks in Adv.

    2. Atul says:

      select USER_NAME, ENCRYPTED_FOUNDATION_PASSWORD, ENCRYPTED_USER_PASSWORD from fnd_user where user_name like '&UserName';

      Password should be set either to external or both.

      Check profile option “Application SSO Login Types” at User, Server and Site level

      This seems you had an existing E-Business Suite with some users already in. You need to migrate these users into OID using bulkload.

      Follow Deployment Scenario 3 (Page 33) : of Guide mentioned at https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf

      This Guide is for 11i with OID but same procedure can be used with R12

      Check Page 69 of above guide to migrate users from Apps to OID

      Other posts which I covered on this topic are

      http://onlineappsdba.com/index.php/2008/04/17/migrate-users-tofrom-oid-and-oracle-apps-11ir12/

      http://onlineappsdba.com/index.php/2007/09/13/25-things-apps-dba-should-know-for-apps-11ir12-integration-with-oidsso

    4. mehmood says:

      We have got one problem: one of our users got removed from SSO, but we have no clue who did this and how it was done. In this scenario how can you find / debug this issue??

      regards

    5. Atul says:

      Mehmood,

      You need to enable auditing on ldap server (OID for SSO) to find out such cases in future.

      1. Select audit for “delete” event in OID to record deletes in OID
      In OID Manager (oidadmin), expand Oracle Internet Directory Servers and select the directory server instance.
      In the right pane, select the Audit Mask Levels tab page. This tab page lists the auditable events. Select the
      check box against “Delete” and click Apply

      2. To search delete events in future
      In OID Manager (oidadmin), expand Oracle Internet Directory Servers and the directory server instance.
      Select Audit Log Management. In the right pane search based on time

      For full details check oracle guide here

    6. Peter Le says:

      How do I know if I am using Oracle Portal?
      I am using Oracle eBiz and this is the URL that I use, “http://hostname:port/oa_servlets/AppsLogin”; this takes me to my SSO login page. Our users are authenticated with Active Directory through OID. The setting for your #4 does not work for me. Can you please help?

    7. Atul Kumar says:

      Peter,
      Is the password stored in OID as well (apart from AD)?

      or

      is it only in AD and you use the OID-AD authentication plugin for authentication?

      If it’s the latter then you can reset the password only in AD, else use the OIDDAS screen.

    8. Peter Le says:

      OID only stores user info but no password. We want to lock the user with “EXTERNAL” password after # of failed attempts. What do I need to do in OID?

    9. srihari rao says:

      hi atul…

      I really appreciate your website …
      I got much knowledge for apps from your blogs..
      When I run the below query it reports some errors

      select USER_NAME||' - '||MESSAGE||' - '||to_char(LOG_DATE,'dd.mm.yyyy hh24:mi:ss')||' - '||IP_ADDRESS "Login Failures"
      from ORASSO.WWSSO_AUDIT_LOG_TABLE$
      where log_date > (sysdate - 7)
      and MESSAGE = 'Login failed'
      order by log_date
      /

      from ORASSO.WWSSO_AUDIT_LOG_TABLE$
      *
      ERROR at line 2:
      ORA-00942: table or view does not exist

      Please let me know how to make the above table available and run this script completely…

      My environment is 11.5.10.2 db 9.2.0.6 on linux…

      Tks

      Srihari …

    10. Atul Kumar says:

      @Srihari
      The ORASSO schema is in the OID/SSO database and is applicable only if your 11i (apps) is integrated with OID/SSO

    11. rzilist says:

      Hi Atul,
      Nice article! Do you, by any chance, know how I would notify the user and an Admin via email that the account has been locked?
      Thanks, Roman

    12. mohammedosmanali@gmail.com says:

      I am working as an Oracle Apps DBA. I want to know how to unlock a user account if the user complains about a lock. Please tell me the procedure to unlock the account from the back-end or from the sysadmin GUI.

    13. Mahendra says:

      I faced same issue today and this helped me..Good one Atul. Thanks..

    14. sandy says:

      We are using OAM 10g and OVD 11g and OID 11g.
      We have a requirement to lock the user account for 30 minutes after 5 unsuccessful attempts; once it is locked it should be unlocked automatically after 30 minutes. I have created the password policy in OAM, which is updating the “ob” attributes in OID.
      The issue we have is, in the OAM password policy we can give a minimum of 1 hour of account lock duration, and in OID I can give 30 minutes as lockout time. How can I set the account lock duration in OAM as 30 minutes?

    15. Zeh says:

      Hi Atul,

      I’m trying to control and show to the user his bind attempts, but I’m doing this by checking the audit_log_table. The problem is that I have to control this in a cycle of 24 hours.
      Is there a way to query for this value in the OID tables to know how many attempts the user still has?

      Having a way to query for this value will work a lot better than just querying the audit_log_table, since it is the value of attempts in OID.

      Thanks. Zeh

    16. Sudipto says:

      Hi – Nice article. Do you know of a way in which we can programmatically lock the user account?
      Details here – https://forums.oracle.com/forums/thread.jspa?threadID=2465724&tstart=0

    17. mark says:

      Hi. I wonder if you can help me to point me in the right direction. I implemented SSO, OID, OAM with R11. Now I’m trying to integrate it with WNA to allow unchallenged access to EBS. We used MS AD as identity store; samaccountname is not the same as user_name in FND_USER and we don’t have the orclguid field in AD. Maybe you can advise how to integrate AD and OID. Or is OID supposed to be an integral part of any SSO implementation?

      Thanks
