Thursday, August 14, 2008

SSO : How to deal with “Your Account is Locked”

You have applications (E-Business Suite 11i/R12, Portal, Discoverer, BI Publisher) integrated with Oracle Single Sign-On (SSO) and users complain that they receive the message "Your Account is Locked". Here are a few things that can help you understand and resolve this.

-

First thing to do in case of "User account is locked"
You should know how to unlock an SSO account. These are the various ways in which you can unlock an account:
1. Using OIDDAS : OIDDAS (Delegated Administrative Services). Login as superuser orcladmin (or an account with access to unlock/change passwords) >> select Directory Tab >> enter User Name >> select Unlock Account

2. Using ODM : Oracle Directory Manager is a Java-based tool to manage users. Go to the user's entry and reset the user password in the right pane. (Resetting the password will unlock the account.)

3. Using ldapmodify : add the attribute "orclpwdaccountunlock" to the user account and set its value to 1 using ldapmodify.

4. Using Portal: If you are using Oracle Portal with SSO, then reset the password using the Portal User Account portlet. (Resetting the password will unlock the account.)

-

Where are account locking rules defined
The next thing to identify is where the account lock rules are defined.
– Account lock rules are defined in the Password Policy in OID. (Did you know that from OID 10.1.4.1 you can use a different password policy at leaf level in OID?)
– To check your password policy, login to OIDADMIN using orcladmin and go to
Password Policy Management -> Password Policy for Realm .... >> click on the Account Lockout tab in the right pane

SSO Account Lock

- A user account can be locked only if "Global Lockout" is enabled and the user tries a wrong password the number of times defined in "Password Maximum Failure" within the "Password Failure Count Interval".
To understand it, let's assume
A) If "Password Maximum Failure" is set to 10 and "Password Failure Count Interval" is set to 0, then 10 consecutive wrong passwords will lock the user account.

B) If "Password Maximum Failure" is set to 10 and "Password Failure Count Interval" is set to 20, then 10 consecutive wrong passwords within 20 seconds will lock the user account.

- Another reason for an account lock is the "Password Expiry Time" defined in the Password Policy. A user account can be locked after the password expiry time passes.

Note *

The account will remain locked for the time specified by "Global Lockout Duration" (default is 86400 sec, i.e. 1 day) unless unlocked by an Admin.

-

How to prevent Administrative Accounts getting locked

You can create another password policy (possible only from OID 10.1.4 and higher) with "No Global Lockout" and attach the new password policy to the administrative accounts.

-
Finally, if your superuser "orcladmin" itself is locked
A) If a super user account like "orcladmin" is locked you can unlock it like this:
oidpasswd [connect=] unlock_su_acct=true

P.S. There are two orcladmin accounts, one cn=orcladmin and the other cn=orcladmin,cn=users, dc= (oidpasswd is required to reset the password for cn=orcladmin)
B) If the ods schema (this schema holds the OID data) is locked then you can unlock it using
SQL> alter user ods account unlock;

C) If for some reason you forgot the ods password (default password is the same as orcladmin or ias_admin) then you can reset it using Metalink note # 472752.1 How to Unlock/Reset Super User cn=orcladmin When the ODS's Password Has Been Forgotten ?

-

How to track Failed Login Attempts

If you are getting too many accounts locked and you would like to know whether these are from users or someone else (an attacker), you can:
1. Track failed login attempts from the iAS Console

Login to the iAS Console of the SSO server like http://hostname:/emd (ias_admin/)
Click on "Single Sign-On:orasso"

Check failed logins under "Login Failures During The Last 24 Hours"
2. Use the query below to list failed login attempts in the last 7 days, including the client IP address, on your Single Sign-On Server

select USER_NAME||' - '||MESSAGE||' - '||to_char(LOG_DATE,'dd.mm.yyyy hh24:mi:ss')||' - '||IP_ADDRESS "Login Failures"
from ORASSO.WWSSO_AUDIT_LOG_TABLE$
where log_date > (sysdate - 7)
and MESSAGE = 'Login failed'
order by log_date;
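As an added example (not from the original post), the Python below models the lockout rule from the "SSO Account Lock" section against rows shaped like the columns of the query above, and tallies failures per client IP to help answer the users-or-attacker question. The sample rows, user names and IP addresses are constructed, and the assumption that a successful login resets the failure count is mine.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like the failed-login query's columns
# (USER_NAME, LOG_DATE, IP_ADDRESS, MESSAGE); not real audit data.
SAMPLE_ROWS = [
    ("JSMITH", "14.08.2008 09:00:00", "10.0.0.5", "Login failed"),
    ("JSMITH", "14.08.2008 09:00:04", "10.0.0.5", "Login failed"),
    ("JSMITH", "14.08.2008 09:00:30", "10.0.0.5", "Login succeeded"),
    ("ADMIN1", "14.08.2008 09:10:00", "192.0.2.77", "Login failed"),
    ("ADMIN1", "14.08.2008 09:10:01", "192.0.2.77", "Login failed"),
    ("ADMIN1", "14.08.2008 09:10:40", "192.0.2.77", "Login failed"),
    ("ADMIN1", "14.08.2008 09:10:41", "192.0.2.77", "Login failed"),
    ("ADMIN1", "14.08.2008 09:10:42", "192.0.2.77", "Login failed"),
]
DATE_FMT = "%d.%m.%Y %H:%M:%S"  # same layout as to_char(LOG_DATE, 'dd.mm.yyyy hh24:mi:ss')

def lock_time(rows, user, max_failure, interval_sec):
    """Return when `user` would be locked under the post's rule, or None.
    max_failure = "Password Maximum Failure"; interval_sec = "Password Failure
    Count Interval" (0 = consecutive failures, no time window). Assumption:
    a successful login resets the failure count, as in LDAP password policies."""
    run = []  # timestamps of the current run of consecutive failures
    for name, ts, _ip, message in rows:
        if name != user:
            continue
        when = datetime.strptime(ts, DATE_FMT)
        if message != "Login failed":
            run = []
            continue
        run.append(when)
        if interval_sec:
            cutoff = when - timedelta(seconds=interval_sec)
            run = [t for t in run if t >= cutoff]  # drop failures outside the window
        if len(run) >= max_failure:
            return when
    return None

def failures_by_source(rows):
    """Count failed logins per user and client IP: a lockout wave driven by
    one unfamiliar address looks very different from users mistyping."""
    per_user = defaultdict(Counter)
    for name, _ts, ip, message in rows:
        if message == "Login failed":
            per_user[name][ip] += 1
    return per_user

if __name__ == "__main__":
    print(lock_time(SAMPLE_ROWS, "ADMIN1", 3, 20), lock_time(SAMPLE_ROWS, "ADMIN1", 3, 0))
    print(dict(failures_by_source(SAMPLE_ROWS)["ADMIN1"]))
```

With max failure 3, ADMIN1 locks at 09:10:42 under a 20 second interval (the :00 and :01 failures age out) but at 09:10:40 with interval 0, which is the difference between cases A and B above.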

-

Related

Password Policy in OID/SSO
275104.1 - How To Unlock User Accounts in Portal
251354.1 - OID Superuser Password Locked: How to Unlock the orcladmin Password
204900.1 - What oidpasswd Utility Does and the Objects it Modifies (ODS and ODSCOMMON)
472752.1 - How to Unlock/Reset Super User cn=orcladmin When the ODS's Password Has Been Forgotten ?