You have applications (E-Business Suite 11i/R12, Portal, Discoverer, BI Publisher) integrated with Oracle Single Sign-On (SSO), and users complain that they receive the message “Your Account is Locked”. Here are a few things that can help you understand this.
First thing to do in case “User account is locked”
You should know how to unlock an SSO account. There are several ways to unlock an account:
1. Using OIDDAS: In OIDDAS (Delegated Administrative Services), log in as superuser orcladmin (or an account with access to unlock accounts/change passwords) >> select the Directory tab >> enter the User Name >> select Unlock Account
2. Using ODM: Oracle Directory Manager is a Java-based tool to manage users. Go to the user’s entry and reset the user password in the right pane. (Resetting the password will unlock the account.)
3. Using ldapmodify: add the attribute “orclpwdaccountunlock” to the user account and set its value to 1 using ldapmodify.
4. Using Portal: If you are using Oracle Portal with SSO, reset the password using the Portal User Account portlet. (Resetting the password will unlock the account.)
Where are account locking rules defined
The next thing to identify is where the account lock rules are defined.
- Account lock rules are defined in the Password Policy in OID (did you know that from OID 10.1.4.1 you can use a different password policy at leaf level?)
- To check your password policy, log in to OIDADMIN using orcladmin and go to
Password Policy Management -> Password Policy for Realm ..<Your Realm Name>.. >> click on the Account Lockout tab in the right pane
- A user account can be locked only if “Global Lockout” is enabled and the user tries a wrong password the number of times defined in “Password Maximum Failure” within the “Password Failure Count Interval”
To understand it, let’s assume:
A) If “Password Maximum Failure” is set to 10 and “Password Failure Count Interval” is set to 0, then 10 consecutive wrong passwords will lock the user account.
B) If “Password Maximum Failure” is set to 10 and “Password Failure Count Interval” is set to 20, then 10 consecutive wrong passwords within 20 seconds will lock the user account.
- Another reason for an account lock is the “Password Expiry Time” defined in the Password Policy. A user account can lock after the password expiry time.
The account will remain locked for the time specified by “Global Lockout Duration” (default is 86400 sec, i.e. 1 day) unless unlocked by an admin.
How to prevent Administrative Accounts getting locked
You can create another password policy (possible only from OID 10.1.4 and higher) with “No Global Lockout” and attach the new password policy to the administrative accounts.
Finally if your superuser “orcladmin” itself is locked
A) If a superuser account like “orcladmin” is locked, you can unlock it with:
oidpasswd [connect=<OID schema database connect string>] unlock_su_acct=true
P.S. There are two orcladmin accounts: one is cn=orcladmin and the other is cn=orcladmin,cn=users,dc=<your domain> (oidpasswd is required to reset the password for cn=orcladmin).
B) If the ods schema account (this schema holds the OID data) is locked, you can unlock it using:
SQL> alter user ods account unlock;
C) If for some reason you forgot the ods password (the default password is the same as orcladmin or ias_admin), you can reset it using Metalink note # 472752.1 How to Unlock/Reset Super User cn=orcladmin When the ODS’s Password Has Been Forgotten ?
How to track Failed Login Attempts
If too many accounts are getting locked and you would like to know whether the failed logins come from the users themselves or from someone else (a hacker):
1. You can track failed login attempts from the iAS Console
Log in to the iAS Console of the SSO server, e.g. http://hostname:<em_port>/emd (ias_admin/<passwd>)
Click on “Single Sign-On:orasso”
Check failed logins under “Login Failures During The Last 24 Hours”
2. Use the query below to list failed login attempts in the last 7 days, including the client IP address, on your Single Sign-On server
select USER_NAME||' - '||MESSAGE||' - '||to_char(LOG_DATE,'dd.mm.yyyy hh24:mi:ss')||' - '||IP_ADDRESS "Login Failures"
from orasso.wwsso_audit_log_table_t -- SSO audit log table in the ORASSO schema
where log_date > (sysdate - 7)
and MESSAGE = 'Login failed'
order by log_date;
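An added example (not part of the original post): a Python script that reads the text rows produced by the query above and separates the two cases the post asks about, a single user mistyping a password versus one client IP failing against many accounts. The sample rows, the threshold of 3 and the `min_users` parameter are constructed for illustration; the query returns failures only, so a successful login that resets OID's failure counter is not visible here.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the query's output format:
# USER_NAME - MESSAGE - dd.mm.yyyy hh24:mi:ss - IP_ADDRESS
SAMPLE = """\
JSMITH - Login failed - 03.06.2024 09:00:01 - 10.1.1.20
JSMITH - Login failed - 03.06.2024 09:00:09 - 10.1.1.20
JSMITH - Login failed - 03.06.2024 09:00:15 - 10.1.1.20
ALEE - Login failed - 03.06.2024 11:30:00 - 192.0.2.77
BKHAN - Login failed - 03.06.2024 11:30:02 - 192.0.2.77
CDIAZ - Login failed - 03.06.2024 11:30:04 - 192.0.2.77
DWONG - Login failed - 03.06.2024 11:30:06 - 192.0.2.77
"""

def parse(text):
    """Yield (user, timestamp, ip) for each well-formed row."""
    for line in text.splitlines():
        parts = line.rsplit(" - ", 3)   # split from the right: user names may contain " - "
        if len(parts) != 4:
            continue                     # skip column headers and blank lines
        user, _msg, stamp, ip = (p.strip() for p in parts)
        yield user, datetime.strptime(stamp, "%d.%m.%Y %H:%M:%S"), ip

def multi_user_sources(rows, min_users=3):
    """Client IPs with failed logins for at least min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for user, _ts, ip in rows:
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def lockout_candidates(rows, max_failures, interval_secs):
    """Users with max_failures failures inside interval_secs (0 = no time window)."""
    times = defaultdict(list)
    for user, ts, _ip in rows:
        times[user].append(ts)
    hit = set()
    for user, ts in times.items():
        ts.sort()
        for i in range(len(ts) - max_failures + 1):
            span = (ts[i + max_failures - 1] - ts[i]).total_seconds()
            if interval_secs == 0 or span <= interval_secs:
                hit.add(user)
    return hit

if __name__ == "__main__":
    rows = list(parse(SAMPLE))
    print(multi_user_sources(rows))                                   # shared source IP
    print(lockout_candidates(rows, max_failures=3, interval_secs=20)) # policy-style check
```

Set `max_failures` and `interval_secs` to the “Password Maximum Failure” and “Password Failure Count Interval” values from your own password policy before comparing the result with the accounts that actually locked.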
Password Policy in OID/SSO
275104.1 – How To Unlock User Accounts in Portal
251354.1 – OID Superuser Password Locked: How to Unlock the orcladmin Password
204900.1 – What oidpasswd Utility Does and the Objects it Modifies (ODS and ODSCOMMON)
472752.1 – How to Unlock/Reset Super User cn=orcladmin When the ODS’s Password Has Been Forgotten ?