SSO : How to deal with “Your Account is Locked”

You have applications (E-Business Suite 11i/R12, Portal, Discoverer, BI Publisher) integrated with Oracle Single Sign-On (SSO) and users complain that they receive the message “Your Account is Locked”. Here are a few things that can help you understand and resolve this.

First thing to do in case “User account is locked”
You should know how to unlock an SSO account. These are the various ways in which you can unlock an account:
1. Using OIDDAS: OIDDAS (Oracle Internet Directory Delegated Administrative Services). Log in as the superuser orcladmin (or an account with access to unlock accounts/change passwords) >> select the Directory tab >> enter the User Name >> select Unlock Account.

2. Using ODM: Oracle Directory Manager is a Java-based tool for managing users. Go to the user’s entry and reset the user’s password in the right pane (resetting the password will unlock the account).

3. Using ldapmodify: add the attribute “orclpwdaccountunlock” to the user’s entry and set its value to 1 using ldapmodify.

4. Using Portal: If you are using Oracle Portal with SSO, then reset the password using the Portal User Account portlet (resetting the password will unlock the account).

Where are account locking rules defined
The next thing to identify is where the account lock rules are defined.
— Account lock rules are defined in the Password Policy in OID (did you know that from OID 10.1.4.1 you can use a different password policy at leaf level in OID?).
— To check your password policy, log in to OIDADMIN using orcladmin and go to
Password Policy Management -> Password Policy for Realm ..<Your Realm Name>.. >> click on the Account Lockout tab in the right pane.

SSO Account Lock

– A user account can be locked only if “Global Lockout” is enabled and the user tries a wrong password the number of times defined in “Password Maximum Failure” within the “Password Failure Count Interval”.
To understand this, let’s assume:
A) If “Password Maximum Failure” is set to 10 and “Password Failure Count Interval” is set to 0, then 10 consecutive wrong passwords will lock the user account.

B) If “Password Maximum Failure” is set to 10 and “Password Failure Count Interval” is set to 20, then 10 consecutive wrong passwords within 20 seconds will lock the user account.

– Another reason for an account lock is the “Password Expiry Time” defined in the Password Policy. A user account can be locked after the password expiry time.

Note *

The account will remain locked for the time specified by “Global Lockout Duration” (default is 86400 seconds, i.e. 1 day) unless unlocked by an Admin.
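To make scenarios A) and B) concrete, here is an added Python model of those lockout rules (example code written for this page, not Oracle’s implementation). The policy names mirror the settings above; the sliding-window counting, the reset on a successful bind and the automatic expiry behaviour are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """Mirrors the Account Lockout settings named above (defaults assumed)."""
    global_lockout: bool = True        # "Global Lockout"
    max_failure: int = 10              # "Password Maximum Failure"
    failure_count_interval: int = 0    # "Password Failure Count Interval" in seconds; 0 = no window
    lockout_duration: int = 86400      # "Global Lockout Duration" in seconds (default 1 day)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed binds
    locked_at: Optional[float] = None


def admin_unlock(state: AccountState) -> None:
    """What setting orclpwdaccountunlock=1 (or OIDDAS 'Unlock Account') achieves."""
    state.locked_at = None
    state.failures.clear()


def is_locked(state: AccountState, now: float, policy: LockoutPolicy) -> bool:
    """True while a lock is in force; it lapses once lockout_duration has passed."""
    if state.locked_at is None:
        return False
    if now - state.locked_at >= policy.lockout_duration:
        admin_unlock(state)            # assumed: expiry behaves like an unlock
        return False
    return True


def record_bind(state: AccountState, now: float, success: bool,
                policy: LockoutPolicy) -> bool:
    """Apply one bind attempt at time `now`; return True if the account is locked after it."""
    if is_locked(state, now, policy):
        return True
    if success:
        state.failures.clear()         # a correct password ends the consecutive run
        return False
    state.failures.append(now)
    if policy.failure_count_interval > 0:
        cutoff = now - policy.failure_count_interval   # only failures in the window count
        state.failures = [t for t in state.failures if t >= cutoff]
    if policy.global_lockout and len(state.failures) >= policy.max_failure:
        state.locked_at = now
        return True
    return False
```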

How to prevent Administrative Accounts getting locked

You can create another password policy (possible only from OID 10.1.4 and higher) with “No Global Lockout” and attach the new password policy to the administrative accounts.


Finally, if your superuser “orcladmin” itself is locked
A) If a superuser account like “orcladmin” is locked, you can unlock it with
oidpasswd [connect=<OID schema database connect string>] unlock_su_acct=true

P.S. There are two orcladmin accounts: one is cn=orcladmin and the other is cn=orcladmin,cn=users,dc=<your domain> (oidpasswd is required to reset the password for cn=orcladmin).
B) If the ods schema account (this schema holds the OID data) is locked, then you can unlock it using
SQL> alter user ods account unlock;

C) If for some reason you forgot the ods password (the default password is the same as orcladmin or ias_admin), then you can reset it using Metalink note 472752.1: How to Unlock/Reset Super User cn=orcladmin When the ODS’s Password Has Been Forgotten?

How to track Failed Login Attempts

If you are getting too many accounts locked and would like to know whether the failures come from genuine users or from someone else (an attacker):
1. You can track failed login attempts from the iAS Console.

Log in to the iAS Console of the SSO server at http://hostname:<em_port>/emd (ias_admin/<passwd>).
Click on “Single Sign-On:orasso”.

Check failed logins under “Login Failures During The Last 24 Hours”.
2. Use the query below to list failed login attempts in the last 7 days, including the client IP address, on your Single Sign-On Server:

select USER_NAME||' - '||MESSAGE||' - '||to_char(LOG_DATE,'dd.mm.yyyy hh24:mi:ss')||' - '||IP_ADDRESS "Login Failures"
from ORASSO.WWSSO_AUDIT_LOG_TABLE$
where log_date > (sysdate - 7)
and MESSAGE = 'Login failed'
order by log_date;
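As an added example (not from the original post), the same audit columns loaded into an in-memory SQLite table with constructed rows, so the query above can be extended to group failures per client IP: one address failing against many different accounts is what locks many users at once, while one user failing from one address is usually a forgotten password. The table name drops the trailing `$` for SQLite, and the `min_users` threshold is an assumption.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2008, 7, 14, 12, 0, 0)   # constructed stand-in for sysdate

# Constructed sample rows (not real audit data) with the columns the query reads:
# USER_NAME, MESSAGE, LOG_DATE, IP_ADDRESS
SAMPLE_ROWS = [
    ("jsmith",   "Login failed",     NOW - timedelta(hours=1),    "10.1.1.20"),
    ("jsmith",   "Login failed",     NOW - timedelta(hours=1),    "10.1.1.20"),
    ("jsmith",   "Login successful", NOW - timedelta(minutes=50), "10.1.1.20"),
    ("asmith",   "Login failed",     NOW - timedelta(hours=2),    "10.1.1.99"),
    ("bjones",   "Login failed",     NOW - timedelta(hours=2),    "10.1.1.99"),
    ("cwhite",   "Login failed",     NOW - timedelta(hours=2),    "10.1.1.99"),
    ("dgreen",   "Login failed",     NOW - timedelta(hours=2),    "10.1.1.99"),
    ("old_user", "Login failed",     NOW - timedelta(days=9),     "10.1.1.99"),  # older than 7 days
]


def load_audit_log(rows):
    """Load rows into an in-memory table; the '$' in the Oracle name is dropped for SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wwsso_audit_log_table "
                 "(user_name TEXT, message TEXT, log_date TEXT, ip_address TEXT)")
    conn.executemany("INSERT INTO wwsso_audit_log_table VALUES (?, ?, ?, ?)",
                     [(u, m, d.isoformat(sep=" "), ip) for u, m, d, ip in rows])
    return conn


def failures_by_ip(conn, now=NOW, days=7):
    """Failure count and number of distinct user names per client IP over the last
    `days` days (the Oracle equivalent of the date filter is log_date > sysdate - 7)."""
    cutoff = (now - timedelta(days=days)).isoformat(sep=" ")
    sql = """SELECT ip_address, COUNT(*) AS failures, COUNT(DISTINCT user_name) AS users
             FROM wwsso_audit_log_table
             WHERE message = 'Login failed' AND log_date > ?
             GROUP BY ip_address
             ORDER BY users DESC, failures DESC"""
    return [tuple(r) for r in conn.execute(sql, (cutoff,))]


def spraying_sources(conn, min_users=3, **kw):
    """IPs whose failures hit at least `min_users` different accounts (assumed threshold):
    one source locking many users, rather than one user mistyping a password."""
    return [ip for ip, _, users in failures_by_ip(conn, **kw) if users >= min_users]
```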


Related

Password Policy in OID/SSO
275104.1 - How To Unlock User Accounts in Portal
251354.1 - OID Superuser Password Locked: How to Unlock the orcladmin Password
204900.1 - What oidpasswd Utility Does and the Objects it Modifies (ODS and ODSCOMMON)
472752.1 - How to Unlock/Reset Super User cn=orcladmin When the ODS’s Password Has Been Forgotten?

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy: specialising in design, implementation and training.


19 comments
Syed says July 14, 2008

Unable to link account. This E-Business Suite user account is marked as a local account.

Dear Atul, I am implementing SSO on R12, with a separate node for the Application Server.

Install AS10g 10.1.4.2, apply required patches.
Run the registration script txkrun.pl: $FND_TOP/bin/txkrun.pl -script=SetSSOReg

Then I check the URL and get the SSO login page. When I use an R12 user account, I get the below error.

Unable to link account. This E-Business Suite user account is marked as a local account.

Thanks in advance.

Atul says July 14, 2008

select USER_NAME, ENCRYPTED_FOUNDATION_PASSWORD, ENCRYPTED_USER_PASSWORD from fnd_user where user_name like '&UserName';

Password should be set either to external or both.

Check the profile option “Application SSO Login Types” at User, Server and Site level.

It seems you had an existing E-Business Suite with some users already in it. You need to migrate these users into OID using bulkload.

Follow Deployment Scenario 3 (page 33) of the guide at https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf

This guide is for 11i with OID, but the same procedure can be used with R12.

Check page 69 of the above guide to migrate users from Apps to OID.

Other posts I have written on this topic:

http://onlineappsdba.com/index.php/2008/04/17/migrate-users-tofrom-oid-and-oracle-apps-11ir12/

http://onlineappsdba.com/index.php/2007/09/13/25-things-apps-dba-should-know-for-apps-11ir12-integration-with-oidsso

mehmood says September 12, 2008

We have got one problem: one of our users got removed from SSO, but we have no clue who did this or how it was done. In this scenario, how can you find/debug this issue?

Regards

Atul says September 13, 2008

Mehmood,

You need to enable auditing on the LDAP server (OID for SSO) to find out such cases in the future.

1. Select audit for the “delete” event in OID to record deletes in OID.
In OID Manager (oidadmin), expand Oracle Internet Directory Servers and select the directory server instance.
In the right pane, select the Audit Mask Levels tab page. This tab page lists the auditable events. Select the
check box against “Delete” and click Apply.

2. To search delete events in the future:
In OID Manager (oidadmin), expand Oracle Internet Directory Servers and the directory server instance.
Select Audit Log Management. In the right pane, search based on time.

For full details, check the Oracle guide.

Peter Le says October 17, 2008

How do I know if I am using Oracle Portal?
I am using Oracle eBiz and this is the URL that I use: “http://hostname:port/oa_servlets/AppsLogin”. This takes me to my SSO login page. Our users are authenticated with Active Directory through OID. The setting for your #4 does not work for me. Can you please help?

Atul Kumar says October 18, 2008

Peter,
Is the password stored in OID as well (apart from AD)?

or

is it only in AD and you use the OID-AD authentication plugin to authenticate?

If it’s the latter, then you can reset the password only in AD; else use the OIDDAS screen.

Peter Le says October 27, 2008

OID only stores user info but no password. We want to lock a user with an “EXTERNAL” password after a number of failed attempts. What do I need to do in OID?

srihari rao says June 9, 2009

Hi Atul,

I really appreciate your website.
I got much knowledge of Apps from your blogs.
When I run the below query, it reports some errors:

select USER_NAME||' - '||MESSAGE||' - '||to_char(LOG_DATE,'dd.mm.yyyy hh24:mi:ss')||' - '||IP_ADDRESS "Login Failures"
from ORASSO.WWSSO_AUDIT_LOG_TABLE$
where log_date > (sysdate - 7)
and MESSAGE = 'Login failed'
order by log_date
/

from ORASSO.WWSSO_AUDIT_LOG_TABLE$
*
ERROR at line 2:
ORA-00942: table or view does not exist

Please let me know how to make the above table available and run this script completely.

My environment is 11.5.10.2, DB 9.2.0.6 on Linux.

Thanks

Srihari

Atul Kumar says June 9, 2009

@Srihari
The ORASSO schema is in the OID/SSO database and is applicable only if your 11i (Apps) is integrated with OID/SSO.

rzilist says December 22, 2009

Hi Atul,
Nice article! Do you, by any chance, know how I would notify a user and an admin via email that the account has been locked?
Thanks, Roman

mohammedosmanali@gmail.com says January 25, 2010

I am working as an Oracle Apps DBA. I want to know how to unlock a user account if the user complains of a lock. Please tell me the procedure to unlock the account from the back end or from the sysadmin GUI.

Mahendra says October 1, 2010

I faced the same issue today and this helped me. Good one, Atul. Thanks.

sandy says March 7, 2011

We are using OAM 10g, OVD 11g and OID 11g.
We have a requirement to lock the user account after 5 unsuccessful attempts; once it is locked, it should be unlocked automatically after 30 minutes. I have created the password policy in OAM, which is updating the “ob” attributes in OID.
The issue we have is that in the OAM password policy we can give a minimum of 1 hour of account lock duration, while in OID I can give 30 minutes as the lockout time. How can I set the account lock duration in OAM to 30 minutes?

Zeh says September 21, 2011

Hi Atul,

I’m trying to control and show the user his bind attempts, but I’m doing this by checking the audit_log_table. The problem is that I have to control this in a cycle of 24 hours.
Is there a way to query this value in the OID tables to know how many attempts the user still has?

Having a way to query this value would work a lot better than just querying the audit_log_table, since it is the value of attempts in OID.

Thanks. Zeh

Sudipto says November 19, 2012

Hi, nice article. Do you know of a way in which we can programmatically lock the user account?
Details here: https://forums.oracle.com/forums/thread.jspa?threadID=2465724&tstart=0

mark says July 23, 2013

Hi. I wonder if you can help point me in the right direction. I implemented SSO, OID and OAM with R11. Now I’m trying to integrate it with WNA to allow unchallenged access to EBS. We used MS AD as the identity store; samaccountname is not the same as user_name in FND_USER and we don’t have the orclguid field in AD. Maybe you can advise how to integrate AD and OID, or whether OID is supposed to be an integral part of any SSO implementation.

Thanks
