When A User Account Is Locked Out, The Account Credentials Are Still Validated Against The Backend System (Doc ID 2029248.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.

Goal

WebLogic has a concept of user lockouts in its security realm: after a certain number of failed authentication requests, the user is locked out for a specified period of time. While the account is locked, one would not expect any further authentication traffic to reach the backend system (an LDAP server, Active Directory, and so forth). An Oracle white paper describes this behavior: "Once the account has been soft locked in WebLogic runtime, it does not try to validate the account credentials against the backend system, thus preventing it from being permanently locked" (Diagnosing Intermittent Authentication Failures and User Lock-Outs in Oracle WebLogic). However, even when a user account is soft locked in WebLogic runtime, the account credentials are still validated against the backend system.

Why is a locked account still authenticated against the backend system?
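As an added illustration, not WebLogic's or Oracle's code, here is a minimal model of the soft-lockout behavior the white paper describes, with a call counter on a constructed backend stub so the expected property (no backend validation while the account is locked) can be checked directly; the class and function names are assumptions.

```python
import time

class BackendStub:
    """Constructed stand-in for the LDAP/AD server; counts how often it is asked."""
    def __init__(self, users):
        self.users, self.calls = users, 0
    def validate(self, user, password):
        self.calls += 1
        return self.users.get(user) == password

class LockoutGate:
    """Soft lock in front of a backend: `threshold` consecutive failures lock the
    user for `duration` seconds; a locked user is refused without a backend call."""
    def __init__(self, backend, threshold=5, duration=1800.0, clock=time.monotonic):
        self.backend, self.threshold, self.duration, self.clock = backend, threshold, duration, clock
        self.failures = {}      # user -> consecutive failure count
        self.locked_until = {}  # user -> clock value at which the soft lock expires
    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:           # window expired: clear lock and counter
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True
    def authenticate(self, user, password):
        if self.is_locked(user):
            return False                    # short-circuit: backend is not contacted
        if self.backend.validate(user, password):
            self.failures.pop(user, None)   # success resets the counter
            return True
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= self.threshold:
            self.locked_until[user] = self.clock() + self.duration
        return False

def backend_calls_during_lockout(threshold=3, extra_attempts=4):
    """Constructed scenario: exhaust the threshold, keep trying while locked, retry after
    expiry. Returns (backend calls causing the lock, calls while locked, success after)."""
    now = [0.0]                             # fake clock so the scenario needs no sleep
    backend = BackendStub({"alice": "correct-horse"})
    gate = LockoutGate(backend, threshold, duration=60.0, clock=lambda: now[0])
    for _ in range(threshold):
        gate.authenticate("alice", "wrong-password")
    before = backend.calls
    for _ in range(extra_attempts):         # even the right password is refused now
        gate.authenticate("alice", "correct-horse")
    during = backend.calls - before
    now[0] += 61.0                          # lockout window has expired
    return before, during, gate.authenticate("alice", "correct-horse")
```

If a gate like this is in place, the backend's own authentication log should show no attempts for the user during the lockout window; attempts that do appear there are the symptom this article asks about.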

Solution
