Profile Option: Signon Password Failure Limit Not Working Correctly And Users Are Still Able to Log in When Account is Locked
(Doc ID 2579955.1)
Last updated on APRIL 20, 2023
Applies to:
Oracle Application Object Library - Version 12.2.6 to 12.2.8 [Release 12.2]
Information in this document applies to any platform.
Symptoms
On : 12.2.6 version, IAS for Applications Technology
We recently changed the profile option "Signon Password Failure Limit" to 5 at the Site Level, however, some users are getting locked out after 3 login attempts.
Also, after password reset to unlock the user account, some users would get locked out again after 2 more login attempts.
It seems that the password failure limit is not "resetting" to zero after the user account is locked out.
Applied patch 28292585 noted in Doc ID 2498718.1 in a test instance, but that did not fix the issue.
STEPS
-----------------------
The issue can be reproduced at will with the following steps:
Scenario 1:
1. Set profile option "Signon Password Failure Limit" to 5 at site level.
2. Users are locked out after 3 unsuccessful attempts.
Scenario 2:
1. Set profile option "Signon Password Failure Limit" to 5 at site level.
2. Attempt to log in with the wrong password 5 times in MS Internet Explorer (v11).
3. Then try to log in with the correct password on the 6th attempt, and it does NOT log in. So user appears to be locked out but is not.
4. Check the User record (System Administrator > Security > Define > User) and status is still Active (not Locked as would be expected).
5. Attempt to log in again with the correct password using Mozilla Firefox (v56.0) and was able to log in successfully.
Note: This would be the 7th attempt and user should be locked after 5 attempts per profile setting at 5.
User logs in with incorrect password 5 times and appears to be locked out during login (this is evidenced by not being able to log in on the 6th attempt) but the Define form shows user as still active.
---Because user’s account is unstable it appears to be locked out, this is a reset because user cannot log in.
However, user logs in again with correct password (now 7th attempt) and user is able to log in.
User should not be able to log in as the user should be locked out because user account was already locked on the 6th attempt.
Changes
Cause