Configuring Account Lockout
Account lockout is a security mechanism that locks a user after repeated failed login attempts. It is used to slow down brute-force attacks as well as to compensate for weak password policies.
Most deployments use the identity store's password policy to control account lockout. If that is not an option for your deployment, configure account lockout in AM as explained in this section.
AM supports two approaches to locking an account after repeated authentication failures: persistent lockout and memory lockout.
Persistent (physical) lockout sets the user account status to inactive in the user profile. For persistent lockout, AM tracks failed authentication attempts by writing to the user repository.
Persistent account lockout works independently of account lockout mechanisms in the underlying directory server that serves as the user data store.
Memory lockout locks the user account, keeping track of the locked state only in memory, and then unlocking the account after a specified delay. Memory lockout is also released when AM restarts.
Failed login attempts during the transactional authorization flow do not increment account lockout counters. For more information on transactional authorization, see Transactional Authorization.
If login failures are tracked only in AM's memory, user accounts may not be locked out even after multiple login failures, because the counters are not shared with other AM servers and are cleared when AM restarts. To avoid this issue, use persistent lockout instead.
To configure account lockout, configure the authentication settings for the realm, as follows:
Access the settings in the AM console under Realms > Realm Name > Authentication > Settings > Account Lockout.
Enable lockout by checking Login Failure Lockout Mode, setting the number of attempts, and setting the lockout interval and duration.
You can also opt to warn users after several consecutive failures, or to multiply the lockout duration on each successive lockout.
(Optional) If you have configured CTS-based or client-based authentication sessions, enable Store Invalid Attempts in Data Store, which saves account login failures to the data store. If you do not enable it, users might not be locked out even after multiple login failures.
You can set up email notification upon lockout to an administrator if AM is configured to send mail. You can configure AM to send mail in Configure > Server Defaults > General > Mail Server.
For persistent lockout, AM sets the value of the user's inetuserstatus profile attribute to inactive. You can also specify another attribute to update on lockout. You can further set a non-default attribute on which to store the number of failed authentication attempts. When you do store the number of failed attempts in the data store, other AM servers accessing the user data store can also see the number.
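As an added example (not ForgeRock AM's own code), the Python model below follows the lockout settings described above: a failure count, the interval in which failures are counted, a lockout duration, a warning threshold and a duration multiplier. The lockout state lives in a store handed to the tracker, so the same code shows memory lockout (a dict private to one server process, lost on restart and invisible to other servers) next to persistent lockout (a store shared by every server, released only by an administrator). The class and setting names are this example's, not the labels in the AM console.

```python
"""Added example, not ForgeRock AM's own code: a small model of the account
lockout policy described above (failure count, failure interval, lockout
duration, warning threshold, duration multiplier), with the lockout state kept
in a store handed to the tracker, so that memory lockout (a dict private to one
server process) and persistent lockout (a store shared by every server) can be
compared. Setting names are this example's; the AM console labels differ."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # consecutive failures that trigger a lockout
    failure_interval_s: int = 300  # failures older than this no longer count
    lockout_duration_s: int = 300  # memory lockout: released after this; 0 = persistent
    warn_after: int = 3            # warn the user from this many failures on
    duration_multiplier: int = 1   # multiplies the duration on each successive lockout


@dataclass
class LockoutRecord:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None  # memory lockout expiry time
    lockout_count: int = 0                # successive lockouts, feeds the multiplier
    inactive: bool = False                # persistent lockout: user status set to inactive


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, store: Dict[str, LockoutRecord]):
        self.policy = policy
        self.store = store  # per-process dict = memory lockout; shared dict = persistent

    def _record(self, user: str) -> LockoutRecord:
        return self.store.setdefault(user, LockoutRecord())

    def is_locked(self, user: str, now: float) -> bool:
        rec = self._record(user)
        if rec.inactive:
            return True  # only an administrator setting the status back to Active unlocks
        return rec.locked_until is not None and now < rec.locked_until

    def record_failure(self, user: str, now: float) -> str:
        """Register a failed login; returns 'locked', 'warn' or 'ok'."""
        if self.is_locked(user, now):
            return "locked"
        rec = self._record(user)
        rec.locked_until = None
        # Only failures inside the failure interval count towards the lockout.
        rec.failures = [t for t in rec.failures if now - t < self.policy.failure_interval_s]
        rec.failures.append(now)
        if len(rec.failures) >= self.policy.max_failures:
            rec.lockout_count += 1
            rec.failures = []
            if self.policy.lockout_duration_s == 0:
                rec.inactive = True  # persistent: stays locked until an admin unlocks
            else:
                factor = self.policy.duration_multiplier ** (rec.lockout_count - 1)
                rec.locked_until = now + self.policy.lockout_duration_s * factor
            return "locked"
        if len(rec.failures) >= self.policy.warn_after:
            return "warn"
        return "ok"

    def record_success(self, user: str, now: float) -> bool:
        """A successful login clears the failure count; refused while locked."""
        if self.is_locked(user, now):
            return False
        self._record(user).failures = []
        return True

    def admin_unlock(self, user: str) -> None:
        """Equivalent of setting the user's status back to Active in the console."""
        self.store[user] = LockoutRecord()


def compare_memory_and_persistent() -> dict:
    """Three failures on one server: memory lockout is invisible to a second
    server (or to the same server after a restart); persistent lockout is not."""
    policy = LockoutPolicy(max_failures=3, lockout_duration_s=60)
    server_a = LockoutTracker(policy, {})   # each server has its own in-memory store
    server_b = LockoutTracker(policy, {})
    for t in (0, 1, 2):
        server_a.record_failure("alice", now=t)

    shared_store: Dict[str, LockoutRecord] = {}  # stands in for the user data store
    persistent = LockoutPolicy(max_failures=3, lockout_duration_s=0)
    server_c = LockoutTracker(persistent, shared_store)
    server_d = LockoutTracker(persistent, shared_store)
    for t in (0, 1, 2):
        server_c.record_failure("bob", now=t)

    return {
        "memory_locked_on_server_a": server_a.is_locked("alice", now=3),
        "memory_locked_on_server_b": server_b.is_locked("alice", now=3),
        "persistent_locked_on_server_d": server_d.is_locked("bob", now=3),
    }


if __name__ == "__main__":
    print(compare_memory_and_persistent())
```

Running the module prints the comparison: the account locked on server A is not locked on server B under memory lockout, while the persistent lockout written to the shared store is seen by every server. The multiplier is applied as duration × multiplier^(lockouts − 1), so with a multiplier of 2 the second lockout lasts twice as long as the first.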
For more information, see "Configuring Realm Authentication Properties".
To unlock a user's account, find the user under Realms > Realm Name > Identities. Select the user you want to unlock, and set their User Status property to Active. Save your changes.
For information on how authentication trees handle account lockout, see "About Account Lockout for Trees".
Customizing Account Lockout Messages
To customize the messages shown to end users when their accounts are locked, follow these steps:
Extract the amAuth.properties file from the openam-core-7.1.0.jar file in the WEB-INF/lib/ folder where AM is deployed.
Change the value of the field that controls the lockout message:
If you are using an authentication tree, change the value of the lockOut field, for example:
lockOut=Your example.com account has been locked. Please contact your support agent.|user_inactive.jsp
If you are using an authentication chain, change the value of the 112 field, for example:
112=Your example.com account has been locked. Please contact your support agent.|user_inactive.jsp
Copy the amended amAuth.properties file to the WEB-INF/classes/ folder where AM is deployed.
When a user whose account is locked attempts to authenticate, the custom lockout message is displayed.
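As an added example (not ForgeRock AM's own code), the Python helpers below perform the edit from the steps above on the text of amAuth.properties: they pick the key by authentication method (lockOut for trees, 112 for chains), keep the message|page format, and escape the value the way a Java properties file expects, so a translated message with characters outside ISO-8859-1 survives the round trip. SAMPLE_AMAUTH is a constructed excerpt standing in for the real file; the function names and the checks on the message and page name are this example's own.

```python
"""Added example, not ForgeRock AM's own code: helpers for the edit in the
steps above. They rewrite the lockout message line in amAuth.properties text,
choose the key by authentication method (lockOut for trees, 112 for chains),
keep the "message|page" format, and escape the value the way a Java properties
file expects. SAMPLE_AMAUTH is a constructed excerpt, not the shipped file."""
import re
from typing import Optional, Tuple

# Properties key that carries the lockout message, per authentication method.
LOCKOUT_KEYS = {"tree": "lockOut", "chain": "112"}

# Constructed excerpt standing in for amAuth.properties (values are made up).
SAMPLE_AMAUTH = """\
# constructed excerpt, not the real amAuth.properties
lockOut=User Account Locked|user_inactive.jsp
112=User Account Locked|user_inactive.jsp
113=Some unrelated message
"""


def escape_property_value(value: str) -> str:
    """Escape a value for a Java .properties file: backslashes and line breaks
    are escaped, and characters outside ISO-8859-1 become \\uXXXX escapes,
    which every Java properties loader accepts regardless of file encoding."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) > 0xFF:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _key_pattern(key: str) -> "re.Pattern[str]":
    # A properties key may be followed by '=' or ':'; anchor so 112 never matches 1120.
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*)$")


def set_lockout_message(properties_text: str, message: str, page: str,
                        mode: str = "tree") -> str:
    """Return properties_text with the lockout line for `mode` replaced
    (or appended if absent) by key=<message>|<page>."""
    key = LOCKOUT_KEYS[mode]
    if "|" in message:
        raise ValueError("'|' separates the message from the page and cannot appear in the message")
    if not page.endswith(".jsp"):
        raise ValueError("page must name the JSP shown on lockout, e.g. user_inactive.jsp")
    new_line = f"{key}={escape_property_value(message)}|{page}"
    pattern = _key_pattern(key)
    lines = properties_text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        if pattern.match(line):
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def lockout_message(properties_text: str, mode: str = "tree") -> Optional[Tuple[str, str]]:
    """Read back (message, page) for `mode`, or None if the key is missing."""
    pattern = _key_pattern(LOCKOUT_KEYS[mode])
    for line in properties_text.splitlines():
        m = pattern.match(line)
        if m:
            value = m.group(1)
            message, sep, page = value.rpartition("|")
            return (message, page) if sep else (value, "")
    return None


if __name__ == "__main__":
    updated = set_lockout_message(
        SAMPLE_AMAUTH,
        "Your example.com account has been locked. Please contact your support agent.",
        "user_inactive.jsp", mode="tree")
    print(updated)
```

Only the line for the chosen key changes; the other key and unrelated entries in the file are left as they are, which is what you want when trees and chains are both in use in the same deployment.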