
Your account has been locked error when authentication fails in OpenAM 13.5.1

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if you encounter a "Your account has been locked" error when authentication fails in OpenAM 13.5.1, even though the user's account is not actually locked.


Symptoms

The user sees one of the following messages in the browser when they cannot authenticate:

  • Your account has been locked
  • This user is not active. Contact your system administrator

The following error is shown in the Authentication debug log when this happens:

amAuth:02/12/2018 10:07:29:742 AM GMT: Thread[http-nio-8080-exec-5,5,main]: TransactionId[ab90253e-462e-4225-8a20-97d329775296-384]
Exception : Your account has been locked.|user_inactive.jsp
amAuth:02/12/2018 10:07:29:743 AM GMT: Thread[http-nio-8080-exec-5,5,main]: TransactionId[ab90253e-462e-4225-8a20-97d329775296-384]
Error retrieving SSOToken :
com.iplanet.sso.SSOException: Session state is invalid. AQIC5wM2LY4Sfcxwo1cOJAMRkbIsn0bS8Pm1IB623MLBCnM.*AAJTSQACMDIAAlNLABMxOTM5OTEyMDI1MjY3NzE4OTc0AAJTMQACMDE.* 
   at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:220)
   at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:184)
   at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:236)
   at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:369)
   at com.sun.identity.authentication.service.LoginState.getSSOToken(LoginState.java:1862)
   at com.sun.identity.authentication.service.LoginState.logFailed(LoginState.java:4405)
   at com.sun.identity.authentication.service.LoginState.logFailed(LoginState.java:4352)
   at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:753)
   at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
   at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
   at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:262)
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
   at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)
...
Caused by: com.iplanet.dpro.session.SessionException: Session state is invalid. AQIC5wM2LY4Sfcxwo1cOJAMRkbIsn0bS8Pm1IB623MLBCnM.*AAJTSQACMDIAAlNLABMxOTM5OTEyMDI1MjY3NzE4OTc0AAJTMQACMDE.* 
...

The user is actually unlocked despite the error (inetUserStatus = Active in DS/OpenDJ). You can check the physical account lockout status of a user in the DS/OpenDJ user store by querying the inetUserStatus attribute using the ldapsearch command as demonstrated in How do I enable account lockout in AM/OpenAM (All versions)? (Checking physical account lockout status).
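As an added example (not part of the original article), the following Python script groups amAuth debug records by TransactionId and flags transactions that show the signature above (the locked message, user_inactive.jsp and an invalid-session error on the same transaction). The sample log is constructed from the records shown, with the session ID replaced by a placeholder and one unrelated, constructed failure added.

```python
import re
from collections import defaultdict

# Header line of an amAuth debug record, matching the format shown in the log above.
HEADER = re.compile(
    r"^amAuth:(?P<ts>.+?): Thread\[(?P<thread>[^\]]+)\]: TransactionId\[(?P<txid>[^\]]+)\]\s*$"
)
LOCKED_MSG = "Your account has been locked."
INACTIVE_PAGE = "user_inactive.jsp"
INVALID_SESSION = "Session state is invalid."

# Constructed sample: the two records from the article plus an unrelated failure.
SAMPLE_LOG = """\
amAuth:02/12/2018 10:07:29:742 AM GMT: Thread[http-nio-8080-exec-5,5,main]: TransactionId[ab90253e-462e-4225-8a20-97d329775296-384]
Exception : Your account has been locked.|user_inactive.jsp
amAuth:02/12/2018 10:07:29:743 AM GMT: Thread[http-nio-8080-exec-5,5,main]: TransactionId[ab90253e-462e-4225-8a20-97d329775296-384]
Error retrieving SSOToken :
com.iplanet.sso.SSOException: Session state is invalid. <session-id-placeholder>
   at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:220)
...
amAuth:02/12/2018 10:09:01:100 AM GMT: Thread[http-nio-8080-exec-7,5,main]: TransactionId[constructed-other-txn-001]
Exception : Invalid Password!
"""

def parse_records(lines):
    """Group amAuth lines into (timestamp, txid, message): a header plus every line up to the next header."""
    records, header, body = [], None, []
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if m:
            if header:
                records.append((header["ts"], header["txid"], "\n".join(body)))
            header, body = m.groupdict(), []
        elif header:
            body.append(line)
    if header:
        records.append((header["ts"], header["txid"], "\n".join(body)))
    return records

def find_false_lockouts(lines):
    """Return TransactionIds whose combined records carry all three parts of the signature."""
    by_tx = defaultdict(list)
    for _ts, txid, msg in parse_records(lines):
        by_tx[txid].append(msg)
    return [txid for txid, msgs in by_tx.items()
            if all(s in "\n".join(msgs) for s in (LOCKED_MSG, INACTIVE_PAGE, INVALID_SESSION))]
```

A hit only means the log signature is present; confirm with the ldapsearch check of inetUserStatus described above and verify whether the user exists in every user store configured for the realm.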

Note

amadmin can still log in because that account is stored in the configuration data store rather than in a user store.

Recent Changes

Upgraded to, or installed, OpenAM 13.5.1.

Added one or more additional user stores to a realm.

Causes

This is known issue OPENAM-10233 (Authentication failing when multiple datastores in realm).

A recent change to fix OPENAM-9849 (isActive check should fail if the user is inactive in any of the configured data stores) did not take account of multiple user stores: a user who was not found in the first user store was treated as inactive and was not searched for in the other user store(s). Users who exist in all user stores can authenticate.

Solution

This issue can be resolved by upgrading to OpenAM 13.5.2 or later; you can download this from BackStage.

Workaround

You can work around this issue using one of the following approaches:

  • Ensure users exist in all user stores.
  • Remove any additional user stores to leave only one user store.

See Also

How do I remove the embedded DS/OpenDJ (All versions) after migrating to an external instance?

How do I enable account lockout in AM/OpenAM (All versions)?

How do I understand what the user data store is used for in AM/OpenAM (All versions)?

FAQ: Users in AM/OpenAM

Administrator and user accounts in AM/OpenAM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11791 (Authenticating with two or more datastore in OpenAM 13.5.1 , will result in "Your account has been locked" error message)

OPENAM-10233 (Authentication failing when multiple datastores in realm)

OPENAM-7871 (Document the use of multiple identity repository in the same realm)

Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.
