Hi,
We are currently making use of the Internet Password Lockout feature. However, we have now come across a problem whereby users are locked out when they only type in their password once. Details:
- Lockout Maximum tries allowed: 4
- Idle session timeout: 30 mins
- Required change interval: 90 days
- HTTP_PWD_CHANGE_CACHE_HOURS=12
After 83 days user is prompted to change password. User changes password. Session is then idle for 30 mins. User then prompted to enter password. Enters password. Instantly locked out.
If you take a look at the logs you can see the user attempts to log in and for each design element on the web page the user gets a failure.
05/11/2008 12:48:22 nhttp: Lucy Lambden [111.222.158.66] authentication failure using internet password: User is locked out
05/11/2008 12:48:22 nhttp: Lucy Lambden [111.222.158.66] authentication failure using internet password: User is locked out
05/11/2008 12:48:22 nhttp: Lucy Lambden [111.222.158.66] authentication failure using internet password: User is locked out
05/11/2008 12:48:23 nhttp: Lucy Lambden [111.222.158.66] authentication failure using internet password: User is locked out
05/11/2008 12:48:23 nhttp: Lucy Lambden [111.222.158.66] authentication failure using internet password: User is locked out
05/11/2008 12:48:23 nhttp: Lucy Lambden [111.222.158.66] authentication failure using internet password: User is locked out
We have many logs like this, some with up to 17 messages all on the same second, for the same user. In the month of October we had 600 users forced to change their password, 100 were locked out!
Has anyone else experienced this problem? It does seem to be something to do with users being forced to change their password. Any ideas?
Thanks,
Andy.
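
One way to measure the pattern described in the post, as an added example that is not part of the original post: it groups the failure lines per user and address and reports runs that arrive too quickly to be manual retries. The regex follows the log lines quoted above; the day-first date format, the thresholds, and the sample lines (fictional users, documentation IP range) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern follows the nhttp failure lines quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) nhttp: (?P<user>.+?) "
    r"\[(?P<ip>[^\]]+)\] authentication failure using internet password: .+$"
)
TS_FORMAT = "%d/%m/%Y %H:%M:%S"  # assumption: day-first dates

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
05/11/2008 09:00:05 nhttp: Other User [192.0.2.20] authentication failure using internet password: User is locked out
05/11/2008 09:05:40 nhttp: Other User [192.0.2.20] authentication failure using internet password: User is locked out
05/11/2008 12:48:22 nhttp: Test User [192.0.2.10] authentication failure using internet password: User is locked out
05/11/2008 12:48:22 nhttp: Test User [192.0.2.10] authentication failure using internet password: User is locked out
05/11/2008 12:48:22 nhttp: Test User [192.0.2.10] authentication failure using internet password: User is locked out
05/11/2008 12:48:23 nhttp: Test User [192.0.2.10] authentication failure using internet password: User is locked out
05/11/2008 12:48:23 nhttp: Test User [192.0.2.10] authentication failure using internet password: User is locked out
""".splitlines()

def find_bursts(lines, max_gap=timedelta(seconds=1), min_events=3):
    """Return (user, ip, first, last, count) for each run of failures from one
    user and address whose consecutive entries are at most max_gap apart."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events[(m["user"], m["ip"])].append(datetime.strptime(m["ts"], TS_FORMAT))
    bursts = []
    for (user, ip), stamps in events.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:] + [None]:  # None flushes the final run
            if ts is not None and ts - run[-1] <= max_gap:
                run.append(ts)
                continue
            if len(run) >= min_events:
                bursts.append((user, ip, run[0], run[-1], len(run)))
            run = [ts]
    return bursts

if __name__ == "__main__":
    for user, ip, first, last, count in find_bursts(SAMPLE_LOG):
        print(f"{user} [{ip}]: {count} failures between {first} and {last}")
```

Several failures for one user within a second or two point to a single page load issuing many authenticated requests rather than repeated password entry, which is the case to separate out when reviewing lockout counts.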