10 Replies Latest reply on Jan 4, 2021 4:16 AM by Shriharsha Manjunath

    MDM User lock out issue

    swathi s Seasoned Veteran

      Hi,

      We have been facing a strange issue of late. We have a user ID created in MDM for real-time services orchestrated through IIB and SIF calls executed through INFA power center. Currently we are working on MDM 10.3 HF3.

      Frequently, the user account created for real-time and SIF processing is locked out. The default setting is to lock out the account after 10 failed attempts. We are not able to trace the process that is triggering the log-in and causing the lock out issue.

      Any pointers to help us resolve the same are much appreciated.

      Note: Along with the real-time user, one of the data stewards' accounts is also getting locked out frequently despite minimal activity.

        • 1. Re: MDM User lock out issue
          Subbu K Guru

          There are two different scenarios:

          1. Since you have only minimal activity, the actual error might be different but is being incorrectly shown as a user locked out error. In that case, are you able to run the same job after some time without unlocking the user? Also, once you get the locked out error message, can you confirm the number in the field FAILED_LOGIN_ATTEMPTS in the C_REPOS_USER table for this particular user? If this number is much less than 10, then we need to assess the original root cause by analyzing the log file. The log may have the original error just before the lock error.

          2. There could be a real locking error. The error might have been caused by an incorrect login (internally) from internal processes like ActiveVOS. In this case, you cannot re-login without unlocking the user and the FAILED_LOGIN_ATTEMPTS should have a value of 10.

           

          Can you confirm the above?

          FAILED_LOGIN_ATTEMPTS value in the C_REPOS_USER table.

          • 2. Re: MDM User lock out issue
            swathi s Seasoned Veteran

            Hi Subbu K,

            Thank you for taking the time to reply. We have an automated process set up to query the C_REPOS_USER table and send an email alert when a particular user account's failed login attempts exceed 10. This is an issue with the number of failed attempts; however, we are not able to figure out the process triggering the login.

            Also, strangely, the issue occurred for one of the developers' user IDs with LDAP authentication. The credentials aren't cached in any process or even hardcoded in any external process. This is a bit of a baffling situation we have at hand.

             

            PS: We have an active case being worked on by INFA and we are yet to figure out the root cause.

            • 3. Re: MDM User lock out issue
              Priyesh Gupta Seasoned Veteran

              Hi Swati,

               

              By any chance, is the task assignment daemon running in your environment? If yes, try to disable it and let's see the change.

               

              sip.task.assignment.interval=0 (you can check this parameter in the cmxserver.properties file).

               

              Regards,

              Priyesh

              • 4. Re: MDM User lock out issue
                swathi s Seasoned Veteran

                Hi Priyesh,

                Thank you for replying. The task assignment interval is set to 10 as we have some BeMerge tasks running for data stewards.

                Can you give me a little more insight into how the task assignment daemon impacts the user ID, specifically only 2 user IDs, one of them being a developer's credentials with LDAP authentication? I would like to understand the scenario a little more.

                • 5. Re: MDM User lock out issue
                  Priyesh Gupta Seasoned Veteran

                  Hi Swati,

                   

                  If it is specific to only two users, then the task daemon will not be the problem.

                   

                  Better to reset the passwords for these two specific users once and let's see the result.

                   

                  Regards,

                  Priyesh

                  • 6. Re: MDM User lock out issue
                    swathi s Seasoned Veteran

                    Hi Priyesh,

                    We did try resetting the passwords and we still see the issue recurring.

                    • 7. Re: MDM User lock out issue
                      Priyesh Gupta Seasoned Veteran

                      Hi Swati,

                       

                      Are these users LDAP-based users or hub users?

                       

                      Also try to set the PASS_MAX_Failed_Logins to some higher value like 100+.

                      • 8. Re: MDM User lock out issue
                        swathi s Seasoned Veteran

                        They are LDAP users. Sure, will try changing the PASS_MAX_Failed_Logins value. Is there any other way to find the RCS for the issue, as this is occurring during non-business hours when the actual users are offline?

                        • 9. Re: MDM User lock out issue
                          Subbu K Guru

                          A couple of things you can do:

                          a) Enable the audit for Authenticate Request. This will capture all the requests and the timestamps.

                          b) Work with the support team to set up a database trigger on the field update of FAILED_LOGIN_ATTEMPTS. This will capture the instances when this field is updated with or without the authenticate request by any chance.

                           

                          I can understand the internal service user being locked out (potentially due to task-related authentication issues, thus the recommendation to switch off the task daemon to test it). But your LDAP user being locked out is weird. I don't think both are related, and mostly the LDAP user lockout could be a manual error. You can closely watch the LDAP user issue again.

                          • 10. Re: MDM User lock out issue
                            Shriharsha Manjunath Seasoned Veteran

                            In addition to creating the trigger, collect the timestamp when failed_login_attempts got increased and share with us both the cmxserver and application server logs.
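
Added example, not part of the thread and not Informatica code: once the trigger on FAILED_LOGIN_ATTEMPTS and the Authenticate request audit suggested in replies 9 and 10 are both capturing timestamps, the two record sets can be correlated to see which caller precedes each counter increment and which increments have no request behind them. The record layouts, user names and component names below are constructed for illustration and are assumptions, not MDM formats.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; layouts are assumptions, not Informatica formats.
# Rows a trigger on C_REPOS_USER.FAILED_LOGIN_ATTEMPTS might record:
# (timestamp, user, old value, new value)
COUNTER_CHANGES = [
    ("2021-01-03 01:10:05", "rt_user", 0, 1),
    ("2021-01-03 01:20:05", "rt_user", 1, 2),
    ("2021-01-03 01:30:06", "rt_user", 2, 3),
    ("2021-01-03 02:00:00", "rt_user", 3, 0),   # counter reset, not a failure
    ("2021-01-03 02:15:40", "dev_ldap", 0, 1),
]
# Audited Authenticate requests: (timestamp, user, calling component)
AUTH_REQUESTS = [
    ("2021-01-03 01:10:04", "rt_user", "sif-batch"),
    ("2021-01-03 01:20:04", "rt_user", "sif-batch"),
    ("2021-01-03 01:30:04", "rt_user", "sif-batch"),
    ("2021-01-03 01:59:59", "rt_user", "iib-flow"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(changes, requests, window_seconds=5):
    """Pair each counter increment with the latest Authenticate request for
    the same user in the preceding window; None means no request was seen."""
    window = timedelta(seconds=window_seconds)
    results = []
    for when, user, old, new in changes:
        if new <= old:  # unlock or successful login reset the counter
            continue
        t = _ts(when)
        candidates = [(_ts(rt), src) for rt, ru, src in requests
                      if ru == user and timedelta(0) <= t - _ts(rt) <= window]
        source = max(candidates)[1] if candidates else None
        results.append((when, user, new, source))
    return results

def failures_by_source(results):
    """Count increments per (user, source); source None = unattributed."""
    return Counter((user, source) for _, user, _, source in results)

if __name__ == "__main__":
    paired = correlate(COUNTER_CHANGES, AUTH_REQUESTS)
    for row in paired:
        print(row)
    print(failures_by_source(paired))
```

A regular interval between increments attributed to one component points at a scheduled job holding a stale credential, while increments with no matching request are the case reply 9 describes as the field being updated without an authenticate request.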