This is the documentation for SuperSTAR 9.8

SuperSTAR 9.9 is now available.
View this page in the SuperSTAR 9.9 documentation or visit the SuperSTAR 9.9 documentation home.

Skip to end of metadata
Go to start of metadata

To help protect your user accounts from unauthorised access, you can configure SuperADMIN to lock the account if the wrong password is entered more than a certain number of times.

Configure Account Lock Settings

Use the account command to configure the settings for account locking. You can choose:

  • How many times the wrong password can be entered before the account will be locked.
  • What happens if an account does become locked: you can either set the account to automatically unlock again after a certain period of time, or you can specify that accounts never become unlocked automatically (in this case an administrator will have to manually unlock the account).

Use the following commands to configure the account lock settings:

CommandDescription
account maxattempts <value>
Sets the default number of failed login attempts before an account will be locked. This will be the default setting and will apply to all users unless a different setting has been specifically applied to an individual user account.
account <id> maxattempts <value>
Sets the maximum number of failed login attempts before an account will be locked. This is the same as the previous command, except that it applies to a specific user account only.
account locktime <seconds>

Sets the number of seconds to lock an account once the user has exceeded the maximum failed login attempts. During this time the user will not be able to login even if they specify the correct credentials.

For example, if maxattempts is set to 3 and locktime is set to 600 then a user who enters their password incorrectly 3 times will be locked out for 10 minutes before they can log in again.

If you set locktime to 0 then an account that becomes locked will never be unlocked automatically. An administrator user will need to unlock the user account manually in SuperADMIN using the unlock command.

account <id> locktime <seconds>
Sets the number of seconds to lock an account. This is the same as the previous command, except that it applies to a specific user account only.

In order to use the account command to manage a user's account, you must be logged in to SuperADMIN with an administrator account from the same authentication service as the account you are administering.

For example, if the account is managed through Active Directory, you must be logged in as an administrator account that belongs to the same Active Directory service.

Check if an Account is Locked

To check if an account is locked, open accountCatalog.xml in a text editor and search for the record relating to the user's account. This file is updated every time a user attempts to log in to the SuperADMIN console or one of the clients. By default, it is located in C:\ProgramData\STR\SuperADMIN\server\data\.repository\

For example:

<account:user attempts="5" authenticationService="STRLocal" displayName="John Smith" 
              id="jsmith" lastAttempt="1381375248927" locked="true" 
              locktime="-1" maxattempts="3"/>

In this example the user's account is locked (locked="true").

This file also tells us what authentication service the account is using (in this case it is STRLocal, the internal authentication service). To unlock this account in SuperADMIN you must log in as an administrator from the same authentication service as the locked account. This is particularly important if you are using an external authentication service such as LDAP or Active Directory. See the section below for more details.

Unlock an Account

If an account becomes locked, you can manually unlock it using the following command (replace <id> with the ID of the locked user account):

account <id> unlock

For example:

> account jsmith
[User Account : 'John Smith' (id:jsmith) (locked) ]
> account jsmith unlock
> account jsmith
[User Account : 'John Smith' (id:jsmith) ]
>

Important Note if using an External Authentication Service

When managing user accounts, you must ensure you log in to SuperADMIN using an administrator account that belongs to the same authentication service as the user you want to manage.

For example, if you have a user with a locked account, and that user is defined in Active Directory, then you must log in to SuperADMIN using an administrator account that belongs to the same Active Directory authentication service as the locked user.

You can check what authentication service the locked account uses by looking at the record in accountCatalog.xml.

For example:

<account:user attempts="5" authenticationService="ActiveDirectory" displayName="John Smith" 
              id="jsmith" lastAttempt="1381375248927" locked="true" 
              locktime="-1" maxattempts="3"/>

In this example the locked user's account is authenticated through Active Directory. To unlock this account you must login as an administrator account from the same Active Directory authentication service.

If you are using multiple external authentication services then you need to be careful to ensure you login using the right one.

This is particularly relevant if you also have Kerberos configured for single sign on (because logging in through Kerberos may log you in to the wrong one, depending on which authentication service has been set up to use Kerberos).

The easiest way to ensure a non-Kerberos login is to make sure you specify the username and password as arguments to the login command:

> login aduserid aduserpassword