User locked out from Crowd due to "Maximum allowed invalid password attempts has been reached" error
The Internal User Directory has an option to set the maximum number of invalid password attempts before the authenticating account is disabled.
When this option is set, Crowd internal users are allowed a maximum number of consecutive failed login attempts, after which the user can no longer log in (even if the user finally uses the correct password). When a user gets locked out due to this issue, Crowd records the following:
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [atlassian.crowd.directory.InternalDirectory] user_name: Maximum allowed invalid password attempts has been reached.
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [crowd.manager.application.ApplicationServiceGeneric] Invalid credentials for user admin in directory Example Company Crowd server (163841), aborting
2019-07-06 20:34:42,852 http-nio-8095-exec-2 INFO [crowd.console.action.Login] The user: 'user_name' attempted to login with incorrect credentials
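An added example, not part of the original article or of Crowd itself: a small parser for the log format shown above that counts lockout events per user, which helps tell one forgotten password apart from many accounts being locked in a short window. The sample lines and user names are constructed, and the number in parentheses is assumed to be the directory ID.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpt above (user names are made up).
SAMPLE_LOG = """\
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [atlassian.crowd.directory.InternalDirectory] jdoe: Maximum allowed invalid password attempts has been reached.
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [crowd.manager.application.ApplicationServiceGeneric] Invalid credentials for user jdoe in directory Example Company Crowd server (163841), aborting
2019-07-06 20:34:42,852 http-nio-8095-exec-2 INFO [crowd.console.action.Login] The user: 'jdoe' attempted to login with incorrect credentials
2019-07-06 20:35:10,101 http-nio-8095-exec-4 INFO [atlassian.crowd.directory.InternalDirectory] jdoe: Maximum allowed invalid password attempts has been reached.
2019-07-06 20:36:01,007 http-nio-8095-exec-3 INFO [atlassian.crowd.directory.InternalDirectory] admin: Maximum allowed invalid password attempts has been reached.
"""

# timestamp, thread, level, [logger], message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<thread>\S+) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
LOCKOUT = re.compile(
    r"^(?P<user>.+): Maximum allowed invalid password attempts has been reached\.?$")
# Assumption: the parenthesised number is the directory ID.
DIRECTORY = re.compile(
    r"^Invalid credentials for user (?P<user>.+) in directory (?P<dir>.+) \((?P<id>\d+)\), aborting$")


def lockout_report(log_text):
    """Return {user: {count, first, last, directories}} for lockout events."""
    report = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "directories": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack traces, wrapped lines, other formats
        msg = m["msg"]
        if (hit := LOCKOUT.match(msg)) and m["logger"].endswith("InternalDirectory"):
            entry = report[hit["user"]]
            entry["count"] += 1
            entry["first"] = entry["first"] or m["ts"]
            entry["last"] = m["ts"]
        elif (hit := DIRECTORY.match(msg)) and hit["user"] in report:
            # Attach the directory named on the follow-up line to a locked user.
            report[hit["user"]]["directories"].add((hit["dir"], int(hit["id"])))
    return dict(report)


if __name__ == "__main__":
    for user, info in lockout_report(SAMPLE_LOG).items():
        print(user, info["count"], info["first"], info["last"], sorted(info["directories"]))
```
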
Scenario 1: If there are other administrator users in Crowd and they are able to log in.
- The administrator user should head over to Users
- On the Directory drop down, select the Internal User Directory that the locked user belongs to.
- Click Search.
- Locate the locked user and click on their Name
- Click on the Attributes tab
- Change the value of invalidPasswordAttempts to 0 and click Update.
- The locked out user will now be able to log in with their password; however, Crowd will request them to change their password upon first successful login.
Scenario 2: If there are NO other administrator users in Crowd.
In the case that the locked out user is the sole administrator of the Crowd instance, the following queries should be used.
The procedure below involves direct database manipulation. We highly recommend that you back up the database before performing the changes.
To get the Internal Directory ID
SELECT id FROM cwd_directory WHERE directory_type = 'INTERNAL';
Get the User ID
SELECT id FROM cwd_user WHERE lower_user_name = 'add_admin_user_name_here' AND directory_id = <directory_id_from_query_1>;
Get the user's invalidPasswordAttempts attribute record
SELECT * FROM cwd_user_attribute WHERE user_id = <user_id_from_query_2> AND attribute_name = 'invalidPasswordAttempts' AND directory_id = <directory_id_from_query_1>;
- The above query will return a record like this
We will need to change the values of attribute_value, attribute_lower_value, and attribute_numeric_value to 0 using the following query:
UPDATE cwd_user_attribute SET attribute_value = 0, attribute_lower_value = 0, attribute_numeric_value = 0 WHERE id = <attribute_id_from_number_4_above> ;
- Once the above is performed, the locked out user will now be able to log in with their password; however, Crowd will request them to change their password upon first successful login.