In this post, I discuss how to troubleshoot Account Lockout Policy issues with Commerce.

WebSphere Commerce provides the ability to create account lockout policies to prevent users from continuously attempting to logon to the site with invalid credentials.  Additional information on Account Lockout policies can be found here in Knowledge Center.  Below are several things to validate when you feel your account lockout policy is not functioning as intended.

Validate your Account lockout mode

Account policies only work when the authentication mode is DB.  Meaning account lockout policies do not work when LDAP is used for authentication.
You can verify your mode of authentication setting in your wc-server.xml

<MemberSubSystem AuthenticationMode="DB" ProfileDataStorage="DB" name="Member SubSystem">

Check the account lockout policy settings for the user

Account lockout policy settings are stored PLCYACCLCK table.  Run the following query to determine the PLCYACCLCK settings for the user you are concerned with:

SELECT LOCKOUTTHRESHOLD, WAITTIME FROM PLCYACCLCK WHERE PLCYACCLCK_ID = (SELECT PLCYACCLCK_ID FROM PLCYACCT P, USERREG U WHERE U.PLCYACCT_ID = P.PLCYACCT_ID AND U.LOGONID = '<Users Logon>')

LOCKOUTTHRESHOLD – this is the number of times a user can consecutively enter a incorrect password before the system lock them out.   Note the word consecutively; meaning once the user authenticates successfully, the previous incorrect attempts reset.

WAITTIME  - this functions to restrict the user from trying to re-logon for a set period of time (seconds) after an invalid logon attempt.

Check the users’ registration record

The USERREG table stores data pertinent to the users current state. 

SELECT STATUS, PLCYACCT_ID, TIMEOUT, PASSWORDRETRIES, PASSWORDINVALID FROM USERREG WHERE LOGONID = '<Users Logon>'

STATUS – contains the users’ current status with the site.  A value of ‘0’ shows the user account is locked and cannot logon.  A value of ‘1’ means the user is enabled.

PLCYACCT_ID – this is the PLCYACCT record which is tied to the user.  This can be used to determine the PLCYACCLCK the user has been associated to.

TIMEOUT – This is the time for which the user cannot log in after a failed attempt to log in

PASSWORDRETRIES – this is number of times the user has unsuccessfully attempted to logon since their last successful attempt.  When the password retries exceeds the PLCYACCLCK. LOCKOUTTHRESHOLD, the account will be locked (STATUS=0)

PASSWORDINVALID – contains the timestamp for the last unsuccessful logon attempt.

Use tracing to determine what is happening

The account lockout policy uses the WC_USER (com.ibm.websphere.commerce.WC_USER=all ) trace to capture what is happening during a logon attempt. 

In the trace, search for the following string:  'com.ibm.commerce.security.commands.LogonCmdImpl.isLogonAllowedNow' 

You will see the following trace pattern with a Entry, Message and Exit. :

com.ibm.commerce.security.commands.LogonCmdImpl.isLogonAllowedNow Entry
com.ibm.commerce.security.commands.LogonCmdImpl.isLogonAllowedNow Last failed logon timestamp is null; returning true
com.ibm.commerce.security.commands.LogonCmdImpl.isLogonAllowedNow Exit

Below are some of the common messages and their meaning the isLogonAllowedNow method will produce:

User Account is disabled

This is telling us the users account is disabled and will not be able to authenticate.  This is due to USERREG.STATUS =0.

Last failed logon timestamp is null; returning true

                This is telling us the users last attempt to authenticate was a success and the user will be allowed to logon

No policy account lockout; returning true

This is telling us the user does not have account lockout policy and will be able to logon.  If you feel the user should have a lockout policy, validate the USERREG. PLCYACCT_ID is set to a valid PLCYACCT record containing a matching PLCYACCTLCK record

Current time is before next allowed time; returning false

This is telling us the user who is trying to authenticate too soon after an invalid password was entered and will not be able to logon.  Meaning the time of logon was prior to the allowed retry time (PASSWORDINVALID + WAITTIME).  Note: This does not count as an invalid or valid logon attempt, so PASSWORDRETRIES will not be adjusted in this case.

Current time is after next allowed time; returning true

 This is telling us the user who is trying to authenticate has waited the necessary time period since their last unsuccessful logon attempt (PASSWORDINVALID).  The application will allow this user to logon.

If you are still unsure, open a PMR with WCS product support

If you are still are unable to determine why your policy account lockout is not functioning as intended, please open a PMR with product support and perform the following steps to assist with analyzing the issue:

1. Enable the following trace: com.ibm.websphere.commerce.WC_USER=all
2. Attempt several logon with the user
3. Provide support your trace.log capturing the above issue
4. Run the following queries and provide support the matching csv's: