In this specific environment, Portal is configured with the Active Directory (AD) LDAP. The AD LDAP is set up to allow 5 invalid attempts. During troubleshooting, Portal support suggested that the customer test authentication against AD directly; AD indeed allowed up to 5 invalid attempts, whereas Portal would lock the user account on the 3rd login attempt, after 2 failed attempts.
The customer also has a Test environment with a similar WebSphere/Portal version, but the problem did not exist there: users could still log in to Portal on the 5th attempt in the Test environment.
Support then found that in the Test environment (which was working correctly), the LDAP host name pointed to a single LDAP server, whereas in the Production environment (where the problem occurred), the LDAP host name pointed to the LDAP Domain Controller.
A review of Portal login traces showed the following:
---------------------------------------
[10/18/11 15:51:19:545 PDT] 00000062 ltpaLoginModu 3 Authenticating "WPS/e123456"
[10/18/11 15:51:19:545 PDT] 00000062 LTPAServerObj > authenticate Entry
[10/18/11 15:51:19:545 PDT] 00000062 UserRegistryI > checkPassword Entry e123456
****
.......
[10/18/11 15:51:28:107 PDT] 00000062 ltpaLoginModu 3 Authenticating "WPS/e123456"
[10/18/11 15:51:28:107 PDT] 00000062 LTPAServerObj > authenticate Entry
[10/18/11 15:51:28:107 PDT] 00000062 UserRegistryI > checkPassword Entry e123456
**** [10/18/11 15:51:28:107 PDT] 00000062 LdapRegistryI > checkPassword Entry e123456
[10/18/11 15:51:28:116 PDT] 00000062 LdapRegistryI 3 Found user CN=Test User(E123456),OU=EAST,OU=SALES,DC=IBM,DC=COM
[10/18/11 15:51:28:117 PDT] 00000062 LdapRegistryI 3 enterJNDI:WebContainer : 1
[10/18/11 15:51:28:146 PDT] 00000062 LdapRegistryI 3 exitJNDI:WebContainer : 1
[10/18/11 15:51:28:146 PDT] 00000062 LdapRegistryI < checkPassword Exit javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1772 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3045)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2991)
...
---------------------------------------------
"When a single LDAP hostname is mapped to multiple IP addresses in the network configuration, and an invalid password is entered at the time of login, WebSphere makes LDAP bind retries as many times as (number of associated IP addresses + 1). This may cause LDAP account lockout."
The following custom properties are introduced to prevent the issue from happening. Which property to use depends on how LDAP failover is configured.
1. If LDAP failover is configured by registering backend LDAP server hostnames using the wsadmin command, set the following property to true by going to Security --> User Registries --> LDAP --> Custom Properties in the WAS administrative console:
com.ibm.websphere.security.registry.ldap.singleLDAP
If this property is set to true, Application Server does not resolve an LDAP hostname to multiple IP addresses. The default value for this property is "false".
2. If LDAP failover is configured by associating a hostname with multiple IP addresses in the network configuration, set the following property to false by going to Security --> User Registries --> LDAP --> Custom Properties in the WAS administrative console:
com.ibm.websphere.security.ldap.retryBind
If this property is set to "false", Application Server does not retry LDAP bind calls. The default value for this property is "true".
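As an added illustration (not code from the technote, from IBM, or from the customer), the following Python script models the bind-count arithmetic behind the quoted explanation and parses WebSphere trace lines in the format shown above to count how many LDAP binds each Portal login attempt actually cost. Assumptions: the per-login cost of (IP addresses + 1) binds, and its suppression by singleLDAP=true or retryBind=false, are taken from the text; the sample trace is constructed, and it assumes each retried bind appears as its own LdapRegistryI checkPassword Entry (the customer's excerpt elides that region); the AD sub-code table lists Active Directory's standard values for the "data" field of a result-code-49 bind error.

```python
import re
from math import ceil

# AD sub-codes carried in the "data NNN" field of an AcceptSecurityContext
# error (LDAP result code 49). 775 is the value in the technote's trace and
# means the account is already locked out; 52e is a plain wrong password.
AD_BIND_SUBCODES = {
    "52e": "invalid credentials",
    "525": "user not found",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def describe_subcode(sub):
    return AD_BIND_SUBCODES.get(sub.lower(), "unknown sub-code " + sub)


def binds_per_failed_login(ip_count, single_ldap=False, retry_bind=True):
    """LDAP binds WebSphere issues for ONE wrong password, per the technote:
    (IP addresses behind the hostname + 1), unless the hostname is forced to a
    single address (singleLDAP=true) or bind retries are off (retryBind=false)."""
    if single_ldap or not retry_bind:
        return 1
    return ip_count + 1


def failed_logins_until_lockout(threshold, ip_count, single_ldap=False, retry_bind=True):
    """User-visible failed Portal logins needed to reach AD's lockout threshold."""
    return ceil(threshold / binds_per_failed_login(ip_count, single_ldap, retry_bind))


TRACE_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]+)\s+(?P<comp>\S+)\s")
AUTH_MARK = re.compile(r'ltpaLoginModu\s+3\s+Authenticating "(?P<user>[^"]+)"')
BIND_ENTRY = re.compile(r"LdapRegistryI\s+>\s+checkPassword Entry")
BIND_ERROR = re.compile(r"error code 49\b.*?\bdata (?P<sub>[0-9a-fA-F]+)")


def analyze_trace(lines):
    """Group LdapRegistryI checkPassword entries under the ltpaLoginModu
    'Authenticating' marker that precedes them on the same thread.
    Assumption: each retried bind shows up as its own checkPassword Entry."""
    attempts, open_attempt = [], {}
    for raw in lines:
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # 'at ...' stack frames and other non-trace lines
        thread = m.group("thread")
        a = AUTH_MARK.search(raw)
        if a:
            open_attempt[thread] = {"thread": thread, "user": a.group("user"),
                                    "ldap_binds": 0, "ad_subcode": None}
            attempts.append(open_attempt[thread])
            continue
        att = open_attempt.get(thread)
        if att is None:
            continue
        if BIND_ENTRY.search(raw):
            att["ldap_binds"] += 1
        e = BIND_ERROR.search(raw)
        if e:
            att["ad_subcode"] = e.group("sub").lower()
    return attempts


def retrying_attempts(attempts):
    """Login attempts that cost more than one bind: the lockout amplifier."""
    return [a for a in attempts if a["ldap_binds"] > 1]


# Constructed sample trace in the technote's line format (not the customer's
# trace): one wrong password costs three binds (hostname -> 2 IPs, +1); a later
# attempt is refused with data 775 because AD has already locked the account.
EXC = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
       "LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data {}, v1772 ]")
SAMPLE_TRACE = "\n".join([
    '[10/18/11 15:51:28:107 PDT] 00000062 ltpaLoginModu 3 Authenticating "WPS/e123456"',
    "[10/18/11 15:51:28:107 PDT] 00000062 LdapRegistryI > checkPassword Entry e123456",
    "[10/18/11 15:51:28:120 PDT] 00000062 LdapRegistryI < checkPassword Exit " + EXC.format("52e"),
    "[10/18/11 15:51:28:121 PDT] 00000062 LdapRegistryI > checkPassword Entry e123456",
    "[10/18/11 15:51:28:133 PDT] 00000062 LdapRegistryI < checkPassword Exit " + EXC.format("52e"),
    "[10/18/11 15:51:28:134 PDT] 00000062 LdapRegistryI > checkPassword Entry e123456",
    "[10/18/11 15:51:28:146 PDT] 00000062 LdapRegistryI < checkPassword Exit " + EXC.format("52e"),
    "\tat com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3045)",
    '[10/18/11 15:52:02:001 PDT] 00000062 ltpaLoginModu 3 Authenticating "WPS/e123456"',
    "[10/18/11 15:52:02:002 PDT] 00000062 LdapRegistryI > checkPassword Entry e123456",
    "[10/18/11 15:52:02:015 PDT] 00000062 LdapRegistryI < checkPassword Exit " + EXC.format("775"),
])

if __name__ == "__main__":
    for ips in (1, 2, 3):
        print(f"{ips} IP(s) behind hostname: lockout after "
              f"{failed_logins_until_lockout(5, ips)} failed login(s); "
              f"{failed_logins_until_lockout(5, ips, single_ldap=True)} with singleLDAP=true")
    for att in analyze_trace(SAMPLE_TRACE.splitlines()):
        print(f"thread {att['thread']} user {att['user']}: {att['ldap_binds']} bind(s), "
              f"last AD result: {describe_subcode(att['ad_subcode'] or '')}")
```

With the customer's threshold of 5 and a Domain Controller name resolving to two addresses, the model gives lockout after 2 failed Portal logins, which is why the 3rd attempt was refused; either custom property brings the count back to 5, matching the single-server Test environment. On a real trace, a login attempt with more than one checkPassword Entry is the signature to look for before touching the AD lockout policy.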