How Does Account Lockout Work?

The Commerce Server Membership Provider tracks failed password attempts and failed password answer attempts. When the maximum number of attempts has been reached, Commerce Server Core Systems locks a user's account according to the following algorithm:

1. The threshold for number of allowed bad passwords within a time window is based on the provider’s MaxInvalidPasswordAttempts and PasswordAttemptWindow configuration attributes. Both password attempts and password answer attempts are tracked using the same configuration attributes. However, bad password attempts and bad password answer attempts are not cumulative. For example, if the value for MaxInvalidPasswordAttempts is five, a user can make three failed login attempts followed by four failed password answer attempts. Because the limit for each type of failure is below the threshold, the account is not locked out.

   Note

   Account lockout can be turned off by removing the ProfileSystem.logon_error_dates and ProfileSystem.last_lockedout_date properties from the user profile.

2. Each time a programmatic method that is affected by the account password or password answer is executed, Commerce Server Core Systems must first confirm that the account is not locked out. If the account is locked out, logon attempts fail until one of the following conditions exist:

   • (Current date and time — LastLockoutDate) >= (PasswordLockoutPeriod).

   • If PasswordLockoutPeriod = 0, the lockout is permanent until UnlockUser is called.

   Note

   The value for PasswordLockoutPeriod is in minutes.

3. If the account is not locked out, each time a programmatic method that is affected by the account password or password answer encounters an invalid value, the provider must perform the following logic:

   1. Determine the current time.

   2. Append the current invalid logon time to the logon_error_dates property for passwords or the password_answer_error_dates property for password answers. Both properties are in the UserObject Profile Schema. These values are stored until they reach the value set in MaxInvalidPasswordAttempts.

   3. If there are prior MaxInvalidPasswordAttempts as defined in the PasswordAttemptWindow property, then the IsLockedOut property for the user is set to True and the LastLockoutDate property is set to the current date.

   Note

   Bad password answer tracking occurs only if password question and answer are required.

4. If the logon is successful, the logon_error_dates and password_answer_error_dates properties in the UserObject Profile Schema are cleared.

See Also

Other Resources

Authentication Concepts and Tasks

How to Enable Logons by Using the Commerce Server Membership Provider