It came back to me from PROD saying it didn’t pass some last minute tests. After 5 attempts to login to the system user account was locked as it was expected but remained locked for much longer which was an unpleasant surprise to me.
I remember setting login attempts to 1000 on the request from business on UAT and accidentally moving it to PROD like this. Our portal isn’t live yet so I wasn’t too concerned in general but deeply disturb by the fact that figure “5” and figure “1000” are two very different figures. Therefore something went fundamentally wrong.
After looking a bit closer I realised I must’ve been looking at wrong setting all this time. Last 3 settings in this list from the bottom to the top:
MaxInvalidAttemptsFromIPAddress is a number of login attempts, 1000 in our case, we allow from the same IP address not necessarily using the same User Name and Password. If it’s happening for MaxAttemptsTimeLimitTimeSpan, 3 minutes, then none of logins will be allowed from this IP Address for the next IpAddressTimeoutTimeSpan, 10 minutes.
If you aren’t a horrible script or bot we don’t expect you to bombard a portal like this. Go and chill for 10 minutes!
So what about 5 attempts? As a developer I like all sort of magic figures. I checked for settings to find out that none of the relevant once pointed to 5. So there are other settings somewhere which exist in a different dimension, joking. Here they are!
These settings were aren’t specified in the system explicitly but they were set to defaults. Let me repeat it again: these settings were aren’t in the list of Site Settings but they were applied still. I “visualised” them by creating them explicitly to not get confused ever again.
MaxFailedAccessAttemptsBeforeLockout is 5. If you try to login to a portal 5 times with the same User Name unsuccessfully you will be locked for DefaultAccountLockoutTimeSpan time. We were very unlucky to have this setting to be defaulted to 24 hours. This is how we’ve learnt!
As admin you can always unlock anyone from the CRM side by clearing value on the Portal Contact form for the Contact which was locked out.
Don’t forget to clear portal cache.