User account keeps getting suspended

[Ricky Watts]

One of our user accounts has got suspended several times now and I'd like to figure out why.  I suspect he just keeps entering the wrong password, but can't find anything in the logs that confirm this.  Are there any logs that show why an account has been suspended?  Also are there any other reasons that the system would suspend an account?

[TrevorKillick]

Hi @Ricky Watts

There are two way a user account can become suspended either through incorrect password attempts or an administrator manually changing the account status to suspended.

If you have Direct Database Access enabled you can query the h_sys_security_log table and see the incorrect attempts for a user, they will also show in the EspServerService log available from the admin tool. 

Kind Regards

Trevor Killick

[Ricky Watts]

That's exactly what I was after, thank you 

 

I've just checked the h_sys_security_log table and it confirms the user did have multiple unsuccessful login attempts before their account was suspended.  I did think that was the case but wanted to confirm that as I'm sure he'll insist he's entering the right password.  Thanks again.

[Steve Giller]

I've just had a suspended user - I have no records in h_sys_security_log that mention her (or, indeed, any entries since 11/2016!)

Is there a way to filter to the relevant entries in EspServerService (or is that pointless as they wouldn't be in one and not the other) rather than trawl through the logs?

Finally, aside from password attempts (we use SSO, so that's unlikely) and manual change, could anything else cause this? I certainly didn't do it and I just want to check nothing else could cause it before I go and start pointing fingers in a shouty manner ...

[Guest Ehsan]

@DeadMeatGF

Is the user suspended or is the user not able to login to Hornbill? Is it possible that it is down to subscriptions? For example, I'm using 3 of 1000 subscriptions on my instance. If I was utilising 1000 / 1000 subscriptions, user 1001 would not be able to login.

[Steve Giller]

Suspended - I hit the refresh icon and she reactivated and could log in immediately.

[Guest Ehsan]

Does the user use the Mobile App? That could lock a user out, if incorrect password attempts are made.

[Steve Giller]

She's service desk, I will check but it's unlikely - and we register mobile devices through the QR code in the web client rather than by signing in.

[Update] @Ehsan I have checked, and the device is registered with the QR code rather than signing in with username/password.

[Steve Giller]

Also - would a failed app login appear in the logs? If so, where can I check?

 

[Guest Ehsan]

You should see an entry like below...

[Steve Giller]

I'm going to assume it's the block that I've attached - although if there was an indication of the username in the error it would be easier to be certain.

Any reason why this would occur with SSO in the client and a registered mobile device - you shouldn't be able to enter invalid credentials in either of those situations, should you?

[Guest Ehsan]

@DeadMeatGF As you can see from the log, 3 wrong attempts were made to login and then the account was suspended. You're right - about a registered Mobile device but if the QR code didn't work for particular reason (e.g. Privacy settings was turned off on the phone, the user has  the option to enter login details manually. 

[Guest Ehsan]

Also if you login to Hornbill externally (i.e. not inside your Network or through the browser on your Mobile device), you'll be prompted to enter login details.

[Steve Giller]

I've identified the problem - the user is having to (?) log in manually every time. I'm not sure why, because we're set up for SSO, but I've got the team investigating that from our end.