User locked out from Crowd due to "Maximum allowed invalid password attempts has been reached" error
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
The Internal User Directory can be configured with a maximum number of invalid password attempts, after which the authenticating account is disabled.

When this option is set, Crowd internal users are allowed a maximum number of consecutive failed login attempts. Once that number is reached, the user can no longer log in, even with the correct password. When a user is locked out this way, the following is recorded in <crowd-home-directory>/logs/atlassian-crowd.log:
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [atlassian.crowd.directory.InternalDirectory] user_name: Maximum allowed invalid password attempts has been reached.
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [crowd.manager.application.ApplicationServiceGeneric] Invalid credentials for user admin in directory Example Company Crowd server (163841), aborting
2019-07-06 20:34:42,852 http-nio-8095-exec-2 INFO [crowd.console.action.Login] The user: 'user_name' attempted to login with incorrect credentials
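The lockout and failed-login entries shown above can be pulled out of atlassian-crowd.log per user, which helps tell a single forgotten password apart from repeated failures against an account. The following Python script is an added example, not part of the original article: the function names are hypothetical, the sample log lines are constructed from the excerpt above, and user names are lowercased on the assumption that Crowd treats them case-insensitively.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout seen in the article's excerpt: timestamp thread LEVEL [logger] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ [A-Z]+ +"
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
LOCKOUT_RE = re.compile(
    r"^(?P<user>.+): Maximum allowed invalid password attempts has been reached\.?$")
FAILED_RE = re.compile(
    r"^The user: '(?P<user>.+)' attempted to login with incorrect credentials$")

# Constructed sample input, modelled on the excerpt above (not real log data).
SAMPLE_LOG = """\
2019-07-06 20:31:02,101 http-nio-8095-exec-4 INFO [crowd.console.action.Login] The user: 'jdoe' attempted to login with incorrect credentials
2019-07-06 20:34:40,007 http-nio-8095-exec-3 INFO [crowd.console.action.Login] The user: 'Admin' attempted to login with incorrect credentials
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [atlassian.crowd.directory.InternalDirectory] admin: Maximum allowed invalid password attempts has been reached.
2019-07-06 20:34:42,824 http-nio-8095-exec-1 INFO [crowd.manager.application.ApplicationServiceGeneric] Invalid credentials for user admin in directory Example Company Crowd server (163841), aborting
2019-07-06 20:34:42,852 http-nio-8095-exec-2 INFO [crowd.console.action.Login] The user: 'admin' attempted to login with incorrect credentials
    at constructed.noise.Line(Noise.java:1)
"""


def summarize_lockouts(text):
    """Return {lowercased user: {"failed": int, "lockouts": [datetime, ...]}}."""
    stats = defaultdict(lambda: {"failed": 0, "lockouts": []})
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # continuation lines (stack traces) and blanks
        logger, msg = line["logger"], line["msg"]
        if logger.endswith("InternalDirectory") and (m := LOCKOUT_RE.match(msg)):
            ts = datetime.strptime(line["ts"], "%Y-%m-%d %H:%M:%S,%f")
            stats[m["user"].lower()]["lockouts"].append(ts)
        elif logger.endswith("console.action.Login") and (m := FAILED_RE.match(msg)):
            stats[m["user"].lower()]["failed"] += 1
    return dict(stats)


def locked_users(stats):
    """Users with at least one lockout event, sorted for stable reporting."""
    return sorted(user for user, s in stats.items() if s["lockouts"])


if __name__ == "__main__":
    report = summarize_lockouts(SAMPLE_LOG)
    for user in locked_users(report):
        last = max(report[user]["lockouts"]).isoformat(sep=" ")
        print(f"{user}: locked out at {last}, {report[user]['failed']} console failures logged")
```

The "attempted to login with incorrect credentials" line comes from the Crowd console login action, so failures arriving through other connected applications are not counted by this script.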
Resolutions
Scenario 1: If there are other administrator users in Crowd and they are able to login.
As that administrator, go to Users.
In the Directory drop-down, select the Internal User Directory that the locked user belongs to.
Click Search.
Locate the locked user and click on their Name.
Click on the Attributes tab.
Change the value of invalidPasswordAttempts to 0 and click Update.
The locked-out user will now be able to log in with their password; however, Crowd will request them to change their password upon first successful login.

Scenario 2: If there are NO other administrator users in Crowd.
If the locked-out user is the sole administrator of the Crowd instance, the following queries should be used.
⚠️ The procedure below involves direct database manipulation. We highly recommend that you back up the database before performing the changes.
To get the Internal Directory ID
SELECT id FROM cwd_directory WHERE directory_type = 'INTERNAL';
Get the User ID
SELECT id FROM cwd_user WHERE lower_user_name = 'add_admin_user_name_here' AND directory_id = <directory_id_from_query_1>;
Get the user's invalidPasswordAttempts attribute record
SELECT * FROM cwd_user_attribute WHERE user_id = <user_id_from_query_2> AND attribute_name = 'invalidPasswordAttempts' AND directory_id = <directory_id_from_query_1>;
The above query will return a record like this
We will need to change the values of attribute_value, attribute_lower_value, and attribute_numeric_value to 0 using the following query:
UPDATE cwd_user_attribute SET attribute_value = 0, attribute_lower_value = 0, attribute_numeric_value = 0 WHERE id = <attribute_id_from_number_4_above> ;
Once the above is performed, the locked-out user will be able to log in with their password; however, Crowd will request them to change their password upon first successful login.