Enabling automatic password unlocking



When your BMC Helix Innovation Suite account is locked due to failed password attempts, the account is automatically unlocked after a predefined time interval. You need not contact an administrator to unlock the account.

Administrators can use the Centralized Configuration to set the maximum number of incorrect password attempts and the unlock interval.

Automatic password unlocking helps protect your environment from brute-force attacks while reducing the need for manual account recovery.

Account lockout and automatic unlock work only for AR System users who are defined in the AR System User form and authenticated directly by the AR System server. For environments using Helix Single Sign-On (HSSO) with an external Identity Provider (IdP), such as Azure AD, LDAP, or SAML, the account lockout and unlock settings must be managed within the IdP.


Example

Allen Allbrook, an administrator at Apex Global, configures automatic password unlocking for internal users authenticated via AR System Authentication.
Allen sets the value of the Max-Password-Attempts setting to 3, meaning a user account will be locked after three incorrect password entries. He also sets the Max-Unlock-Attempts to 3, allowing the system to automatically unlock the account up to three times after the specified unlock time interval. The unlock time interval is defined using the Auto-Time-To-Unlock setting in the Centralized Configuration, which Allen sets to 600 seconds.


To enable automatic password unlocking for a BMC Helix Innovation Suite account

To enable automatic password unlocking, administrators use the following settings in the Centralized Configuration:

Setting name          | Default value | Description
----------------------|---------------|------------------------------------------------------------------
Max-Password-Attempts | 3             | Number of incorrect password attempts before the account is locked. For more information, see Configuration settings E-M.
Max-Unlock-Attempts   | 5             | Number of times the account is automatically unlocked. For more information, see Configuration settings E-M.
Auto-Time-To-Unlock   | 600 seconds   | Time interval after which the account is automatically unlocked. For more information, see Configuration settings A-B.

Consider the following points when you enable automatic password unlocking:

  • The time interval for automatic account unlocking increases in multiples of the initial value set in the Auto-Time-To-Unlock setting. This progressive delay helps prevent brute-force attacks by slowing down repeated login attempts.
    For example, consider the following configuration:

    Auto-Time-To-Unlock = 600 seconds
    Max-Unlock-Attempts = 3
    Max-Password-Attempts = 3 (required for automatic unlock to work)

    You have three chances to log in. If all three attempts have incorrect passwords, your account will be locked. After the first lockout, the account automatically unlocks after 600 seconds. If you enter incorrect credentials again and trigger a second lockout, the account unlocks after 1200 seconds (600 × 2). On a third lockout, the unlock time increases to 1800 seconds (600 × 3).

  • If you exceed the value set for the Max-Unlock-Attempts setting, your account is locked and is no longer unlocked automatically. You must contact your administrator to unlock the account.
  • If the administrator changes the value of the Max-Unlock-Attempts setting during business hours, the system honors the current (most recently saved) value.
    For example, if you update the value of the Max-Unlock-Attempts setting from 5 to 3 during business hours, the account gets locked at the fourth incorrect password attempt.
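To make the progressive-delay and unlock-count rules above concrete, the following Python model, added here and not BMC's own code (it does not reflect the AR System server's implementation), replays a sequence of login attempts against the three settings and also reports how many online guesses an account can absorb before an administrator must intervene. It assumes that attempts made while the account is locked are not counted and that a successful login resets only the failed-attempt counter.

```python
from dataclasses import dataclass
# Constructed model of the lockout behaviour this page describes; not BMC's own code.
@dataclass
class LockoutPolicy:
    max_password_attempts: int = 3  # Max-Password-Attempts
    max_unlock_attempts: int = 5    # Max-Unlock-Attempts
    auto_time_to_unlock: int = 600  # Auto-Time-To-Unlock, in seconds

@dataclass
class AccountState:
    failed_attempts: int = 0   # wrong passwords since the last reset
    lockouts: int = 0          # lockouts so far; drives the progressive delay
    locked_until: int = 0      # time (seconds) the lock expires; 0 = not locked
    needs_admin: bool = False  # Max-Unlock-Attempts exceeded; no more automatic unlocks

def unlock_delay(policy: LockoutPolicy, lockout_number: int) -> int:
    """Delay for the n-th lockout: multiples of Auto-Time-To-Unlock (600, 1200, 1800, ...)."""
    return policy.auto_time_to_unlock * lockout_number

def try_login(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Apply one login attempt at time `now` and return its outcome."""
    if state.needs_admin:
        return "needs_admin"
    if state.locked_until:
        if now < state.locked_until:
            return "locked"        # assumption: attempts made while locked are not counted
        state.locked_until = 0     # automatic unlock: a fresh set of attempts begins
        state.failed_attempts = 0
    if password_ok:
        state.failed_attempts = 0  # assumption: success resets the attempt counter only
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts < policy.max_password_attempts:
        return "bad_password"
    state.lockouts += 1
    if state.lockouts > policy.max_unlock_attempts:
        state.needs_admin = True   # the administrator must unlock the account
        return "needs_admin"
    state.locked_until = now + unlock_delay(policy, state.lockouts)
    return "locked"

def run_attempts(policy: LockoutPolicy, attempts):  # replay (time, password_ok) pairs
    state = AccountState()
    return [try_login(policy, state, t, ok) for t, ok in attempts]

def guess_budget(policy: LockoutPolicy):
    """Online guesses before an administrator must act, and the minimum seconds they take."""
    guesses = policy.max_password_attempts * (policy.max_unlock_attempts + 1)
    seconds = sum(unlock_delay(policy, n) for n in range(1, policy.max_unlock_attempts + 1))
    return guesses, seconds
```

With the example configuration (3 / 3 / 600 seconds), guess_budget shows the account absorbs at most 12 wrong guesses spread over at least 3600 seconds before it stays locked; with the defaults (3 / 5 / 600) that is 18 guesses over 9000 seconds.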

Troubleshooting issues with account lockouts

If your account is locked due to multiple incorrect password attempts, you might see error 624. For more information, see Error messages 601 to 700.

Review the following knowledge article for steps on how to unlock the account:
BMC Helix ARSystem - ARSystem administrator cannot login


To track user account activity

Track logs of incorrect password attempts through the AR escalation logs stored in the db folder.

The following screenshot shows the escalation logs:

[Screenshot: user_account_unlock.png, showing the AR escalation logs of incorrect password attempts]


BMC Helix Innovation Suite 25.4