1. Lockout users after 5 failed attempts not working as expected

Mark_Bailey
Mega Guru

I have a request to do:

  1. Lockout users after 5 failed attempts
  2. Unlock user after 30 minutes
  3. Reset failed attempts after 5 minutes.

1 and 2 should be out of box, I think, using script action: SNC User Lockout Check with Auto Unlock (see script below). I set the value as I understood, but my lockout is occurring after 3 failed attempts. Did I set the values wrong? Could there be another place I need to set the values? Any suggestion for number 3?

//
// Check to see if the user has failed to login too many times
// when the limit is reached, lock the user out of the system.
// Also create a trigger to unlock the user after 'N' minutes.
//
lockoutOnFailedLogin();

function lockoutOnFailedLogin() {
    var maxUnlockAttempts = gs.getProperty("glide.user.max_unlock_attempts", 5);
    var gr = new GlideRecord("sys_user");
    if (gr.get("user_name", event.parm1.toString())) {
        if (gr.failed_attempts > maxUnlockAttempts)
            return;
        gr.failed_attempts += 1;
        if (gr.failed_attempts > maxUnlockAttempts) {
            gr.locked_out = true;
            gr.update();
            gs.log("User " + event.parm1 + " locked out due to too many invalid login attempts");
            gs.addErrorMessage('You have been locked out of the system because of too many failed logon attempts. Please try again in 30 minutes.');
            triggerUnlock(gr.sys_id);
        } else {
            gr.update();
        }
    }
}

function triggerUnlock(userSysID) {
    var unlockIn = gs.getProperty("glide.user.unlock_timeout_in_mins", 30);
    var trigger = new GlideRecord("sys_trigger");
    trigger.name = "Unlock the user after " + unlockIn + " mins";
    trigger.next_action = getTriggerTime(unlockIn);
    trigger.job_id.setDisplayValue('RunScriptJob');
    trigger.script = getTriggerScript(userSysID, gs.nowNoTZ());
    trigger.document = 'sys_user';
    trigger.document_key = userSysID;
    trigger.state = 0;
    trigger.trigger_type = 0;
    trigger.insert();
}

function getTriggerScript(userSysID, now) {
    var ret = ""
        + "var gr = new GlideRecord('sys_user');\n"
        + "gr.addQuery('sys_id', '" + userSysID + "');\n"
        + "gr.addQuery('locked_out', true);\n"
        + "gr.addEncodedQuery('sys_updated_on <= " + now + "');\n"
        + "gr.query();\n"
        + "if (gr.next()) {\n"
            + "gr.locked_out = false;\n"
            + "gr.failed_attempts = 0;\n"
            + "gr.update();\n"
            + "gs.log('Auto-unlocking user '+gr.name);\n"
        + "} else {\n"
            + "gs.log('Unable to auto-unlock user with sys_id: " + userSysID + "');\n"
        + "}";
    return ret;
}

function getTriggerTime(minutesToAdd) {
    var checkTime = new GlideDateTime(/*now*/);
    checkTime.addSeconds(minutesToAdd * 5);
    return checkTime;
}

 

 

1 ACCEPTED SOLUTION

Jace Benson
Mega Sage

Source: https://docs.servicenow.com/bundle/jakarta-platform-administration/page/administer/security/task/t_L...

So you should be able to change property glide.user.max_unlock_attempts to 5 and that should take care of 1 and 2.

You also should be able to change the glide.user.unlock_timeout_in_mins property to 5 and that should take care of 3.

No code changes should be required to make this occur.


8 REPLIES

Les1
Tera Guru

The properties glide.user.unlock_timeout_in_mins & glide.user.max_unlock_attempts were both missing for my production instance. Is it normal for properties like this to be missing? It would be helpful if the documentation could remind that admins can just create the property if missing; I'm always cautious about trying to add things like this without actual direction.

In these cases of properties being mentioned in documentation and not existing in your environment, you just need to create them. Chances are the code uses the property or the default value, so the property is more of an override, and not something necessary to work.

Les1
Tera Guru

I tried turning on the script action: SNC User Lockout Check with Auto Unlock, hoping that it would unlock and activate a mass of users that for some reason had become locked and inactive.

However, after enabling the script, I did not see it perform in this manner, so perhaps I misunderstand how it is expected to perform.

I also wasn't sure if the glide.user.unlock_timeout_in_mins should be an integer or string (looking back at this thread though I see it needs to be Integer). Again, if they'd add that kinda stuff to documentation, it would be helpful, particularly for new admins.

Sidu
Tera Contributor

Hi Mark,

I recently ran into the same issue as you mentioned. Even though the value is set to 5, the account is getting locked on the 3rd attempt. The reason I found is we have 2 script actions in place, 'SNC User Lockout Check' and 'SNC User Lockout Check with Auto Unlock', where we are incrementing the 'failed_attempt' by 1. Since both are running in the background, it is setting the 'failed_attempt' value to 2 for each failed attempt. And after 2 failed attempts the count goes to 4, and it locks out the user on the 3rd attempt as it reaches 6 (which is greater than max login attempts, i.e., 5 in our case). I tried deactivating the 1st one, as the script is already part of the 2nd script action, and it is working as expected.

I know it's too late to respond but it might be helpful for others.

Thanks,

Sidu
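
The double-increment effect described in the reply above, reproduced as an added example (not code from the thread or from ServiceNow). It is plain JavaScript with no Glide APIs, and it assumes both script actions count the way the script posted in the question does and run one after the other on the same user record; the helper names, the user object and the event name are assumptions made for the illustration.

```javascript
// Added illustration in plain JavaScript (no Glide APIs). The user object and
// the registration list are constructed stand-ins, not instance data.

// One lockout script action, following the counting logic of the script
// posted in the question (both comparisons are a strict '>').
function makeLockoutAction(maxAttempts) {
    return function onFailedLogin(user) {
        if (user.failed_attempts > maxAttempts) return;
        user.failed_attempts += 1;
        if (user.failed_attempts > maxAttempts) user.locked_out = true;
    };
}

// Run every active action once per failed login; return the number of the
// failed login that locks the account and the counter value at that point.
function failedLoginsUntilLockout(actions, maxLogins) {
    var user = { failed_attempts: 0, locked_out: false };
    for (var n = 1; n <= maxLogins; n++) {
        actions.forEach(function (action) { action(user); });
        if (user.locked_out) return { login: n, counter: user.failed_attempts };
    }
    return null; // never locked within maxLogins
}

// Audit helper: events that have more than one active handler registered.
function eventsWithDuplicateHandlers(registrations) {
    var byEvent = {};
    registrations.filter(function (r) { return r.active; }).forEach(function (r) {
        (byEvent[r.event] = byEvent[r.event] || []).push(r.name);
    });
    return Object.keys(byEvent).filter(function (e) { return byEvent[e].length > 1; })
        .map(function (e) { return { event: e, handlers: byEvent[e] }; });
}

// Constructed sample: both script actions named in the thread are active.
// The event name is an assumption; the thread does not state it.
var registrations = [
    { name: 'SNC User Lockout Check', event: 'login.failed', active: true },
    { name: 'SNC User Lockout Check with Auto Unlock', event: 'login.failed', active: true }
];

var max = 5;
var one = failedLoginsUntilLockout([makeLockoutAction(max)], 20);
var both = failedLoginsUntilLockout([makeLockoutAction(max), makeLockoutAction(max)], 20);
console.log('one action :', one);
console.log('two actions:', both);
console.log(eventsWithDuplicateHandlers(registrations));
```

With a limit of 5, two active actions lock the account on the third failed login with the counter at 6, while a single action locks it on the sixth, because the comparison is a strict `>`.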