Thursday, November 10, 2011

User Lockout feature in Weblogic Server



In real life projects generally we use LDAP server possibly Microsoft Active Directory (AD) to authenticate and authorize Users security.

One common security policy is to lock the user account after few invalid attempts for some period of time. As a end user and system administrators you think that this is responsibility of  LDAP authentication provider which makes sense.

One should be aware of that in addition to LDAP authentication provider weblogic server also has a user lockout feature which actually locks the user at weblogic level as well when end user tries 5 invalid login attempts  for 30 minutes this is the default behavior.


  • We have default weblogic User lock settings enabled

  • User zbaig tries 5 invalid login attempts and got "Invalid username or password" message in the application

Solution 1 Unlock the user in Weblogic Server:

  • To allow zbaig to login again we need to either wait 30 minutes or unlock the user (default behavior or you can change the settings as per your requirement)
  • To unlock user from weblogic server 
  • Click on your domain name on the left pane in domain structure
  • Go to security tab then unlock user tab 
  • Enter username you want to unlock and press save

  • Try again with user zbaig you will see the welcome page of the application

Solution 2 Disable weblogic locking feature:

  • To allow Active directory to control user account lock and unlock you can disable this feature as shown in the following slide
  • Remove Locked Enabled check box and restart all managed servers including AdminServer

Final thoughts:
Personally i would go for solution 2 for ease of administration in large numbers of users this solution also helps if you have other single sign on solutions for many domains like Oracle access manager OAM.

If you are using embedded LDAP server of weblogic then solution 1 is your only choice :)

Have a nice day,
Zeeshan Baig


  1. Very nice blog, thanks for sharing your knowledge.

  2. Hi Muhammad,

    can you get the LDAP server to send the user an email informing them what to do if they get locked out ?


  3. Hi Mick,

    I don't think WLS provides any automated solution for this. You can probably use custom identity asserter to verify user status but this is just a blind saying. May be Oracle access manager has something.

    If you know anything let me know as well.


  4. Thank you very much. Then how can I catch the exception of locked account? I mean how to tell user that he is locked and should wait for few minutes?

    1. Hi,

      Check the link it might be helpful


  5. Is there a way to programmatically unlock the user?

    1. Hi,

      Yes you can using Java APIs for WebLogic server check this

      Zeeshan Baig

    2. Great to know! Thank you very much Zeeshan!