Solution:
In alfresco-global.properties
authentication.protection.enabled=false
So now the user can log in after unlocking in ad.
But so we think that the mitigating brute force attack on user passwords in Alfresco does not work correctly.
Mitigating brute force attack on user passwords | Alfresco Documentation
Thanks and regards!
The protection mechanism should be better described. For that I understand only the user should be blocked after 10 unsuccessful login attempts (authentication.protection.limit = 10), but there are no reports of non-authenticating users attempting to log in with the wrong password several times.
Hi:
I think this is not for using audit tools like hydra in an evil way. But I think it may be problematic for the final user, when Alfresco is configured with a complex authentication chain with several user directory origins, and the user is failing several times the real password because he/she needs more coffee...
Regards.
--C.
I have a similar problem and I think it has something to do with ldap-ad. When a user enters an incorrect password, their account gets locked on AD. When they are unlocked on AD, they are still locked on alfresco. The
authentication.protection.periodSeconds=6
settings seems to have no effect, as the account is locked until the alfresco service is restarted.
The solution of :
authentication.protection.enabled=false
works for me too
Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.
Related links:
By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods). If you are not ok with these terms, please do not use this website.