Account Lockout
To improve security in the Informatica domain, an administrator can enforce lockout of domain user accounts, including other administrator users, after multiple failed logins.
The administrator can specify the number of failed login attempts a user can make before the user account is locked. If an account is locked out, the administrator can unlock the account in the Informatica domain.
When the administrator unlocks a user account, the administrator can select the "Unlock user and reset password" option to reset the user password. The administrator can send an email to the user to request that the user change the password before logging back into the domain. To enable the domain to send emails to users when their passwords are reset, configure the email server settings for the domain.
If the user is locked out of the Informatica domain and the LDAP server, the Informatica administrator can unlock the user account in the Informatica domain. The user cannot log in to the Informatica domain until the LDAP administrator also unlocks the user account in the LDAP server.
Note: If the Informatica domain uses Kerberos network authentication, you cannot configure lockout for user accounts. The Account Management view is not available in the Security tab of the Administrator tool.
Configuring Account Lockout
Select the account lockout options to lock out user accounts in the Informatica domain after multiple failed logins.
1. In the Administrator tool, click Security > Account Management.
2. In the Account Lockout Configuration section, click Edit.
3. Set the following properties:
Property | Description |
---|---|
Enable Account Lockout | Enforces lockout of an Informatica domain user account after a specified number of failed logins. By default, this option does not enforce lockout of administrator user accounts. You must select the Enable Admin Account Lockout option to enforce lockout for administrator user accounts. |
Enable Admin Account Lockout | Enforces lockout of an Informatica domain administrator user account after a specified number of failed logins. You must select the Enable Account Lockout option before you can enforce lockout for administrator user accounts. |
Maximum Login Attempts | Specifies the maximum number of consecutive login failures allowed before a user account is locked out of the Informatica domain. |
Rules and Guidelines for Account Lockout
Consider the following rules and guidelines when you enforce account lockout for Informatica users:
- If an application service runs under a user account and the wrong password is provided for the application service, the user account can become locked when the application service tries to start. The Data Integration Service, Web Services Hub Service, and PowerCenter Integration Service are resilient application services that use a user name and password to authenticate with the Model Repository Service or PowerCenter Repository Service. If the Data Integration Service, Web Services Hub Service, or PowerCenter Integration Service continually tries to restart after a failed login, the domain eventually locks the associated user account.
- If an LDAP user account is locked out of the Informatica domain and the LDAP authentication server, the Informatica domain administrator can unlock the account in the Informatica domain. The LDAP administrator can unlock the user account in the LDAP server.
- If you enable account lockout in the Informatica domain and in the LDAP server, configure the same threshold for login failures in the Informatica domain and in the LDAP server to avoid confusion about the account lockout policy.
- If account lockout is not enabled in the Informatica domain but a user is locked out, verify that the user is not locked out in the LDAP server.