User account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, he or she may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their names and passwords and fail to log in successfully.
The lockout policy enforced by ArcGIS Server depends on which type of security store you are using:
ArcGIS Server built-in user and role store
ArcGIS Server's built-in security store locks out a user after more than five consecutive failed attempts in a one minute period. The lockout lasts for one minute. This policy applies to all users in the store, including the primary site administrator account. This policy cannot be modified or replaced.
Other user and role stores
When you choose a different user store such as Windows Active Directory or a custom store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for these store types. Consult the documentation specific to these user and role store types to learn how to change the account lockout policy.
Monitoring failed login attempts
You can monitor failed login attempts by viewing the server logs in Manager. Any failed attempts before the five-attempt limit result in a warning-level message stating that the user failed to log in because of an invalid username or password combination. If the user exceeds the maximum number of login attempts, a severe-level message is logged stating that the account has been locked out. Monitoring the server logs for failed login attempts can help you understand if there is a potential password attack on your system.
For more information, see Viewing, querying, and configuring server logs.