Deciding on a User Lockout Policy
Your site user lockout policy determines how many unsuccessful login attempts can be made before a user is locked out of Windchill and how long the lockout lasts. Windchill itself does not count login attempts or lock accounts: the policy is defined in your LDAP directory server and enforced by that directory server. For example, if you configure single sign-on (SSO) for Windchill and redirect user authentication to an identity provider in your SSO federation, you must set the user lockout policy in that federated identity provider, because the directory server behind Windchill no longer sees the login attempts.
By default, the Windchill Directory Server defines properties that set defaults for a lockout failure count and lockout duration. If the defaults are used, end users can see the following behaviors:
If a user makes five consecutive unsuccessful attempts to log in, the account associated with the user name that was entered is locked (the lock is keyed on the user name, not on who made the attempts).
If an account is locked, the lock remains in effect for 15 minutes. After 15 minutes, the account is automatically unlocked; no administrative action is required.
If your site is using the PTC HTTP Server web server, users can experience a slightly different lockout scenario. This is because PTC HTTP Server caches successful login credentials for a predetermined length of time. This login cache comes into play in the following scenario:
1. Assume a user has logged in successfully and then closes the browser.
2. Within the time for which the successful login is cached, the user reopens the browser and attempts to log in but is unsuccessful five consecutive times.
3. On the sixth login try, the user enters the correct credentials to log in and the login is successful even though the number of attempts was greater than five.
The user’s login succeeds on the sixth try because the credentials entered match the cached credentials, so the attempt is validated against the PTC HTTP Server cache rather than against the directory server. This only works while the successful login is still cached. If the user had reopened the browser after the PTC HTTP Server cache was cleared, the account would have been locked after the fifth unsuccessful login attempt and the sixth attempt, correct credentials or not, would have been refused until the lockout duration expired.
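The following model, added here as an illustration and not Windchill or PTC HTTP Server code, plays through the scenario above with the default failure count and lockout duration. It assumes (the page does not say) that a cache hit is accepted without contacting the directory server, that every attempt whose credentials do not match the cache is forwarded to the directory as a bind, and that the directory counts consecutive failed binds per account. The cache lifetime of 10 minutes is a placeholder; PTC does not publish the value on this page.

```python
"""Model of the lockout / login-cache interaction (added illustration, not PTC code)."""
from dataclasses import dataclass, field

LOCKOUT_FAILURE_COUNT = 5     # default from the page
LOCKOUT_DURATION = 15 * 60    # default from the page, in seconds
CACHE_TTL = 10 * 60           # ASSUMED HTTP server cache lifetime; the page gives no value


@dataclass
class DirectoryServer:
    """Stand-in for the directory server that enforces the lockout policy."""
    passwords: dict                                  # user -> password (constructed sample data)
    failures: dict = field(default_factory=dict)     # user -> consecutive failed binds
    locked_until: dict = field(default_factory=dict) # user -> time the lock expires

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def bind(self, user, password, now):
        """Return 'ok', 'bad_password' or 'locked', updating the failure counter."""
        if self.is_locked(user, now):
            return "locked"
        if self.passwords.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_FAILURE_COUNT:
            # Fifth consecutive failure: lock the account for LOCKOUT_DURATION.
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.failures[user] = 0
        return "bad_password"


@dataclass
class HttpServer:
    """Stand-in for the web server that caches successful credentials for CACHE_TTL."""
    directory: DirectoryServer
    cache: dict = field(default_factory=dict)        # user -> (password, expiry)

    def login(self, user, password, now):
        cached = self.cache.get(user)
        if cached and cached[0] == password and now < cached[1]:
            return "ok (cache)"          # ASSUMPTION: accepted without a directory bind
        status = self.directory.bind(user, password, now)
        if status == "ok":
            self.cache[user] = (password, now + CACHE_TTL)
            return "ok (directory)"
        return status


def run_scenario(reopen_after_cache_expires):
    """Steps 1-3 from the page; returns the per-attempt results and the directory's lock state."""
    user, good, bad = "jsmith", "correct horse", "wrong"   # constructed sample credentials
    web = HttpServer(DirectoryServer(passwords={user: good}))
    t = 0
    results = [web.login(user, good, t)]                    # step 1: successful login, now cached
    t += CACHE_TTL + 1 if reopen_after_cache_expires else 60  # step 2: reopen the browser
    for _ in range(LOCKOUT_FAILURE_COUNT):
        results.append(web.login(user, bad, t))             # five consecutive failures
        t += 1
    results.append(web.login(user, good, t))                # step 3: sixth attempt, correct password
    return results, web.directory.is_locked(user, t)


if __name__ == "__main__":
    for expired in (False, True):
        attempts, locked = run_scenario(expired)
        print("cache expired" if expired else "cache valid ", attempts, "directory lock:", locked)
```

Running the model shows the point the scenario glosses over: in both runs the directory server has locked the account after the fifth failure; with the cache still valid the sixth attempt returns `ok (cache)` only because it never reaches the directory, and with the cache expired it returns `locked`. Under these assumptions the cache masks the lockout for the remainder of its lifetime rather than cancelling it.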
You can change the defaults for the lockout failure count and lockout duration by modifying the Windchill Directory Server default password policy. For information about the properties used to set lockout and other password policy details, see Setting Windchill Directory Server Password Policies.