Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their usernames and passwords and fail to sign in successfully.
Security store type
The lockout policy enforced by ArcGIS Server depends on the type of security store you're using.
ArcGIS Server built-in user and role store
The ArcGIS Server built-in security store locks an account after five consecutive failed login attempts within a 15-minute period. The lockout lasts 15 minutes. This policy applies to all users in the store, including the primary site administrator account. This policy cannot be modified or replaced.
Other user and role stores
When you choose a different user store, such as Windows Active Directory or a custom store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for these store types. Consult the documentation specific to these user and role store types to learn how to change the account lockout policy.
Monitoring failed login attempts
You can monitor failed login attempts by viewing the server logs in Manager. Any failed attempts before the five-attempt limit result in a warning-level message stating that the user failed to log in because of an invalid username or password combination. If the user exceeds the maximum number of login attempts, a severe-level message is logged stating that the account has been locked. Monitoring the server logs for failed login attempts can help you understand if there is a potential password attack on your system.
For more information, see Work with server logs.