Look back at Password Reset AuthN Workflow in the Lockout Gate settings where the lockout duration, lockout threshold, and number of times until permanent lockout are set:
The settings specify that the workflow can fail 3 times. The user can answer one or all of the questions incorrectly, and have the workflow fail once (one failure count):
In our settings, if the workflow fails three times for the same account, the user is temporarily locked out of the SSPR for 15 minutes. This is a service lockout, and not an Active Directory lockout:
After 15 minutes, the user can attempt to answer their questions again. Failing the workflow two more times would equate to the permanent lockout threshold setting of three, and the user would receive the following error when attempting again:
At this point, the only way the user would be able to use SSPR again would be to have someone unlock the SSPR account in MIM. To do this, perform the following steps:
- Go to the MIM portal, and click on Administration, then on Unlock Users. Search for the user, and click on the name. Click on Password Reset AuthN Workflow that indicates SSPR permanent lockout, then click on the Unlock User icon:
- Click on the Unlock Users button, then on Submit. You should receive an Access denied response:
- To grant SSPR unlock permissions, we need to create two sets and three MPRs.
- The first new set that we will create will be named TFC SSPR Unlock Admins. For our example, we will add the administrator in this set, although in your environment, you could make the set criteria-based to refer to your IT helpdesk staff:
- Next, create a new set named Lockout gate registration resources that is criteria-based with gate registration resources that match Gate Type is D1230EF0-C5FA-4473-BE2A-30918B42EA2B:
- We now create a new request MPR named TFC: SSPR Unlock Admins can modify Lockout gate registration resources that specifies Requestors as TFC SSPR Unlock Admins, Operation as Read resource and Modify a single-valued attribute, and Permissions as Grants permission:
- In the Target Resource tab, the Target Resource Definition Before Request and the Target Resource Definition After Request settings should be the newly created Lockout gate registration resources set. The Resource Attributes setting should be All Attributes:
- Click on Submit to save the MPR.
- We will create another new request MPR named TFC: SSPR Unlock Admins can unlock Password Reset Users Set that specifies Requestors as TFC SSPR Unlock Admins, Operation as Read resource and Remove a value from a multivalued attribute, and Permissions as Grants permission:
- The Target Resource Definition Before Request and the Target Resource Definition After Request settings should be set to Password Reset Users Set with the specific attributes Lockout Gate Registration Data Ids and AuthN Workflow Locked Out selected:
- The final step is to create a request MPR named TFC: SSPR Unlock Admins can read Password Reset Users Set that specifies Requestors as TFC SSPR Unlock Admins, Operation as Read resource, and Permissions as Grants permission:
- In Target Resource Definition Before Request, set the value to Password Reset Users Set with Display Name selected as the specific attribute:
- You should now be able to go to Administration | Unlock Users, click on a locked out account, and unlock it, assuming that you logged into an account that is in the TFC SSPR Unlock Admins set.