OutSystems user is set as Inactive if its AD user is locked out


Hi everyone,

I faced an issue of having some "Invalid Login" error messages and when looking for the root cause of this issue I found something which imho could be improved.

Going straight to the point, there is one Timer on Users app that runs daily at 4:00 am called "SynchronizeDomainUsers" that in its logic calls an action/method from "Authentication" extension called "ActiveDirectory_GetAccountDetails":


The problem, as I see it, is that on that method we have:

So, I found that there were users being set as Inactive on OutSystems Platform by that timer, which runs from "Users" app because their account happened to be locked out when the timer was running.

I see at least 3 things here:

  1. After the User account is set as Inactive on OutSystems, the user simply gets an "Invalid Login" message and the same happens on the Platform Logs, although its Active Directory account is no longer locked out - there is no hint anywhere that root cause is the user being Inactive.
  2. Why is this check IsAccountLockedOut() done on that timer? Whether the AD user is locked out should be checked when he tries to log in...
  3. Anyway, why not have that option "Check User Is Locked Out" as a Site Property?

By the way, this happens on every environment, from Dev to Prod.


Thanks,

Tiago

Hi Tiago

I cloned a users espace and took a look at the SynchronizeActiveDirectoryUser action. It checks a site property called SyncExternalAuthenticationUsersActiveStatus before it sets the is_active flag.

If set to false, users will not be set as inactive when they are inactive in the external authentication system.
It's set to true by default.

However I cannot find any site properties for the published Users espace. Do you have any site properties for the Users espace in your environment?

Fabian

Hi Fabian,

I will set that site property (SyncExternalAuthenticationUsersActiveStatus) to False, to avoid the assign on that If. However, I don't see why that check of "IsAccountLockedOut" is mandatory - it should be available on a Site Property setting. Active and LockedOut are different things...

Regarding the site properties, you can edit them from the Tenant Users config.



Cheers,

Tiago

Hi Tiago

I agree with you this check should not be mandatory by default.
Thank you for letting me know where I can find those site properties. I didn't know about the Tenant Site Properties.

Fabian
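
The following is an added example, not part of any post in this thread and not OutSystems code: a Python sketch of a directory sync decision that treats the AD disabled flag (`userAccountControl` bit 0x2) as durable and a lockout (`lockoutTime`) as transient. The `check_locked_out` toggle models the site property proposed above and is hypothetical, as are the function names, the sample accounts and the 30-minute lockout duration.

```python
from datetime import datetime, timedelta, timezone

ADS_UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: disabled by an administrator
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """datetime -> AD FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def is_disabled(ad_user):
    return bool(ad_user["userAccountControl"] & ADS_UF_ACCOUNTDISABLE)

def is_locked_out(ad_user, lockout_duration, now):
    """lockoutTime == 0 means not locked. A non-zero value can be stale:
    the lockout is over once lockout_duration has elapsed.
    lockout_duration=None models 'locked until an admin unlocks'."""
    ticks = ad_user.get("lockoutTime", 0)
    if not ticks:
        return False
    if lockout_duration is None:
        return True
    return now < from_filetime(ticks) + lockout_duration

def sync_is_active(current, ad_user, now, lockout_duration,
                   sync_active_status=True, check_locked_out=False):
    """Value a sync job would write to the platform user's is_active flag."""
    if not sync_active_status:      # SyncExternalAuthenticationUsersActiveStatus = False
        return current              # leave the flag untouched
    if is_disabled(ad_user):        # durable state: mirror it
        return False
    if check_locked_out and is_locked_out(ad_user, lockout_duration, now):
        return False                # transient state: only when explicitly enabled
    return True

# Constructed sample: normal account (0x200) locked at 03:50, timer runs at 04:00.
RUN = datetime(2024, 1, 15, 4, 0, tzinfo=timezone.utc)
LOCKED = {"sAMAccountName": "jdoe", "userAccountControl": 0x0200,
          "lockoutTime": to_filetime(RUN - timedelta(minutes=10))}
DISABLED = {"sAMAccountName": "old.svc", "userAccountControl": 0x0202, "lockoutTime": 0}
POLICY = timedelta(minutes=30)      # assumed domain lockout duration

if __name__ == "__main__":
    for toggle in (True, False):
        print("check_locked_out =", toggle, "->",
              sync_is_active(True, LOCKED, RUN, POLICY, check_locked_out=toggle))
    print("disabled ->", sync_is_active(True, DISABLED, RUN, POLICY))
```

With `check_locked_out=True` the locked account is written as inactive at 04:00 even though the lockout would expire at 04:20, which is the outcome reported in the first post; with the toggle off only the disabled account is deactivated.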