STEP ONE: Does the user really have an account?
While logged in as an administrator, select Site>Users>All Users.
At this point, try to locate the user by typing their name or email address into the search bar. A list of possible results will appear below the search bar. (Tip: try typing just 3 or 4 letters to see the best range of search results.) Clicking on a result will open the user's profile.
If you cannot locate the user, they may not have an account created in the system at this time. If you suspect that the user does not have an account created in the system, please ask the user to try signing up (local or whitelist authentication) or signing in (LDAP or SSO authentication) again. If they are still unable to access the system and you still cannot find an account under their name or email address in the system, please contact Customer Support.
STEP TWO: If the user has created an account, have they confirmed it?
Certain kinds of users and certain methods of authentication require users to click on an invitation URL sent to them via an invitation or confirmation email. (Note to SSO and LDAP systems: Your reviewers and references still utilize confirmation emails.) It's possible that the user has not checked their email, or that a particularly strong spam filter has directed the invitation email away from the user's inbox.
- Ask the user if they have received an invitation or confirmation email (ask them to check their spam folder or their trash folder.)
- If they have not received an invitation email, or if they have read the email and a) did not click on the link or b) clicked on the link and it did not work,
Then you should check and see if the system has an unused invitation or confirmation URL prepared for the user. To do so,
1. Select Site>Users>All Users. Search for the user (see STEP ONE above) and open their profile by clicking on their name.
2. If the user has generated an invitation URL but has not yet clicked on it, you will see the URL appear on the "Edit" tab.
3. At this point you should copy the URL and send it to the user (through your email account.) Once the user clicks on the invitation URL, they should be able to access the system.
STEP THREE: Has the user created a password previously, accessed the system recently or attempted to sign in repeatedly?
Some users may have forgotten that they have previously logged into the system; others may have simply forgotten their password. If you have not yet located the cause of the user's lock-out, the next step should be to determine whether or not the user has previously set a password or if they have accessed the system in the past. While in the user's profile, click on the "System" tab. From here you can view:
- Sign In Count: Useful to determine if the user has signed in before (any number other than 0.)
- Last Sign In Date: Useful to determine if the user has signed in before (if not, this will be blank.)
- Failed Attempts: After 10 failed attempts to log in, the user will be locked out for one hour.
- Locked Date: If the user has intentionally been locked out of the system (probably due to failed attempts), you will see a date here. After 10 failed login attempts, a user will be locked out. Locked accounts will be re-opened 1 hour after the last failed attempt to sign in.
- Created Date: You can see the day the account was first established.
- Password Set? If this says "No" the user has not created a password yet. If this says "Yes" the user has previously created a password (and has most likely forgotten it.)
- Roles: This notes what portals this account can access. If you do not see the appropriate roles listed, the user may have an additional account in the system.
If the "Password Set?" says Yes, then the user does have a password set in the system. In this case, you should ask the user to click on the "Trouble signing in?" link to reset their password. If the user does not have a password set and
a) they cannot follow the steps to reset their password,
b) you believe they have logged into the system in the past, or
c) you believe the user should have a password already set for some other reason, please contact Customer Support.
Note: Students and System Administrators accessing systems with Single-Sign On or LDAP authentication (typing in your campus username and password) will never have a password set. Reviewers and References accessing systems with Single Sign On or LDAP will still need to set passwords to sign in.
STEP FOUR: Has the user successfully reset their password?
If you are assisting a user in resetting their password; or if a user informed you that they never received an email to reset their password; or if a user informs you that they have attempted to reset their password and were otherwise unsuccessful, then you can assist the user through your Administrator access to the system.
1. While viewing the user's profile, click "Edit".
2. If you see "Reset Password Url" and a web address, then the user has successfully requested to reset their password but has not yet clicked on this link to actually select a new password. If you see this URL, you should copy it and email it to the user (through your email account.)
3. If you do not see a Reset Password Url on this page, then the user has not successfully requested to reset their password. You should ask the user to try again, or alternatively you may sign out and visit the Trouble Signing In? page on their behalf. (Follow the instructions at the end of STEP THREE.)
If you are still unable to determine why the user cannot access the system, you should contact Customer Support. The underlying cause could be associated with your authentication method, the status of your system imports, or additional factors not visible to system Administrators.
Frequently Asked Questions
A few things to keep in mind when troubleshooting user lockout issues:
1.) When a user is sent an invitation email confirmation, how long is the invitation link valid?
Invitation links do not expire. The first time an invitation link is used, the user will be taken to a page that will instruct them to set up their password, any subsequent use and they will be taken directly to their sign in page.
2.) Does the system log users out after a period of time? If so, when?
Users are logged out after 30 minutes of inactivity. The user is warned after 25 minutes of inactivity with a popup message stating that the user will be logged out in 5 minutes if no action is taken.
3.) What does it mean if a user's account is locked?
Users are locked out after 10 failed login attempts (OR if a Whitelist Authentication client, the student was not in the last import file). This is done for security purposes to prevent brute force attacks whereby an automated routine repeatedly attempts to login to an account trying different passwords. By limiting the failed attempts to 10 every hour, it dramatically slows down a hacker's ability to compromise a user's account via brute force.
This only applies to systems using Local or Whitelist authentication. If a system uses Single Sign-On or LDAP authentication, this only applies to locally authenticated users (typically references and reviewers.)
4.) If a user's account is locked, how does it become unlocked?
If a user has her account locked due to 10 or more failed log in attempts, the account will remained locked for 60 minutes after the 10th failed attempt. There is no ability to unlock it. After 60 minutes, the user can then log in again. (If a Whitelist Authentication client, research needs to be done to determine WHY the student's record was not imported. The only way to unlock the account is to remedy the issue of why the student's row didn't import and then reimport a file with ALL student records).
This only applies to systems using Local or Whitelist authentication. In systems using Single Sign-On or LDAP authentication, this only applies to locally authenticated users (typically references and reviewers.)
5.) How long are password reset links valid?
Password reset links are valid for 6 hours. After 6 hours, the user will need to request to reset her password again to generate a new link. If they attempt to use the old link they will receive a message that states "Reset password token is invalid." You can view the Email Log for that user to see when the link was sent.