Configure the account disable notification response

WebSEAL returns a server response error page (acct_locked.html) that notifies the user of the penalty for reaching or exceeding the max-login-failures limit.

The late-lockout-notification stanza entry in the [server] stanza of the WebSEAL configuration file specifies whether this error page is returned when the user reaches the max-login-failures limit, or at the next login attempt after reaching the limit.

The action of account lockout or account disable does not remove the session cache entry of the user, but it does prevent future logins by that user until the account is unlocked.

  • The default setting for migrated installations of WebSEAL is "yes". Upon reaching the maximum value set by the max-login-failures policy, WebSEAL returns another login prompt to the user. WebSEAL does not send the account disabled error page to the user until the next login attempt. This setting represents the pre-version 6.0 behavior for the max-login-failures policy. For example:

  • If the disable-time-interval policy is set to a number of seconds, the error message indicates the account is temporarily locked out.

  • If the disable-time-interval policy is set to "disable", the error message indicates the account has been disabled and that an administrator is required to reset (unlock) the account.
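The timing and message rules above can be modelled as follows. This is an added example, not IBM code: it reads late-lockout-notification from the [server] stanza of a constructed configuration sample and lists what is returned for each consecutive failed login. The function names, the [example-other] stanza, the treatment of "no" as the setting that returns the page as soon as the limit is reached, and the assumption that all attempts fall inside the lockout interval belong to this example.

```python
import re

# Constructed sample of a WebSEAL configuration file (not from a real system).
SAMPLE_CONF = """\
[server]
# value this page describes for migrated installations
late-lockout-notification = yes

[example-other]
late-lockout-notification = no
"""

def late_lockout_notification(conf_text):
    """Return the late-lockout-notification value from [server], or None if unset."""
    stanza, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1).strip()
        elif stanza == "server" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "late-lockout-notification":
                value = val.strip().lower()
    return value

def responses(late, max_login_failures, disable_time_interval, attempts):
    """Model the page returned for each consecutive failed login (1..attempts)."""
    if late not in ("yes", "no"):
        raise ValueError("late-lockout-notification must be yes or no")
    # The wording of acct_locked.html depends on the disable-time-interval policy.
    if disable_time_interval == "disable":
        notice = "acct_locked.html (account disabled, administrator must unlock)"
    else:
        notice = "acct_locked.html (temporarily locked out)"
    # "yes" defers the error page to the attempt after the limit is reached.
    first_notice = max_login_failures + (1 if late == "yes" else 0)
    return ["login prompt" if n < first_notice else notice
            for n in range(1, attempts + 1)]

if __name__ == "__main__":
    setting = late_lockout_notification(SAMPLE_CONF)
    for n, page in enumerate(responses(setting, 3, 180, 4), start=1):
        print(f"failed attempt {n}: {page}")
```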
