Customer Accounts Disabled?

[kwikstand]

I recently noticed that for some reason many of my customer accounts are disabled. What would make this happen? is there a time limit of activity? Would it have something to do with an upgrade?

[jmestep]

I did an upgrade to R6 on a site and that kept happening. I was never able to figure out why and Able was never able to figure out why. I finally had to change the expiration on the admin passwords to 24 months. For some reason, that setting was triggering a routine to disable normal users. Please report a bug to Able and they will know there are two of us- I'm really not crazy since it is happening to someone else.

[kwikstand]

OK. How do I report a bug?

[jmestep]

You use the Feedback tab at the right of any of your admin pages. Be sure to select Report Issue radio button. Please be sure to give a detailed description including your version of Gold and what your password expiration month setting is. When I had the site I've mentioned set at one month, I could check the site after that month passed and users would be disabled. If I remember correctly it was tied in with last activity date being a month previous.

[kwikstand]

Actually, I just checked my Password Policies and I see there is a setting for "Inactivity Period". It was set for 6 months. I changed it to 24. I think that will take care of it.

I amusing GoldR8 (build 7345)

Thanks,

Scott

[kwikstand]

Nope. Now I see that setting is under "Merchant Policy". There is no such setting under "Customer Policy". I guess I will have to report it as a bug.

[jmestep]

Yes, the setting is under merchant policy, but it seems to affect customers.

[Katie]

I did an upgrade to R6 on a site and that kept happening. I was never able to figure out why and Able was never able to figure out why.

I found this issue which was reported for R6. We never could find the cause, but we added some code to make sure it wouldn't happen. This is the first time I've heard it reported for R8.

Scott -

Can you give us any information about the user that had a disabled account? Look for date when they first registered an account, or if they attempted to login to many times and had the account disabled that way. This is a very strange issue which we haven't been able to reproduce. There must be a reason, but we're going to need your help to find it.

Thanks

[kwikstand]

Many, many users have their accounts disabled, probably most of them. I can say that I went back to January 3 and found users accounts that were NOT disabled. I then found orders on Jan 4th that WERE disabled.

[NC Software]

I've seen this in 7.0.7 and I have the Merchant inactivity set to 24 months and have been battling this issue forever. Account disabled and the user cannot reset it, requires me to reactivate and then reset the password. I see this a lot when passwords are really out of date, i.e. > 1000 days and may be throwing an exception internally I would guess in reading data from a former AC version most likely.

[Katie]

Thanks Neal for your input. I was trying to get Scott to dig into a customer record and find something that could give us a clue why this is happening. If we know that the user account is old (from AC7 era), and that something triggers the account to disable in Gold, that certainly gets us looking in the right direction.

[NC Software]

In my case still on AC7, it's still the same data, but typically years old, so 7.x revisions mainly, not sure if this is AC5 data. As my mobile apps and desktop apps for that matter use a "NC Software" account for login it gets a lot of bad password hits in the event log so who knows. Once I move into R9 when available I'll be able to look at code more in depth if needed.

[Katie]

I wonder if it is AC5 data....

Scott, were you ever using AC5?

[kwikstand]

Yes. A long time ago.

[jmestep]

The site I had a problem with was an upgrade from Able 7, but I don't know if they were Able 5 before that.
We have another site that is an R6 upgrade from Able 7 which was upgraded from Able 5 and they have never reported a problem and they are the kind of merchant that would have reported it.

[Katie]

Scott,

Please provide the following info for one the the accounts that was disabled.

Registered Since:
Last Active:
Failed Logins:
Last Lockout:
What group(s) are they in.

Thanks
Katie

[kwikstand]

There are hundreds of them. I can't look them all up.

[Katie]

I asked for information on just one of the accounts.

[kwikstand]

Oops! I assumed you wanted to try to find a common thread in all of them.

Here are a couple of disabled ones:

Registered Since: 1/4/2014 9:16 AM
Last Active: 1/4/2014 9:19 AM
Failed Logins: 0
Last Lockout: -
What group(s) are they in: _Default_


Registered Since: 10/24/2010 10:53 PM
Last Active: 1/4/2014 3:54 AM
Failed Logins: 0
Last Lockout: -
What group(s) are they in: _Default_

Now here's one that is NOT disabled:

Registered Since: 8/7/2011 9:05 PM
Last Active: 6/11/2014 8:24 PM
Failed Logins: 1
Last Lockout: -
Group(s): _Default_ Change Group

I hope this helps,

Scott

[NC Software]

There goes that theory - not old data scenario. I sure hope AC finds and fixes this issue. Plaguing me for years!

[kwikstand]

I don't know about the "old data", but I am wondering if it has anything to do with upgrading. I only realized the problem recently and I am now having customers tell me about it. I upgraded to Gold last year and then in the fall I switched hosting servers. Then in July of this year, I upgraded to R8 build 7345. I don't know if this helps

[NC Software]

It's one thing that an account goes disabled, that's fine such as a failed login attempts exceeded lockout period. It's when an action by a user such as a reset password does NOT re-enable it is what AC really needs to be looking into.

I also, as stated before, do not believe the meta data associated with that screen is correct and AC should do a review and refresh of this information. It should show login history and successful/failed login attempts on this account, IP address, etc. i.e. an audit per user. It should show lockout periods, start, end, next login. By adding this more useful information we can all get a better history of what's going on here and why. When a user asks "why is my account locked out?" we can know exactly why and if someone else is trying to access their account if we know their IP vs. the IP of someone trying to access it.

It's not hard work but it is work, I suggest this work be done to this antiquated and barely useful area of admin.

[Katie]

I just wanted to update here to let you know that I have a bug report open so this issue can be investigated. Also, thank you Scott for providing some information about the user accounts.

There are a couple of things that I would like to point out:

- Judy reported this issue back in R6, and at the time, we were never able to reproduce the issue but we did add some additional code checks to make sure that a customer account could not be disabled (unless it was caused by too many login attempts)

- I searched through the forums and our bug reporting system and found that no one else has reported this issue. That said, it looks like Scott is the only one reporting the issue for Gold, and Neal is reporting the issue for AC7 but there is no evidence to show anyone else has this problem. This makes me wonder if there is some 3rd-party application that is involved.

At this point, we're just going to have to wait and see what the developers come up with. I have mentioned Judy's information about the inactivity setting for the admin accounts. We'll confirm one way or the other that this setting is not affecting the customer accounts as well.

[NC Software]

No third party here, per se, my web services use AC as an authentication system so I get TONS more auth requests than web site usage. This just means it gets a higher rate of fails too...

[jmestep]

When I had initially report the bug, the merchant said there was no third party routine going on. I spent time looking through Able source code also, but couldn't find anything obvious. I couldn't replicate it on a test site by changing customer's last activity date to older than it was and they didn't get disabled. I didn't have the site up and running all day so I might not have caught something obvious going on.