Failed to connect to database Underlying DBMS error[ORD-28000: the account is locked No extended error.]

7871
12
08-06-2015 07:00 PM
TerryInniss
New Contributor II

The sde database user is continually getting locked out of the database and the caption heading is the error message. Once the DBA unlocks it we are able to connect but as soon as we try to create the map service we get an error and on inspection we find the sde user is locked out. All the research has suggested that a MXD file with an old sde password is trying to connect to the database and hence locking it out. We have disconnected all arcmap instance yet the account still is being locked out. DO ANYONE has a suggestion for this issue.

12 Replies
George_Thompson
Esri Frequent Contributor

Hi Terry,

Can you provide a little more information related to the RDBMS being used? It looks like you are using Oracle but want to verify.

Do you happen to have other map services registered with the SDE user that may be using the incorrect password?

I am going to link to other groups with may help get more responses.

GeodatabaseManaging DataEnterprise GIS

-George

--- George T.
TerryInniss
New Contributor II

Thanks for replying. I am using ArcGIS for desktop 10.3.1 on Windows with an Oracle database (11g). I did create a map service. What is strange is that the user start getting locked out before I changed the password for the database user. Do you have any suggestions.

0 Kudos
AsrujitSengupta
Regular Contributor III

By any chance, does any of the Map Services\MXDs contain reference to any data that doesn't exist anymore?

AsrujitSengupta
Regular Contributor III

After changing the password, resource the existing MXDs to point to the connection with the corrected password. Check if this helps!

TerryInniss
New Contributor II

Thanks for the suggestions, they were very useful. When I stopped the arcgis service, the sde user stops getting locked out. Therefore, I deduced that the map service was using the old password and when user try to access that service it locked out the user. However, I have to restart the arcgis service to overwrite the old map service. I am hoping that when I restart the arcgis service, that the sde user will not be locked out. Is there any other way to do this that would not have me contacting the DBA because the sde user is locked out?

AsrujitSengupta
Regular Contributor III

No, if the SDE user does get locked out, you'll have to contact the DBA to unlock it.

VinceAngelo
Esri Esteemed Contributor

The SDE user should not EVER be used to publish services. Best practice doesn't even call for publishing as the data owner (you should always create at least one owner account to own spatial data [in a newly created tablespace]) -- an additional user with the least possible access  (managed through roles) should be created exclusively for publishing. This will help prevent destruction of your geodatabase instance from a SQL injection attack.

KDeVogelaere
Occasional Contributor

Is there a defect open to -

A. Allow users to programmatically disable the automatic connection attempts to RDBMS in ArcMap so when you open an MXD file with a changed .sde password it doesn't lock the account

OR

B. Publish a POINTER to the .sde connection file instead of copying connection details into the MXD

Stricter security standards have been put in place for Oracle passwords at our company (expiry after 365-days and account lockout after 3-failed login attempts).

Best Regards,

KD

KDeVogelaere
Occasional Contributor

Does anyone know what the failed login attempt threshold is set for ArcMap?  Does ArcMap stop attempting to connect to a database say after 100 failed login attempts?

0 Kudos