Summary
A Versa Director user moves to LOCKED when consecutive failed logins reach the configured max login fail count (default range 3-10). The lockout is automatic and server-side, and is recorded in the user_tracking table that backs the Track > Users > Locked Users view. A lock by itself is not a security incident; it means the credential supplied for that username failed authentication N times.
Applies to: All Directors.
What you will observe
The Locked Users API returns an entry like this:
GET https://<director>/versa/ncs-services/nextgen/track/users/lockedusers?offset=0&limit=25
{
"userName": "testuser1",
"accountStatus": "LOCKED",
"loginFailCount": 3,
"lockedTime": "2026-06-16 21:09:57.643",
"remoteAddress": "172.30.59.59"
}Director logs show three failed attempts from the same source IP, then the lock:
| Time | Event |
|---|---|
| Attempt 1 | authenticate ... isValid false Reason noauth. User row created, loginFailCount=1. Syslog: Login Failed, Invalid Username or Password. |
| Attempt 2 | isValid false. loginFailCount=2. |
| Attempt 3 | isValid false. Locking user testuser1 as exceeded maximum attempts. Status LOCKED, lockedTime stamped. |
| Attempt 4 | Rejected before password check: User Account is locked so not processing the user testuser1. Syslog: testuser1 is Locked. |
Reason noauth with user=null means the username/password pair did not authenticate (wrong password, wrong username, or no such valid login). Each failure still increments the counter for that username.
How the lockout works
On every failed login the counter increments: loginFailCount = previousCount + 1. When loginFailCount >= maxLoginFailCount, the account is set to LOCKED and lockedTime is stamped.
While locked, each new attempt is rejected before the password is checked. On each attempt Director compares now - lockedTime against defaultUnlockTime. Once the lock has aged past that window it auto-unlocks (status back to ACTIVE, fail count reset to 0). No admin action and no background job is required; the auto-unlock happens lazily on the next login attempt for that user.
On a successful login, the fail count is reset to 0 and the account is ACTIVE.
Key point: the failure counter does NOT decay over time
This is the usual reason a customer sees a user locked frequently. loginFailCount only returns to 0 on (1) a successful login, or (2) an unlock (manual admin unlock, or automatic after defaultUnlockTime elapses).
There is no sliding time window on the failure counter. Failures accumulate across sessions, browsers, scripts and devices until a success or an unlock clears them. So three stray failures spread over a day (a stale saved password, a background API client, a second open browser tab) reach the threshold just as surely as three rapid ones.
Configuration
Set under Administration > User Management > Global Settings (or via the user-settings API). Validated bounds:
| Setting | Allowed range | Effect |
|---|---|---|
| Max login fail count | 3 - 10 | Failed attempts before lock. Lower = locks sooner. |
| Default unlock time | 61 - 3600 sec | How long the lock holds before auto-unlock. |
Raising max login fail count (up to 10) and keeping default unlock time short reduces nuisance locks while preserving brute-force protection.
Why a specific user gets locked repeatedly (checklist)
- Stale cached credential. A saved password in a browser, REST/API client, Postman, or automation still using the old password. Each silent retry adds a failure. This is the most common cause, because the counter never decays.
- Automation or monitoring using that account. Scripts, CI jobs, or another integration polling with bad or expired credentials. Check
remoteAddressin the Locked Users entry and trace what runs on that host. - Concurrent sessions or multiple tabs re-submitting an expired session or wrong password.
- Password recently changed but not updated everywhere it is stored.
- Username typos or an invalid login (
Reason noauth,user=null) repeatedly hitting the same tracked record. - Account in IN_ACTIVE state is also treated as locked; that is a separate lifecycle state, not failed-login lockout.
How to investigate
- Open Track > Users > Locked Users and read
loginFailCount,lockedTime, andremoteAddress. - Correlate by source IP. Grep the Director logs for the username and pull the
remoteAddresson each Login Failed line. Identical IP across locks points to a single misconfigured client. Logs:/var/log/vnms/spring-boot/vnms-spring-boot.logand/var/log/syslog. Search forisValid false,Locking user ... as exceeded maximum attempts, andUser Account is locked so not processing.
Remediation
- Unlock now: Track > Users > Locked Users > Unlock. Resets the counter to 0.
- Wait it out: the lock auto-clears after
defaultUnlockTimeon the next attempt. - Fix the root client: update the stored/automation password at the source identified by
remoteAddress. Without this, the user re-locks as soon as the counter refills. - Tune policy if locks are disruptive: raise
maxLoginFailCountand/or shortendefaultUnlockTime.
Short answer for the end-users:
The user is not being locked arbitrarily. It is locked because that username accumulated enough failed authentications (the node's max-login-fail-count) with no successful login in between. Because Director does not time-decay the failure counter, even a handful of failures from a stale saved password or an automated client will keep relocking the same user until that client's credential is corrected or the account is unlocked.