BBID Login Error "Too Many Failed Sign-Ins" - locks users out of account, despite no one attempting many sign-ins

Our school launched the BBID authentication (no SSO) over the summer and most users were able to convert without any issues. Now that we are back in session, users are now constantly being “locked out due to too many failed sign-in attempts.” This is happening to everyone, even when they are just signing in for the first time. (and verifying correct password)

Entire classrooms are now getting locked out with this error. When I chatted with support, I was told “All the students in school seem to be on the same IP address and once 10 users on the IP address enter the wrong password it is deemed as suspicious activity and then the IP address is blocked. This is what has happened here. We have unblocked the IP address.”

The issues were not resolved, despite being told that Internal Resources has corrected it. Everyone is still getting locked out randomly with no way of getting back in. Seems ridiculous that our school of course has one static IP address, but with over 1,400 users at any given moment, we cannot be locked out every time 10 users enter a wrong password.

Is anyone else experiencing these issues??

Comments

  • Hi, @Mary Fernandez.

    We are not experiencing a schoolwide issue, but we did have several parents get this error almost daily. The workaround was to disconnect BBID, delete any legacy username, then recreate the BBID.

    If support is saying this has something to do with the IP address and too many people logging in, then we are all going to be in the deep end when our faculty and students return.

    Keep us posted on your progress. Looking forward to hearing from other schools.

  • Hi @Mary Fernandez, When your school sends all outbound traffic through a single IP address, then all traffic is seen as coming from the same source similar to a bot that is nefariously attempting to access user accounts by trying multiple email/password combinations. To avoid this the best options to move forward are:

    1. Establish an SSO connection with Blackbaud ID - There are many benefits here beyond avoiding the suspicious IP throttling you're experiencing. A primary benefit is reducing the number of accounts students need to remember access for and also providing your school with a centralized location to manage all user access at the Identity Provider. Does your school use Microsoft or Google today? Let me know and I'll send you a presentation on the SSO process for the appropriate vendor.
    2. Update the school's network configuration to a broader range of IPs - This will help ensure users do not experience adverse impact due to what is perceived by our security protocols as suspicious activity.
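
A small model of the rule support described in this thread (10 wrong passwords from one IP address block that address), replayed over constructed traffic from a single shared school address. It is an added illustration, not part of the original posts and not Blackbaud's code; the counting window, block length, typo rate, sample address and the per-account alternative are assumptions.

```python
from collections import defaultdict, deque

THRESHOLD = 10      # from the support chat: 10 wrong passwords
WINDOW_S = 600      # assumed counting window; not stated in the thread
BLOCK_S = 3 * 3600  # assumed block length; the thread reports about 3 hours

def simulate(events, key):
    """Replay (t, ip, user, password_ok) events in time order and return how
    many correct-password sign-ins were refused. key(ip, user) selects what
    the failure counter and the block are attached to."""
    failures = defaultdict(deque)  # key -> timestamps of recent failures
    blocked_until = {}
    refused = 0
    for t, ip, user, ok in events:
        k = key(ip, user)
        if blocked_until.get(k, 0) > t:
            refused += int(ok)     # right password, but the key is blocked
            continue
        if ok:
            continue
        q = failures[k]
        q.append(t)
        while q and q[0] <= t - WINDOW_S:
            q.popleft()            # forget failures older than the window
        if len(q) >= THRESHOLD:
            blocked_until[k] = t + BLOCK_S
            q.clear()
    return refused

def school_morning(users=1400, typo_every=20):
    """Constructed traffic: one NAT address (documentation range), one
    sign-in per second; every typo_every-th user mistypes once, then retries."""
    events, t = [], 0
    for n in range(users):
        if n % typo_every == 0:
            events.append((t, "203.0.113.7", f"user{n}", False))
            t += 1
        events.append((t, "203.0.113.7", f"user{n}", True))
        t += 1
    return events

def by_ip(ip, user):       # the rule as support described it
    return ip

def by_account(ip, user):  # assumed alternative: count per (address, account)
    return (ip, user)

if __name__ == "__main__":
    print("refused, keyed by IP:     ", simulate(school_morning(), by_ip))
    print("refused, keyed by account:", simulate(school_morning(), by_account))
```

With these assumed numbers the shared address is blocked about three minutes into the morning, after which every remaining correct sign-in is refused, while the per-account key refuses none and still locks a single account that accumulates 10 failures of its own.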


  • @John Vogel Hi John,

    We were given those solution options, either SSO or have dynamic IP addresses. Our IT department says we absolutely cannot do the IP way and so we are looking at SSO with Microsoft Azure.

    This morning was the first day back for all school, and the lockout was almost immediate. It is a huge problem as teachers could not take attendance, no one could access their portal, and even administrators could not get in. It is a liability for the school if we are unable to see a student emergency contact info or the nurse can't see medication conditions.

    We finally sent out a schoolwide email asking everyone to stop trying to reset passwords. After several hours, I was finally able to log in - but probably because it was lunch and fewer users were trying.

    When I contacted support, they are unable to tell me how long the lockdown is for (60 seconds? 60 minutes? 5 hours?). I requested an immediate release of the lock, and was told that there is no guarantee that once it is unlocked that the next 10 wrong attempts won't lock it again.

    Still waiting to hear back on those answers, while we are trying to figure it all out.


  • @Kirstin McDonald Hi Kirstin, it is interesting that your parents were getting that error message, since I am told that the lockdown happens due to everyone being on the same IP address. Since parents are doing it from their homes, we have not gotten any issues there.

    I would recommend that if you still have time before school starts, definitely loop your IT folks on this because I am told that the IP issue will not change, so SSO will be the only way to go.

    I put in calls to some other Blackbaud schools in our area to see if they have run into any issues, but I haven't heard back. I would also be interested in hearing back from other schools.

  • @John Vogel
    John,

    Our school has a broad range of IP addresses and we still experience this problem. SSO will not work for us because only teachers and students have a TCA email. All our other users do not have a school email and will therefore not have access to set their login credentials.

  • Jessi Walters (Blackbaud Employee)

    @Veronica Esclamado Are there regular users of Education Management who spend a lot of time on-campus most days but are not on your email domain? I wanted to be sure you know that, typically, only faculty and students need to be on SSO. Parents (and others) usually log into Education Management off-campus using their own, non-SSO email and are much less likely to run into the IP address issue.

  • @Jessi Walters It's not a huge number but we do have individuals on campus who are not on TCA domain that need access to the website.

  • @John Vogel We have two solid days of chaos, our first two days back to school, because of this issue. We were told to switch to BBID last year by July (the original switch date). We made the switch in April because of the July deadline, and never ran into this issue from April until yesterday. We did not have an IdP that could SSO, so we were told we could use BBID. Not one person said that an SSO or additional IP addresses were mandatory. It was “suggested” to use an SSO, but not mandatory. As others are saying, a range of IP addresses is not something our IT department wants to do. We have had 800 people unable to access our solutions for two straight days. Eventually support unblocks it (about 3 hours after it starts). Some can get in after that and some cannot. Meanwhile, the error message it gives them is to reset their password. That doesn't work. We don't think the password resets. When support unblocks it and the student/teacher try to log in, they now have to figure out if they are supposed to use their new password or their old password. Did it reset? Looks like no. They don't know that, so they try the new one. Now we have loads of people trying incorrect passwords they thought they reset, but it did not actually reset. The whole problem happens over again and we are back to square one and we get blocked again.

    It's just unacceptable. If we had known at that time that come August we would no longer be able to log in to our solutions, we would have looked into our IdP situation and figured out a way forward. Blackbaud asked us to switch to BBID, and now is telling us we should not be using BBID but instead use our own identity provider. It's frustrating to say the least.

  • @Nancy Kierstead Yes, this is exactly our experience as well. Although technically SSO is not mandatory, from a users' standpoint it is since it is the only solution BB offers. We went through our conversion in April and had this experience and were told that BB would come up with a solution. Then heard nothing again until we experienced the same thing but at a more intense level this August for a week. Knowing what we went through last April, someone from BB should have reached back out to us before August to tell us that SSO was our only option. Very poor follow up.

  • @Mary Fernandez We are in the middle of this right now. It's chaos.

  • @Nancy Kierstead I am so sorry to hear that you are going through this.. we went almost 10 days of chaos, frustration and everything in between…. it truly was not the way to begin the school year. We finally went SSO with Microsoft Azure, something that we could have done IF - to your point in another post - we had been told that SSO is truly not an option but the ONLY way forward. We are a Microsoft Showcase school and this certainly could have been avoided if we had not been led to believe that SSO was “optional” in any way.

    Once we flipped the switch on SSO, it was like instant magic - not a single login issue since then.. but I share the sentiment by you and Veronica that this transition to SSO should not even be considered optional. In all my conversations with support and elevated/escalated support, we never had another option but to go SSO…

    I hope your school is able to move quickly into SSO so everyone can log in. There are important implications when teachers and staff cannot log in to access emergency contacts, cannot access rosters (kids were completely lost because they couldn't see their schedules), or grades and assignments.

  • @Veronica Esclamado
    You are saying that having multiple IP addresses does not solve the problem. Support should not be giving us this solution if it doesn't work. Any response from Blackbaud on this?

  • @Nancy Kierstead The only response was that we should implement SSO.

  • @Jessi Walters @John Vogel, this is exactly why there was such an outcry months ago over having a failsafe back door into the system.

    We were told that BBID would just work and the concerns were much ado about nothing. Well…here we are. Please figure out a way to fix this, and communicate the fix to all parties. Thanks.