diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java
index 54451c01b666865d9fac7ccd334c29e2deb88919..6054bd436516648cae396515a6cc3acdff60f860 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java
@@ -48,7 +48,7 @@ public class DBUserToUserROConverter implements Converter<DBUser, UserRO> {
         target.setLastTokenFailedLoginAttempt(source.getLastTokenFailedLoginAttempt());
         target.setTokenSuspendedUtil(getSuspensionUntilDate(source.getLastTokenFailedLoginAttempt(),
                 source.getSequentialTokenLoginFailureCount(),
-                configurationService.getAccessTokenLoginFailDelayInMilliSeconds(),
+                configurationService.getAccessTokenLoginSuspensionTimeInSeconds(),
                 configurationService.getAccessTokenLoginMaxAttempts()));
 
         target.setActive(source.isActive());
diff --git a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java
index e5f05a6c456ec7bbeb77b2e52393993048a0fbfc..bc13a886c32428c532f11ead77adb4ffc6efbb70 100644
--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java
@@ -145,7 +145,7 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
 
         try {
             Optional<DBUser> oUsr = mUserDao.findUserByCertificateId(userToken, true);
-            if (!oUsr.isPresent()) {
+            if (!oUsr.isPresent() || !oUsr.get().isActive() ) {
                 LOG.securityWarn(SMPMessageCode.SEC_USER_NOT_EXISTS, userToken);
                 //https://www.owasp.org/index.php/Authentication_Cheat_Sheet
                 // Do not reveal the status of an existing account. Not to use UsernameNotFoundException
diff --git a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java
index 77a5e8310cf27566415636d9cb53c9ac61c828d7..0594f2c6ebd4ce2839fcd3e7ebff0aef73843c7a 100644
--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java
@@ -91,7 +91,7 @@ public class SMPAuthenticationProviderForUI implements AuthenticationProvider {
         DBUser user;
         try {
             Optional<DBUser> oUsr = mUserDao.findUserByUsername(username);
-            if (!oUsr.isPresent()) {
+            if (!oUsr.isPresent() || !oUsr.get().isActive() ){
                 LOG.debug("User with username does not exists [{}], continue with next authentication provider");
                 LOG.securityWarn(SMPMessageCode.SEC_INVALID_PASSWORD, "Username does not exits", username);
                 delayResponse(startTime);
@@ -107,7 +107,6 @@ public class SMPAuthenticationProviderForUI implements AuthenticationProvider {
             LOG.securityWarn(SMPMessageCode.SEC_USER_NOT_AUTHENTICATED, username, ExceptionUtils.getRootCause(ex), ex);
             delayResponse(startTime);
             throw BAD_CREDENTIALS_EXCEPTION;
-
         }
 
         validateIfUserAccountIsSuspended(user, startTime);