Layer7 Access Management

Expand all | Collapse all

Detecting Active Directory Password Expiration

  • 1.  Detecting Active Directory Password Expiration

    Posted 08-23-2013 01:49 PM
    All,
    Does anyone out there know how to get siteminder to read when a users password has expired? Is this best done with SMWALKER and if so does anyone know or seen any best practices around this issue.

    B


  • 2.  RE: Detecting Active Directory Password Expiration

    Posted 08-23-2013 02:30 PM
    You should be able to determine that based on the SMAUTHRESON Code. Take a look this list of smauthreason code.
    If the SMReason_PwExpired =19 have some logic to handle the change password process within your code.

    Sm_Api_Reason_None = 0
    Sm_Api_Reason_PwMustChange = 1
    Sm_Api_Reason_InvalidSession = 2
    Sm_Api_Reason_RevokedSession = 3
    Sm_Api_Reason_ExpiredSession = 4
    Sm_Api_Reason_AuthLevelTooLow = 5
    Sm_Api_Reason_UnknownUser = 6
    Sm_Api_Reason_UserDisabled = 7
    Sm_Api_Reason_InvalidSessionId = 8
    Sm_Api_Reason_InvalidSessionIp = 9
    Sm_Api_Reason_CertificateRevoked = 10
    Sm_Api_Reason_CRLOutOfDate = 11
    Sm_Api_Reason_CertRevokedKeyCompromised = 12
    Sm_Api_Reason_CertRevokedAffiliationChange = 13
    Sm_Api_Reason_CertOnHold = 14
    Sm_Api_Reason_TokenCardChallenge = 15
    Sm_Api_Reason_ImpersonatedUserNotInDir = 16
    Sm_Api_Reason_Anonymous = 17
    Sm_Api_Reason_PwWillExpire = 18
    Sm_Api_Reason_PwExpired = 19
    Sm_Api_Reason_ImmedPWChangeRequired = 20
    Sm_Api_Reason_PWChangeFailed = 21
    Sm_Api_Reason_BadPWChange = 22
    Sm_Api_Reason_PWChangeAccepted = 23
    Sm_Api_Reason_ExcessiveFailedLoginAttempts = 24
    Sm_Api_Reason_AccountInactivity = 25
    Sm_Api_Reason_NoRedirectConfigured = 26
    Sm_Api_Reason_ErrorMessageIsRedirect = 27
    Sm_Api_Reason_Next_Tokencode = 28
    Sm_Api_Reason_New_PIN_Select = 29
    Sm_Api_Reason_New_PIN_Sys_Tokencode = 30
    Sm_Api_Reason_New_User_PIN_Tokencode =
    31Sm_Api_Reason_New_PIN_Accepted = 32
    Sm_Api_Reason_Guest = 33
    Sm_Api_Reason_PWSelfChange = 34
    Sm_Api_Reason_ServerException = 35
    Sm_Api_Reason_UnknownScheme = 36
    Sm_Api_Reason_UnsupportedScheme = 37
    Sm_Api_Reason_Misconfigured = 38
    Sm_Api_Reason_BufferOverflow = 39


  • 3.  RE: Detecting Active Directory Password Expiration

    Posted 08-23-2013 03:32 PM
    Thanks very much for the quick reply! Should theses code be available to the smauthreason directive in the fcc login page and if so do you have a example of how to extract them.