Symantec Access Management

  • 1.  Policy-server smauthreason codes: ErrorMessageIsRedirect

    Posted Mar 26, 2018 06:15 PM

    Hi,

    During monitoring of logs, I am coming across this authreasoncode: ErrorMessageIsRedirect a lot of times. I am looking for some help to understand this code better.

    Also I have the list of siteminder authreason codes but don't have the exact details as to what that means and why it occurs though some of them are obvious by their names. Is there any documentation for the same?

    Thanks



  • 2.  Re: Policy-server smauthreason codes: ErrorMessageIsRedirect
    Best Answer

    Posted Mar 27, 2018 06:05 AM

    Hi PSoni2,

     

    SiteMinder returns reason codes for failed authentication.

    The basic control flow relating to the Disabled Flag attribute during user authentication is:

    1. user is challenged for credentials (assume user ID and password)

    2. Disabled Flag attribute for the user is fetched/calculated

    3. If any of the disabled bits covered by Sm_Api_Disabled_DisabledMask are already set, authentication fails with the reason code Sm_Api_Reason_UserDisabled (7).

    4. If the user's credentials are not correct, authentication fails and an appropriate reason code is returned depending on password policies, etc. Note that if the maximum number of allowed failed login attempts is exceeded here, the Sm_Api_Disabled_MaxLoginFail disabled bit in the user's Disabled Flag would also be set.

    5. If the credentials are correct, other statuses are checked:

      1. if the account inactivity limit was exceeded, the Sm_Api_Disabled_Inactivity disabled bit is set and Sm_Api_Reason_AccountInactivity is returned.

      2. if the password change time limit was exceeded, the Sm_Api_Disabled_PWExpired disabled bit is set and Sm_Api_Reason_PwExpired is returned.

      3. if the password age is in the must change window, the Sm_Api_Disabled_PWMustChange status bit is set and depending on other settings (e.g. grace period) either Sm_Api_Reason_PwMustChange or Sm_Api_Reason_ImmedPWChangeRequired is returned.

    6. If the credentials are correct and none of the above returns were triggered, then if the Sm_Api_Disabled_PWMustChange status bit is set, Sm_Api_Reason_ImmedPWChangeRequired is returned.

    Note that certain system errors during the above processing would cause Sm_Api_Reason_UnknownUser to be returned.

    It should be apparent from the above sequence that the Sm_Api_Disabled_PWMustChange status bit might be set during an authentication attempt and a subsequent attempt could cause a disabled bit to then be set as well. Also, the Admin UI can be used to set/clear the Sm_Api_Disabled_PWMustChange status bit for a user independently of the state of any of the other bits.

    When Directory Mapping is used, then during the user's authorization phase the Disabled Flag attribute for the user is refetched/recalculated. If any of the disabled bits covered by Sm_Api_Disabled_DisabledMask are set, authorization fails with the reason code Sm_Api_Reason_UserDisabled (7).

    Appendix : SmAuthReason:

        Sm_Api_Reason_None = 0
        Sm_Api_Reason_PwMustChange = 1
        Sm_Api_Reason_InvalidSession = 2
        Sm_Api_Reason_RevokedSession = 3
        Sm_Api_Reason_ExpiredSession = 4
        Sm_Api_Reason_AuthLevelTooLow = 5
        Sm_Api_Reason_UnknownUser = 6
        Sm_Api_Reason_UserDisabled = 7
        Sm_Api_Reason_InvalidSessionId = 8
        Sm_Api_Reason_InvalidSessionIp = 9
        Sm_Api_Reason_CertificateRevoked = 10
        Sm_Api_Reason_CRLOutOfDate = 11
        Sm_Api_Reason_CertRevokedKeyCompromised = 12
        Sm_Api_Reason_CertRevokedAffiliationChange = 13
        Sm_Api_Reason_CertOnHold = 14
        Sm_Api_Reason_TokenCardChallenge = 15
        Sm_Api_Reason_ImpersonatedUserNotInDir = 16
        Sm_Api_Reason_Anonymous = 17
        Sm_Api_Reason_PwWillExpire = 18
        Sm_Api_Reason_PwExpired = 19
        Sm_Api_Reason_ImmedPWChangeRequired = 20
        Sm_Api_Reason_PWChangeFailed = 21
        Sm_Api_Reason_BadPWChange = 22
        Sm_Api_Reason_PWChangeAccepted = 23
        Sm_Api_Reason_ExcessiveFailedLoginAttempts = 24
        Sm_Api_Reason_AccountInactivity = 25
        Sm_Api_Reason_NoRedirectConfigured = 26
        Sm_Api_Reason_ErrorMessageIsRedirect = 27
        Sm_Api_Reason_Next_Tokencode = 28
        Sm_Api_Reason_New_PIN_Select = 29
        Sm_Api_Reason_New_PIN_Sys_Tokencode = 30
        Sm_Api_Reason_New_User_PIN_Tokencode = 31
        Sm_Api_Reason_New_PIN_Accepted = 32
        Sm_Api_Reason_Guest = 33
        Sm_Api_Reason_PWSelfChange = 34
        Sm_Api_Reason_ServerException = 35
        Sm_Api_Reason_UnknownScheme = 36
        Sm_Api_Reason_UnsupportedScheme = 37
        Sm_Api_Reason_Misconfigured = 38
        Sm_Api_Reason_BufferOverflow = 39
        Sm_Api_Reason_SetPersistentSessionFailed = 40
        Sm_Api_Reason_UserLogout = 41
        Sm_Api_Reason_IdleSession = 42
        Sm_Api_Reason_PolicyServerEnforcedTimeout = 43
        Sm_Api_Reason_PolicyServerEnforcedIdle = 44
        Sm_Api_Reason_ImpersonationNotAllowed = 45
        Sm_Api_Reason_ImpersonationNotAllowedUser = 46
        Sm_Api_Reason_FederationNoLoginID = 47
        Sm_Api_Reason_FederationUserNotInDir = 48
        Sm_Api_Reason_FederationInvalidMessage = 49
        Sm_Api_Reason_FederationUnacceptedMessage = 50
        Sm_Api_Reason_ADnativeUserDisabled = 51


    Thanks,
    Shankar
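
The control flow in steps 3 to 6 of the answer above, modelled as an added example that is not part of the original post and is not SiteMinder code. The reason-code numbers come from the appendix; the bit positions, the `grace` switch (which setting picks PwMustChange over ImmedPWChangeRequired) and the `None` return for the policy-dependent failure in step 4 are assumptions made for the sketch.

```python
# Reason codes copied from the appendix in the post.
NONE, PW_MUST_CHANGE, USER_DISABLED = 0, 1, 7
PW_EXPIRED, IMMED_PW_CHANGE, ACCOUNT_INACTIVITY = 19, 20, 25

# Constructed bit positions (assumption; take real values from the SDK headers).
# The post only implies that PWMustChange is a status bit outside the DisabledMask.
MAX_LOGIN_FAIL, INACTIVITY, PWD_EXPIRED = 0x2, 0x4, 0x8
DISABLED_MASK = 0x00FFFFFF
PWD_MUST_CHANGE = 0x01000000


def authenticate(flags, creds_ok, *, fails_exceeded=False, inactive=False,
                 pw_expired=False, in_change_window=False, grace=True):
    """Return (reason, new_flags); reason None means the policy-dependent failure of step 4."""
    # Step 3: a disabled bit that is already set fails the attempt outright.
    if flags & DISABLED_MASK:
        return USER_DISABLED, flags
    # Step 4: bad credentials; the lockout bit is set if the limit is exceeded.
    if not creds_ok:
        return None, (flags | MAX_LOGIN_FAIL if fails_exceeded else flags)
    # Step 5: credentials are correct, other statuses are checked in order.
    if inactive:
        return ACCOUNT_INACTIVITY, flags | INACTIVITY
    if pw_expired:
        return PW_EXPIRED, flags | PWD_EXPIRED
    if in_change_window:
        reason = PW_MUST_CHANGE if grace else IMMED_PW_CHANGE
        return reason, flags | PWD_MUST_CHANGE
    # Step 6: status bit left over from an earlier attempt or set by an admin.
    if flags & PWD_MUST_CHANGE:
        return IMMED_PW_CHANGE, flags
    return NONE, flags


def replay(flags, attempts):
    """Run successive attempts, carrying the Disabled Flag from one to the next."""
    reasons = []
    for attempt in attempts:
        reason, flags = authenticate(flags, **attempt)
        reasons.append(reason)
    return reasons, flags


if __name__ == "__main__":
    # Constructed sequence: must-change window, then a lockout, then a correct login.
    print(replay(0, [dict(creds_ok=True, in_change_window=True),
                     dict(creds_ok=False, fails_exceeded=True),
                     dict(creds_ok=True)]))
```

The constructed sequence shows why a user with a correct password can still be logged as UserDisabled (7): the lockout bit set by an earlier failed attempt is checked before the credentials are.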


  • 3.  Re: Policy-server smauthreason codes: ErrorMessageIsRedirect

    Posted Apr 02, 2018 09:57 AM

    Thank you so much Shankar.