000022214 - How to determine which aspect of an RSA ClearTrust user's account or password is the first reason for refusing authentication

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022214
Applies To: RSA ClearTrust 5.5 Authorization Server (AServer)
Issue: How to determine which aspect of an RSA ClearTrust user's account or password is the first reason for refusing authentication
Resolution: The order in which the various aspects of an RSA ClearTrust user's account and password are checked is as follows. The first invalidating condition to hold is returned to the Agent as the reason for refusing authentication; any subsequent conditions that may also hold are not communicated to the Agent:

1. Known user: The user must exist in the repository; if they do not exist, the response code is UNKNOWN_USER

2. Administrative Lockout: If the user account has been administratively locked, the response code is ADMIN_LOCKOUT

3. Bad password: If the user's password is incorrect, or the authenticating authority (e.g. the domain controller for NTLM authentication) returns a refusal to authenticate, the response code is one of BAD_PASSWORD, NTLM_AUTH_FAILED, or CUSTOM_AUTH_FAILED

4. Inactive Account: If the account is disabled, the response code is INACTIVE_ACCOUNT

5. Expired Account: If the account end date has been exceeded, the response code is EXPIRED_ACCOUNT

6. New User Password Expired: For new users with a 'must change password' flag set, the response code is PASSWORD_EXPIRED_NEW_USER

7. Expired Password: When the password is normally expired, the response code is PASSWORD_EXPIRED

8. Forced Expired Password: When the password has been forcibly expired, the response code is PASSWORD_EXPIRED_FORCED
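The following added example (not RSA's code, and not from this article) models the eight checks above as an ordered list and evaluates them against a constructed account snapshot. It is useful when triaging an authentication failure: `first_refusal_reason` gives the single code the Agent will see, while `all_failing_conditions` lists every condition that holds, including the ones masked by an earlier check. The `UserState` fields and `REFERENCE_DATE` are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional

# Constructed "today" used by the example; a real check would use date.today()
REFERENCE_DATE = date(2017, 4, 21)


@dataclass
class UserState:
    """Hypothetical snapshot of an account as the AServer would evaluate it."""
    exists: bool = True                      # user present in the repository
    admin_locked: bool = False               # administrative lockout set
    password_ok: bool = True                 # supplied password is correct
    backend_refusal: Optional[str] = None    # "NTLM_AUTH_FAILED" or "CUSTOM_AUTH_FAILED"
    active: bool = True                      # account not disabled
    account_end: Optional[date] = None       # account end date, None = no end date
    must_change_password: bool = False       # 'must change password' flag (new user)
    password_expired: bool = False           # password expired by normal ageing
    password_force_expired: bool = False     # password forcibly expired


def _password_code(u: UserState) -> Optional[str]:
    # Step 3: a refusal from the authenticating authority keeps its own code,
    # otherwise an incorrect password yields BAD_PASSWORD
    if u.backend_refusal:
        return u.backend_refusal
    return None if u.password_ok else "BAD_PASSWORD"


# The documented check order; the first check that returns a code wins.
CHECKS: List[Callable[[UserState, date], Optional[str]]] = [
    lambda u, _: None if u.exists else "UNKNOWN_USER",                      # 1
    lambda u, _: "ADMIN_LOCKOUT" if u.admin_locked else None,               # 2
    lambda u, _: _password_code(u),                                         # 3
    lambda u, _: None if u.active else "INACTIVE_ACCOUNT",                  # 4
    lambda u, d: "EXPIRED_ACCOUNT" if u.account_end and d > u.account_end else None,  # 5
    lambda u, _: "PASSWORD_EXPIRED_NEW_USER" if u.must_change_password else None,     # 6
    lambda u, _: "PASSWORD_EXPIRED" if u.password_expired else None,        # 7
    lambda u, _: "PASSWORD_EXPIRED_FORCED" if u.password_force_expired else None,     # 8
]


def all_failing_conditions(u: UserState, today: date = REFERENCE_DATE) -> List[str]:
    """Every condition that holds, in check order (the administrator's view)."""
    return [code for check in CHECKS if (code := check(u, today)) is not None]


def first_refusal_reason(u: UserState, today: date = REFERENCE_DATE) -> Optional[str]:
    """The one code reported to the Agent; None means authentication succeeds."""
    codes = all_failing_conditions(u, today)
    return codes[0] if codes else None
```

Note that a disabled account presented with a wrong password is reported as BAD_PASSWORD, not INACTIVE_ACCOUNT, because the password check (step 3) precedes the account-state checks (steps 4 to 8).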
Legacy Article ID: a27433