|Applies To||Access Manager Web Agent IIS V4.8 Agent; RSA Access Manager 6.1|
|Issue||How do you map Active Directory LdapErr codes to Access Manager authentication result codes?|
When authenticating against Active Directory using bind authentication (cleartrust.data.ldap.password.validate_with_connect :true), Access Manager returns a bad password response even if the account is locked or the password has expired, as in the following log entry:
sequence_number=333,2010-05-19 09:53:10:734 PDT,messageID=1002,user=user100,client_ip_address=192.168.10.129,client_port=2720,browser_ip_address=127.0.0.1,result_code=2,result_action=Authentication Failure,result_reason=Bad Password
|Cause||Access Manager by default does not match extended result codes returned by Active Directory and simply returns bad password for any bind authentication failure. In Access Manager 6.1 a new feature was introduced that allows you to map AD extended result codes to Access Manager result codes. To enable this feature you must configure the result codes in the ldap.conf file. In order to return the user to custom error pages as a result of these codes you must also define matching error pages in the webagent.conf file.|
To define extended result codes, modify the cleartrust.data.ldap.errorMessages parameter in the ldap.conf file and create a definition for each result code you wish to map. The following is an example of parameters you may wish to use for Active Directory. See the definition of the parameter in the ldap.conf file for a full list of possible Access Manager result codes you may map to. Note that you may wish to map multiple Active Directory return codes to the same Access Manager result code.
cleartrust.data.ldap.errorMessages= data 775 = ADMIN_LOCKOUT ; data 533 = INACTIVE_ACCOUNT ; data 701 = EXPIRED_ACCOUNT ; data 532 = PASSWORD_EXPIRED ; data 773 = PASSWORD_EXPIRED_FORCED ; data 773 = EXPIRED_PASSWORD_NEW_USER
In order to take action against these result codes you may wish to define custom error pages in your webagent.conf file to direct users to custom pages for these errors.
Warning. Exposing extended result codes allows a potential attacker to gather additional information about user accounts (for example whether an account is locked, disabled or has an expired password) that may be used in further attacks. You should only direct users to custom error pages where this is absolutely necessary as dictated by your business logic. It is more secure to obfuscate the results of authentication failures.
Note that Access Manager does a simple substring comparison of the text defined in the cleartrust.data.ldap.errorMessages parameter to determine which result code is matched. When Active Directory returns a result it is typically in the format of a DSID return code with several parameters. To simplify matters it is usually only necessary to match a unique portion of the returned error message. For example, Active Directory returns the following error message when a domain account is inactive:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 533, vece
The number after the word "data" (in this case 533) is the string representation of a hexadecimal number corresponding to the error code, and it uniquely identifies the condition. Instead of defining the entire error result it is sufficient to define just a unique substring of the error message, as in the example.
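The following is an added example, not Access Manager code, that shows how the substring matching described above behaves: it parses the cleartrust.data.ldap.errorMessages value from this article and resolves a constructed AD bind error against it. It assumes that entries are tried in order with the first hit winning, and uses a hypothetical BAD_PASSWORD name for the unmatched default, since the page does not name that result code.

```python
import re

# The cleartrust.data.ldap.errorMessages value quoted in this article.
ERROR_MESSAGES = ("data 775 = ADMIN_LOCKOUT ; data 533 = INACTIVE_ACCOUNT ; "
                  "data 701 = EXPIRED_ACCOUNT ; data 532 = PASSWORD_EXPIRED ; "
                  "data 773 = PASSWORD_EXPIRED_FORCED ; data 773 = EXPIRED_PASSWORD_NEW_USER")

# Hypothetical name for the fallback (the "Bad Password" behaviour described
# in the article); the real result-code name is not given on the page.
DEFAULT_RESULT = "BAD_PASSWORD"


def parse_error_messages(value):
    """Split the parameter value into an ordered list of (substring, result_code)."""
    mappings = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        # Each entry is "<substring to match> = <Access Manager result code>".
        pattern, sep, code = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed errorMessages entry: {entry!r}")
        mappings.append((pattern.strip(), code.strip()))
    return mappings


def map_bind_error(ldap_error, mappings, default=DEFAULT_RESULT):
    """Return the result code whose substring appears in the AD error text.

    Plain substring comparison, as the article describes. Assumption (not
    stated on the page): entries are tried in order and the first hit wins,
    so "data 773" resolves to PASSWORD_EXPIRED_FORCED here.
    """
    for substring, code in mappings:
        if substring in ldap_error:
            return code
    return default


def ad_data_code(ldap_error):
    """Pull the hexadecimal 'data NNN' token out of an AD bind error, if present."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)\b", ldap_error)
    return m.group(1) if m else None


# Constructed AD bind error (the disabled-account message quoted in the article).
SAMPLE_ERROR = ("80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext "
                "error, data 533, vece")

if __name__ == "__main__":
    rules = parse_error_messages(ERROR_MESSAGES)
    print(ad_data_code(SAMPLE_ERROR), map_bind_error(SAMPLE_ERROR, rules))
```

Because the comparison is a plain substring test, a pattern such as "data 533" would also match a longer token like "data 5330", so choose substrings that cannot occur inside other codes.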
Microsoft does not provide an exhaustive list of possible error codes, but the following site lists the more common ones.
525 user not found
Also see "What is the priority of return codes generated by Active Directory Authentication failures".
|Legacy Article ID||a51037|