000015720 - How do you map Active Directory LdapErr codes to Access Manager authentication result codes?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000015720
Applies To:
    Access Manager Web Agent IIS V4.8 Agent
    RSA Access Manager 6.1
Issue: How do you map Active Directory LdapErr codes to Access Manager authentication result codes?

When authenticating against Active Directory using bind authentication (cleartrust.data.ldap.password.validate_with_connect : true), Access Manager returns a bad password response even if the account is locked or the password has expired. For example, the access log shows a bad password result regardless of the underlying cause:

sequence_number=333,2010-05-19 09:53:10:734 PDT,messageID=1002,user=user100,client_ip_address=192.168.10.129,client_port=2720,browser_ip_address=127.0.0.1,result_code=2,result_action=Authentication Failure,result_reason=Bad Password

Cause: By default, Access Manager does not match the extended result codes returned by Active Directory and simply returns bad password for any bind authentication failure. Access Manager 6.1 introduced a feature that allows you to map AD extended result codes to Access Manager result codes. To enable this feature you must configure the result codes in the ldap.conf file. To return the user to custom error pages as a result of these codes, you must also define matching error pages in the webagent.conf file.
Resolution

To define extended result codes, modify the cleartrust.data.ldap.errorMessages parameter in the ldap.conf file and create a definition for each result code you wish to map. The following is an example of parameters you may wish to use for Active Directory. See the definition of the parameter in the ldap.conf file for the full list of Access Manager result codes you may map to. Note that you may map multiple Active Directory return codes to the same Access Manager result code.

cleartrust.data.ldap.errorMessages= data 775 = ADMIN_LOCKOUT ; data 533 = INACTIVE_ACCOUNT ; data 701 = EXPIRED_ACCOUNT ; data 532 = PASSWORD_EXPIRED ; data 773 = PASSWORD_EXPIRED_FORCED ; data 773 = EXPIRED_PASSWORD_NEW_USER

To act on these result codes, define custom error pages in your webagent.conf file so that users are directed to a specific page for each of these errors:

cleartrust.agent.login_error_password_expired=
cleartrust.agent.login_error_password_expired_forced=
cleartrust.agent.login_error_password_expired_new_user=
cleartrust.agent.login_auth_inactive_account=
cleartrust.agent.login_auth_expired_account=
cleartrust.agent.login_auth_user_locked_out=

Warning. Exposing extended result codes allows potential attackers to gather additional information about user accounts that may be used in further attacks. You should only direct users to custom error pages where this is absolutely necessary as dictated by your business logic. It is more secure to obfuscate the results of authentication failures.

Notes

Note that Access Manager does a simple substring comparison of the text defined in the cleartrust.data.ldap.errorMessages parameter to determine which result code is matched. When Active Directory returns a result it is typically in the format of a DSID return code with several parameters. To simplify matters it is usually only necessary to match a unique portion of the returned error message. For example, Active Directory returns the following error message when a domain account is inactive:

80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 533, vece

The number after the word "data" (in this case 533) is the string representation of a hexadecimal number corresponding to the error code. Instead of defining the entire error result it is sufficient to define just a unique substring of the error message, as in the example above. Because the comparison is a plain substring match, the substring must be specific enough not to occur in other messages, and where two entries share the same substring only the first one listed can ever match.
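The following is an added illustration (not RSA code) of the substring matching described above: it parses an errorMessages value shaped like the one in the Resolution, applies it to constructed AcceptSecurityContext diagnostics, and falls back to a bad password result (assumed name BAD_PASSWORD) when nothing matches. It also shows why an over-short substring such as "data 53" would match codes 530 through 533.

```python
import re

# Constructed sample value, shaped after the ldap.conf line shown in the Resolution.
# Entries are "<substring> = <RESULT_CODE>" separated by ';'. Hypothetical parser, not RSA's.
ERROR_MESSAGES = (
    "data 775 = ADMIN_LOCKOUT ; data 533 = INACTIVE_ACCOUNT ; "
    "data 701 = EXPIRED_ACCOUNT ; data 532 = PASSWORD_EXPIRED ; "
    "data 773 = PASSWORD_EXPIRED_FORCED ; data 773 = EXPIRED_PASSWORD_NEW_USER"
)

DEFAULT_RESULT = "BAD_PASSWORD"  # assumption: what the agent reports when no entry matches


def parse_error_messages(value):
    """Split the errorMessages value into an ordered list of (substring, result_code)."""
    mappings = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        needle, _, result = entry.partition("=")
        mappings.append((needle.strip(), result.strip()))
    return mappings


def map_ldap_error(diagnostic, mappings, default=DEFAULT_RESULT):
    """Return the first result code whose substring occurs in the AD diagnostic text.
    Plain substring comparison, as the article describes; order in the config decides ties."""
    for needle, result in mappings:
        if needle in diagnostic:
            return result
    return default


def extract_data_code(diagnostic):
    """Pull the hex 'data NNN' token out of an AcceptSecurityContext message (None if absent)."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)\b", diagnostic)
    return m.group(1).lower() if m else None


# Constructed AD diagnostics in the format quoted above (only the data code varies).
PREFIX = "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data "
SAMPLES = {name: PREFIX + code + ", vece" for name, code in [
    ("disabled", "533"), ("locked", "775"), ("must_reset", "773"),
    ("pw_expired", "532"), ("bad_pw", "52e"),
]}

if __name__ == "__main__":
    mappings = parse_error_messages(ERROR_MESSAGES)
    for name, msg in SAMPLES.items():
        print(name, extract_data_code(msg), map_ldap_error(msg, mappings))
```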

Microsoft does not provide an exhaustive list of possible error codes, but the following site lists the more common ones.

http://www-01.ibm.com/support/docview.wss?uid=swg21290631

525  user not found
52e  invalid credentials
530  not permitted to logon at this time
531  not permitted to logon at this workstation
532  password expired
533  account disabled
701  account expired
773  user must reset password
775  user account locked


Also see "What is the priority of return codes generated by Active Directory authentication failures".
Legacy Article ID: a51037
