Display same error message for both account lockout (SmAuthReason=24) and for invalid credentials (SmAuthReason=0)

Document ID : KB000051332
Last Modified Date : 14/02/2018

Description:

Consistent behavior of the Policy Server, in terms of URL and error messages, when a user logs in to a locked-out account versus when a user logs in with invalid credentials.

For security reasons, the customer wanted consistency in URL and error messages between a login to a locked-out account and a login with invalid credentials: a distinguishable lockout response tells whoever submits the login that the account exists and is currently locked. Currently the Policy Server behaves differently in the two cases and returns different error messages, because it sends a different SmAuthReason in each scenario. When a user account is locked out due to excessive failed login attempts, the Policy Server returns SmAuthReason 24 and the user is shown a different message (which includes the username) from the one shown when the smretries count is exhausted due to invalid credentials.

Solution:

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create back up of the registry and ensure that you understand how to restore the registry if a problem may occur.
For more information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com.

Beginning with SiteMinder Policy Server version 6.0 SP6 (for 6.x) and R12-SP2-CR1 (for R12.x):

New functionality has been introduced under which SmAuthReason is set to 0 in the account-lockout case (currently the Policy Server returns SmAuthReason 24 and displays a different error message), bringing it in line with the invalid-credentials case, where the Policy Server returns SmAuthReason 0.

As a result, the user is presented with the login challenge again, as happens for invalid credentials, instead of the current error message specific to a locked-out account. If smretries is set, the user is shown the incorrect-credentials error message once the smretries count is exhausted.

This makes the behavior consistent in both scenarios.

A new registry key has been introduced:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\RechallengeDisabledUser

Setting it to 1 invokes the new functionality. At the default value, 0, the existing functionality is retained.
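The following PowerShell script is an added example, not part of this article or the product, showing how to apply the key above in a reproducible way on the Policy Server host: it exports the parent key first (as the backup note above advises), reports the current setting, writes the value, and verifies it. It assumes an elevated session and that RechallengeDisabledUser is a DWORD value; the article gives only the values 0 and 1, not the type.

```powershell
# Added example (not from the KB article). Assumes an elevated PowerShell
# session on the Policy Server host and that RechallengeDisabledUser is a
# DWORD value (the article states the values 0 and 1 but not the type).

$keyPath   = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer'
$valueName = 'RechallengeDisabledUser'
$backup    = Join-Path $env:TEMP ("PolicyServer-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# 1. Back up the parent key before changing anything (reg.exe export).
$regKey = $keyPath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed; aborting without changes." }
Write-Host "Backup written to $backup"

# 2. Show the current state; a missing value means the default behaviour (0).
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }
Write-Host "Current $valueName = $current (0 = SmAuthReason 24 on lockout, 1 = rechallenge with SmAuthReason 0)"

# 3. Enable the consistent behaviour: lockout is reported like invalid credentials.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Verify the write before relying on it.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne 1) { throw "Verification failed: $valueName is $after, expected 1." }
Write-Host "$valueName set to 1."
```

Rerunning the script with -Value 0 in step 3 restores the default behaviour, or the exported .reg file can be re-imported with reg.exe import.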