The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPAuthUserPassLoginPageMSADerror

The LDAP error code for a failed login is 49. If you use Microsoft Active Directory as your authentication source, you can parse additional information out of the error 49 message that is returned to the JAAS layer.


"Sub" Error Codes


Here are some of the more useful "sub" error codes that are returned by Active Directory. (someday I'll find the technet article again and link it)

code  explanation
525   user not found
52e   invalid credentials
530   not permitted to logon at this time
531   not permitted to logon at this workstation
532   password expired
533   account disabled
701   account expired
773   user must reset password
775   user account locked


Make it useful


To begin, the JSP layer of the IdP is an easy place to trap the different errors so you can display different text.


First, field the error condition (much like the previous example). Next, look for the sub-codes you want to relay back to the UX environment; they appear as "data NNN" inside the "error code 49" exception message.

<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginHandler" %>
<%@ page import="org.slf4j.Logger" %>
<%@ page import="org.slf4j.LoggerFactory" %>

<%! // Logger for the sub-code messages; the IdP bundles SLF4J, so it is available to the page.
    private static final Logger log = LoggerFactory.getLogger("LoginExceptionParser"); %>

<% if (request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY) != null) {

       Throwable myEx = (Throwable)request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);

       // getMessage() may be null; guard it so the error page itself cannot throw.
       String msg = (myEx.getMessage() == null) ? "" : myEx.getMessage();
       String myErrorString = "";

       // AD reports the sub-code as "data NNN" inside the "error code 49" message.
       if(msg.contains("error code 49") && msg.contains("data 775")){
             log.info("LoginExceptionParser (775) ACCOUNT_LOCKED");
             myErrorString = "Account Locked";
       } else if(msg.contains("error code 49") && msg.contains("data 773")) {
             log.info("LoginExceptionParser (773) PASSWORD_EXPIRED");
             myErrorString = "Password Expired";
       } else if(msg.contains("error code 49") && msg.contains("data 532")) {
             log.info("LoginExceptionParser (532) PASSWORD_EXPIRED");
             myErrorString = "Password Expired";
       } else if(msg.contains("error code 49") && msg.contains("data 533")) {
             log.info("LoginExceptionParser (533) DISABLED");
             myErrorString = "Account Disabled";
       } else {
             // Everything else, including 525 (user not found) and 52e, gets the same generic text,
             // so the page does not reveal whether a username exists.
             log.info("LoginExceptionParser (???) INVALID_CREDENTIALS / OTHER");
             myErrorString = "Invalid Username Or Password";
       }
%>
       <p><%= myErrorString %></p>
<% } %>
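As an added standalone example (not code from this page or from the Shibboleth project), the same idea in plain Java: it extracts the "data" sub-code with a regular expression instead of a chain of contains() calls, maps every code in the table above for the log, and keeps the user-facing text coarse so the page cannot be used to tell existing accounts from non-existing ones. It assumes Java 9 or later (for Map.of) and the JNDI message format shown in the comments; the class name and the sample messages are constructed for the example.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Pulls the Active Directory sub-code out of an LDAP "error code 49" exception message. */
public final class AdBindErrorParser {
    /** Sub-code -> explanation, from the table above (the codes are hex, hence "52e"). */
    private static final Map<String, String> SUB_CODES = Map.of(
            "525", "user not found",            "52e", "invalid credentials",
            "530", "not permitted to logon at this time", "531", "not permitted to logon at this workstation",
            "532", "password expired",          "533", "account disabled",
            "701", "account expired",           "773", "user must reset password",
            "775", "user account locked");
    // JNDI renders an AD bind failure as e.g. "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
    // comment: AcceptSecurityContext error, data 775, v1db1]": three hex digits after "data ", outer code 49.
    private static final Pattern SUB_CODE = Pattern.compile("error code 49\\b.*?\\bdata ([0-9a-fA-F]{3})\\b");

    /** Returns the sub-code in lower case (e.g. "775"), or null if this is not an AD error 49. */
    public static String subCode(String message) {
        if (message == null) return null;
        Matcher m = SUB_CODE.matcher(message);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    /** Explanation for the IdP log only; never put the raw exception text on the page. */
    public static String explain(String message) {
        String code = subCode(message);
        if (code == null) return "not an AD error 49";
        return code + " " + SUB_CODES.getOrDefault(code, "(sub-code not in table)");
    }

    /** Text safe to show on the login page: only account-state problems are distinguished, and
     *  525 (user not found) gets the same text as 52e so the page cannot be used to enumerate accounts. */
    public static String userMessage(String message) {
        String code = subCode(message);
        if ("775".equals(code)) return "Account Locked";
        if ("773".equals(code) || "532".equals(code)) return "Password Expired";
        if ("533".equals(code)) return "Account Disabled";
        return "Invalid Username Or Password";
    }

    public static void main(String[] args) {
        // Constructed sample messages in the JNDI format; not captured from a real IdP.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1db1]",
            "[LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0]" };
        for (String s : samples) System.out.println(explain(s) + " -> \"" + userMessage(s) + "\"");
    }
}
```

In a JSP you would call userMessage() on the exception's getMessage() where the scriptlet above builds myErrorString, and explain() for the log line.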