IdPAuthUserPassLoginPageMSADerror
The LDAP error code for failed login is 49. If you use Microsoft Active Directory for your authentication source you have the ability to parse additional information out of the error 49 code that is returned to the JAAS layer.
"Sub" Error Codes
Here are some of the more useful "sub" error codes that are returned by Active Directory. (someday I'll find the technet article again and link it)
| code | explanation |
|---|---|
| 525 | user not found |
| 52e | invalid credentials |
| 530 | not permitted to logon at this time |
| 531 | not permitted to logon at this workstation |
| 532 | password expired |
| 533 | account disabled |
| 701 | account expired |
| 773 | user must reset password |
| 775 | user account locked |
Make it useful
To begin, the jsp layer of the IdP is an easy place to trap different errors so you can display different text.
First field the error condition (much like the previous example). Next look for the codes you want to relay back to the UX environment.
<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginHandler" %>
<% if (request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY) != null) {
Throwable myEx = (Throwable)request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);
String myErrorString = "";
if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 775")){
log.info("LoginExceptionParser (775) ACCOUNT_LOCKED");
myErrorString = "Account Locked";
} else if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 773")) {
log.info("LoginExceptionParser (773) PASSWORD_EXPIRED");
myErrorString = "Password Expired";
} else if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 532")) {
log.info("LoginExceptionParser (532) PASSWORD_EXPIRED");
myErrorString = "Password Expired";
} else if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 533")) {
log.info("LoginExceptionParser (533) DISABLED");
myErrorString = "Account Disabled";
} else {
log.info("LoginExceptionParser (???) INVALID_CREDENTIALS / OTHER");
myErrorString = "Invalid Username Or Password";
}
%>