Symantec Access Management


Is there a way to customize basic authentication to give 401 error after single authentication failure

  • 1.  Is there a way to customize basic authentication to give 401 error after single authentication failure

    Posted Feb 25, 2016 08:20 AM

    Hi,

    Usually, in the case of basic authentication, the pop-up comes up thrice (resource protected via basic authentication in SiteMinder) in case of authentication failure (invalid username/password) before throwing a 401 error.

    Is there a way to configure the same after the first invalid authentication, i.e., the user gets a 401 after a single authentication failure?

    We know there is a variable called SMRETRIES in forms authentication (in login.fcc) for controlling the same. Do we have a similar control at the SiteMinder end to configure in the basic authentication case?

    Thanks,

    soumya



  • 2.  Re: Is there a way to customize basic authentication to give 401 error after single authentication failure

    Posted Feb 29, 2016 05:41 AM

    Hi Soumya,

    I looked into this a bit and couldn't find a way to customize the basic auth.

    Cheers,

    Ujwol



  • 3.  Re: Is there a way to customize basic authentication to give 401 error after single authentication failure

    Broadcom Employee
    Posted May 03, 2016 03:40 PM

    You could configure 2 additional Policies:

    Policy 1: OnAuthReject rule tied to an 'OnRejectRedirect' Response. Configure for ALL USERS

    Policy 2: OnAuthAttempt rule tied to an 'OnRejectRedirect' Response. Configure for ALL USERS

    The 'OnRejectRedirect' Response would be the same for both Policies. It should redirect to a page that reads "User Name or Password Incorrect".

    OnAuthReject = Occurs if the authentication failed for a user bound to a policy (bad password).

    OnAuthAttempt = Occurs if the user is rejected because the user can't be found (bad user name).

    If either of these Rules is triggered, the redirect will send the user to the page indicating the Authentication failed due to Invalid UserName or Password. This should allow you to achieve your goal. I would actually expect the default behavior to keep prompting the user to authenticate if Auth failed due to either invalid user name or password by default. I wouldn't expect to get an HTTP 401 error at all.