SiteMinder will make the SmAuthReason on the base of the value of userAccountControl. This means, this Authentication Scheme is based on the account state and not the password state.
So, the all possible values of the Disable Flag go like this:
smdisabledflag=0
smdisabledflag=1
smdisabledflag=10
smdisabledflag=16777216
smdisabledflag=16777217
smdisabledflag=16777218
smdisabledflag=16777220
smdisabledflag=2
smdisabledflag=4
smdisabledflag=6
smdisabledflag=8
smdisabledflag=9
which means:
public static final int DMSUSER_DISABLED_ADMINDISABLED 1
public static final int DMSUSER_DISABLED_DISABLEDMASK 16777215
public static final int DMSUSER_DISABLED_ENABLED 0
public static final int DMSUSER_DISABLED_INACTIVITY 4
public static final int DMSUSER_DISABLED_MAXLOGINFAIL 2
public static final int DMSUSER_DISABLED_PEERDISABLED 16
public static final int DMSUSER_DISABLED_PWEXPIRED 8
public static final int DMSUSER_DISABLED_PWMUSTCHANGE 16777216
The remaining reason codes are combinations of what you see from the chart above as:
3 = 1(DMSUSER_DISABLED_ADMINDISABLED) + 2
(DMSUSER_DISABLED_MAXLOGINFAIL)
5 = 4(DMSUSER_DISABLED_INACTIVITY) + 1
(DMSUSER_DISABLED_ADMINDISABLED)
6 = 4(DMSUSER_DISABLED_INACTIVITY) + 2(
DMSUSER_DISABLED_MAXLOGINFAIL )
7=4+2+1
9=8+1
16777217=16777216 + 1
16777218=16777216 + 2
16777220=16777216 + 4
16777221=16777216 + 4+ 1
16777222=16777216 + 4+ 2
So, the Disabled Flag attribute is just a 32-bit integer stored as part of each user's directory record. The Policy Server's directory access layer simply reads and writes the values from the directories. For user directories based on Active Directory, the directory access layer actually computes the Disabled Flag value from various AD status values. When the Policy Server sends a Disabled Flag value to the directory access layer for storage on AD, the reverse computations are made and the AD status values are modified accordingly.
So said, the Policy Server will map the Disable Flag to the SmAuthReason like this:
Reason Disabled flag SMAUTHREASON
Admin disabled 1 7
Inactivity 4 25
Max login failed 2 4
PwExpired 8 19
PwMustChange 16777216 20
[...]
The most important thing to consider is that if the reason "Admin disable" is set, then you will get SmAuthReason 7, as "Admin disable" is given precedence over any other type of reason.
Disabled flag with values as 1, 5, 7, 9, 11, 13, 15 etc will have SMAuthreason as 7 as all of these will be having '1' (disabled due to admin) as one of reasons.
That is why the return codes 532 533 701 you may get from Active Directory for example is not followed browsing LDAP are not corresponding to the SmAuthReason. SiteMinder rely on the Disable Flag value and then, if the SmAuthReason is set to 7, there are big chance that the bit 1 is set to all users Disable Flag values.
Further, SiteMinder treats the "Disabled Flag" integer value as a collection of 32 indicator bits; the low-order 24 bits are reserved as user account disabled bits, and the high-order 8 bits are reserved as user-specific status bits.