MattDeChellis

How to notify the user,  when the user account is locked in AD?

Discussion created by MattDeChellis Employee on Aug 23, 2011
Latest reply on Jun 19, 2013 by JPerlmutter

SiteMinder returns reason codes for failed authentication. If you are using the AD namespace when you define the SiteMinder directory object, and you have AD Enhanced mode enabled at the Policy Server, then the Policy Server should be returning a reason code that indicates that the user has been locked out. Possible codes for a locked-out user could be:

7 - User Disabled
24 - Excessive Failed Login Attempts
25 - Account inactivity

If the SiteMinder HTML Forms authentication scheme is used, JavaScript in the form could trigger on the reason code to display appropriate messages and even enact different workflows. See the pwservices.fcc file for an out-of-the-box example of how to work with SiteMinder authentication reason codes.

As an alternative, it may be possible to make use of SiteMinder on-auth-denied redirect responses to send a user to a page that could display an appropriate message. The SiteMinder reason code should get sent as a query parameter on the on-denied-redirect URL.
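As an added example (not code from the post above, nor from CA/SiteMinder), here is browser-side JavaScript for the redirect approach: it reads the reason code from the on-auth-denied redirect URL and maps the three codes listed in the post (7, 24, 25) to user-facing messages. Two assumptions are made that the post does not state: that the query parameter is named SMAUTHREASON (SiteMinder's conventional name for it), and that the landing page contains an element with id auth-message to write into. The same messageForReason lookup could equally be driven from the reason-code variable an FCC substitutes into the form.

```javascript
// Added example, not from the original post or from SiteMinder itself.
// Assumptions: the reason code arrives as the SMAUTHREASON query parameter on
// the on-auth-denied redirect URL, and the landing page has <p id="auth-message">.
// Codes 7, 24 and 25 are the ones the post lists; anything else is "unknown".

const REASON_MESSAGES = {
  7: "Your account is disabled. Please contact the help desk.",
  24: "Your account has been locked after too many failed sign-in attempts.",
  25: "Your account has been locked because of inactivity.",
};

const DEFAULT_MESSAGE = "Sign-in failed. Check your user name and password.";

// Extract the reason code from a redirect URL. Returns null when the parameter
// is missing or is not a small non-negative integer, so a tampered value never
// reaches the message lookup as anything but "unknown".
function parseReasonCode(url, paramName = "SMAUTHREASON") {
  let parsed;
  try {
    // The base only matters if a relative URL is passed in.
    parsed = new URL(url, "https://example.invalid/");
  } catch (e) {
    return null;
  }
  const raw = parsed.searchParams.get(paramName);
  if (raw === null || !/^\d{1,5}$/.test(raw)) {
    return null;
  }
  return Number(raw);
}

// Map a reason code to one of the fixed strings above; unrecognised codes
// (including null from parseReasonCode) get the generic message.
function messageForReason(code) {
  if (code === null || !Object.prototype.hasOwnProperty.call(REASON_MESSAGES, code)) {
    return DEFAULT_MESSAGE;
  }
  return REASON_MESSAGES[code];
}

// Browser entry point: render the message with textContent, never innerHTML,
// so nothing taken from the URL is interpreted as markup.
function renderReasonMessage(doc, locationHref) {
  const target = doc.getElementById("auth-message");
  if (!target) return;
  target.textContent = messageForReason(parseReasonCode(locationHref));
}

// Run automatically when loaded in a browser; harmless under Node.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  renderReasonMessage(document, location.href);
}
```

Two points worth keeping in mind with either approach: the reason code is attacker-controllable input on the redirect page, so it is validated as an integer and only ever used as a key into fixed strings, and a distinct "account locked" message tells an anonymous visitor that a given account exists and has been locked, so the wording and the audience of the landing page should be chosen deliberately.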
