Symantec Access Management


How to provide more feedback to User about why their login failed.

  • 1.  How to provide more feedback to User about why their login failed.

    Broadcom Employee
    Posted Dec 04, 2012 02:35 PM

    Tuesday Tip by Gene Howard, Principal Support Engineer, for 12-04-12:

    In some cases you might have an application for which you want to provide more feedback to the end user as to why their login is failing.
    The default behavior of forms-based authentication is to redirect unauthenticated or unauthorized users back to the original login form.

    In this case CA SiteMinder has provided some sample files called:
    1) DynamicRetry.fcc
    2) DynamicRetry.unauth

    which are installed by default with the web agent under:
    agent_home\samples\forms\

    agent_home
    Specifies the SiteMinder Web Agent installation path.

    This sample pair of .fcc files changes the behavior of the redirect. The login page (DynamicRetry.fcc) is configured to send users to the unauthorized page (DynamicRetry.unauth) after one failed login attempt. The unauthorized page is a different HTML page than the login page. As a result, the unauthorized page can contain a message stating why the login failed. By default, the unauthorized page is configured with a message that informs users that they have entered invalid credentials for the resource they are attempting to access.

    Note:
    You can change this message by opening DynamicRetry.unauth and updating the text in between the h3 tags.


    The DynamicRetry.fcc Sample file:
    @username=%USER%
    @smretries=1
    <html>
    <head><title>Sample Login Form</title></head>

    <!-- Cross-frame scripting prevention: This code will prevent this page from being encapsulated within HTML frames. Remove, or comment out, this code if the functionality that is contained in this SiteMinder page is to be included within HTML frames. -->
    <SCRIPT>
    if (top !=self)
    top.location=self.location;
    </SCRIPT>

    <body>
    <h3> Please enter your login credentials</h3>
    <form method=post><table>
    <tr>
    <td>User Name</td>
    <td><input type=text name=USER></td>
    </tr>
    <tr>
    <td>Password</td>
    <td><input type=password name=PASSWORD></td>
    </tr>
    <input type=hidden name=target value="$$target$$">
    <input type=hidden name=smauthreason value="$$smauthreason$$">
    <input type=hidden name=smagentname value="$$smagentname$$">
    <input type=hidden name=postpreservationdata value="$$postpreservationdata$$">
    <tr><td><input type=submit></td></tr>
    </table></form></body>
    </html>

    The DynamicRetry.unauth Sample file:
    @username=%USER%
    @smretries=1
    <html>
    <head><title>Sample Login Form</title></head>
    <body>
    <h3> Your credentials are not valid for $$target$$.</h3>
    <h3> Please try again. </h3>
    <form method=post><table>
    <tr>
    <td>User Name</td>
    <td><input type=text name=USER></td>
    </tr>
    <tr>
    <td>Password</td>
    <td><input type=password name=PASSWORD></td>
    </tr>
    <input type=hidden name=target value="$$target$$">
    <input type=hidden name=smauthreason value="$$smauthreason$$">
    <input type=hidden name=smagentname value="$$smagentname$$">
    <input type=hidden name=smtryno value=0>
    <tr><td><input type=submit></td></tr>
    </table></form>
    <br>
    <br>
    If you have forgotten your password, mail us with your key phrase to obtain a reminder.
    </body>
    </html>


    The smauthreason codes are below and can be used to help customize the messages between the h3 tags:
    Siteminder KB Article:
    https://comm.support.ca.com/?legacyid=TEC450869
    Title: SMAUTHREASON reason code document (Legacy_Onyx KB Id: 176074)


    Description:
    This document lists all the reason codes stored in SMAUTHREASON and the meaning for each code.

    Solution:
    From the API:
    Sm_Api_Reason_None = 0
    Sm_Api_Reason_PwMustChange = 1
    Sm_Api_Reason_InvalidSession = 2
    Sm_Api_Reason_RevokedSession = 3
    Sm_Api_Reason_ExpiredSession = 4
    Sm_Api_Reason_AuthLevelTooLow = 5
    Sm_Api_Reason_UnknownUser = 6
    Sm_Api_Reason_UserDisabled = 7
    Sm_Api_Reason_InvalidSessionId = 8
    Sm_Api_Reason_InvalidSessionIp = 9
    Sm_Api_Reason_CertificateRevoked = 10
    Sm_Api_Reason_CRLOutOfDate = 11
    Sm_Api_Reason_CertRevokedKeyCompromised = 12
    Sm_Api_Reason_CertRevokedAffiliationChange = 13
    Sm_Api_Reason_CertOnHold = 14
    Sm_Api_Reason_TokenCardChallenge = 15
    Sm_Api_Reason_ImpersonatedUserNotInDir = 16
    Sm_Api_Reason_Anonymous = 17
    Sm_Api_Reason_PwWillExpire = 18
    Sm_Api_Reason_PwExpired = 19
    Sm_Api_Reason_ImmedPWChangeRequired = 20
    Sm_Api_Reason_PWChangeFailed = 21
    Sm_Api_Reason_BadPWChange = 22
    Sm_Api_Reason_PWChangeAccepted = 23
    Sm_Api_Reason_ExcessiveFailedLoginAttempts = 24
    Sm_Api_Reason_AccountInactivity = 25
    Sm_Api_Reason_NoRedirectConfigured = 26
    Sm_Api_Reason_ErrorMessageIsRedirect = 27
    Sm_Api_Reason_Next_Tokencode = 28
    Sm_Api_Reason_New_PIN_Select = 29
    Sm_Api_Reason_New_PIN_Sys_Tokencode = 30
    Sm_Api_Reason_New_User_PIN_Tokencode = 31
    Sm_Api_Reason_New_PIN_Accepted = 32
    Sm_Api_Reason_Guest = 33
    Sm_Api_Reason_PWSelfChange = 34
    Sm_Api_Reason_ServerException = 35
    Sm_Api_Reason_UnknownScheme = 36
    Sm_Api_Reason_UnsupportedScheme = 37
    Sm_Api_Reason_Misconfigured = 38
    Sm_Api_Reason_BufferOverflow = 39
    Sm_Api_Reason_SetPersistentSessionFailed = 40
    Sm_Api_Reason_UserLogout = 41
    Sm_Api_Reason_IdleSession = 42
    Sm_Api_Reason_PolicyServerEnforcedTimeout = 43
    Sm_Api_Reason_PolicyServerEnforcedIdle = 44
    Sm_Api_Reason_ImpersonationNotAllowed = 45
    Sm_Api_Reason_ImpersonationNotAllowedUser = 46
    Sm_Api_Reason_FederationNoLoginID = 47
    Sm_Api_Reason_FederationUserNotInDir = 48
    Sm_Api_Reason_FederationInvalidMessage = 49
    Sm_Api_Reason_FederationUnacceptedMessage = 50
    Sm_Api_Reason_ADnativeUserDisabled = 51

    Note:
    This reason code is a duplicate of Sm_Api_Reason_UserDisabled.
    It is used only in the case where the registry key "IgnoreDefaultRedirectOnADnativeDisabled" is set, and an AD native disabled reason is found.
    Since this value duplicates Sm_Api_Reason_UserDisabled, whenever that value is checked, this should probably be checked as well.
    This value is only returned by SnDsLdapProvider::AuthenticateUser.


    Other related information:
    Policy Server Guides › Policy Server Configuration Guide › Authentication Schemes › HTML Forms Authentication Schemes › HTML Forms Authentication Templates › Tell Users Why Login Failed
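
    Editor's added example (not part of Gene's post and not one of CA's sample files): the .unauth page receives the reason code through the $$smauthreason$$ substitution, so the natural next step is to turn that number into a per-reason message instead of one fixed h3 line. The script below does that in the browser, assuming the agent has already substituted $$smauthreason$$ into the hidden smauthreason input of DynamicRetry.unauth and that the page contains an element with id "reason" to write into (the id, the function names and the message wording are this example's own choices). The one caveat a practitioner should carry into any "tell users why login failed" page is username enumeration: if UnknownUser (6), UserDisabled (7/51) and a plain bad password (0) produce different text, the login form becomes an oracle for valid account names, so the example deliberately collapses those codes into one generic message and only distinguishes reasons the user can act on (password expiry, lockout, session timeout, step-up authentication).

```javascript
// Added example (not from the original post or CA's sample files): an
// enumeration-aware mapping from SMAUTHREASON codes to the text a
// DynamicRetry.unauth page may safely show. The code numbers are the ones
// listed in the post; the grouping and wording are this example's own choice.

// Codes that must NOT be distinguished on the page: telling a caller that a
// user name is unknown (6), disabled (7/51), or merely has a bad password (0)
// lets an attacker enumerate valid accounts from the login form.
const GENERIC_FAILURE = new Set([0, 6, 7, 51]);

// Reason codes worth a distinct, actionable message. Each entry: [codes, text].
const REASON_MESSAGES = [
  [[1, 19, 20], 'Your password has expired or must be changed before you can continue.'],
  [[18], 'Your password will expire soon; please change it after signing in.'],
  [[24], 'Too many failed attempts. The account is temporarily locked; try again later or contact the help desk.'],
  [[25], 'This account has been inactive for too long; contact the help desk to reactivate it.'],
  [[2, 3, 4, 8, 9, 41, 42, 43, 44], 'Your session has ended. Please sign in again.'],
  [[5], 'This resource requires a stronger form of authentication.'],
  [[15, 28, 29, 30, 31], 'Additional token authentication is required.'],
  [[10, 11, 12, 13, 14], 'Your certificate was not accepted.'],
  [[35, 36, 37, 38, 39], 'A server error occurred. Please try again later.'],
];

const GENERIC_TEXT = 'Your credentials are not valid for this resource. Please try again.';

// Parse the value the agent substituted for $$smauthreason$$. Anything that is
// not a small non-negative integer (including an unsubstituted "$$smauthreason$$"
// placeholder or a tampered hidden field) is treated as "no reason" (0).
function parseReason(raw) {
  if (typeof raw !== 'string' && typeof raw !== 'number') return 0;
  const s = String(raw).trim();
  if (!/^\d{1,3}$/.test(s)) return 0;
  return Number(s);
}

// Return the message to display for a given SMAUTHREASON value.
function messageForReason(raw) {
  const code = parseReason(raw);
  if (GENERIC_FAILURE.has(code)) return GENERIC_TEXT;
  for (const [codes, text] of REASON_MESSAGES) {
    if (codes.includes(code)) return text;
  }
  // Unlisted or future codes fall back to the generic text rather than
  // leaking the raw number to the user.
  return GENERIC_TEXT;
}

// Browser glue: inside the .unauth page, read the hidden smauthreason input
// (hypothetical id "reason" for the output element) and write the message.
function renderReason(doc) {
  const input = doc.querySelector('input[name="smauthreason"]');
  const out = doc.getElementById('reason');
  if (!input || !out) return null;
  const msg = messageForReason(input.value);
  out.textContent = msg; // textContent, not innerHTML: never render the value as markup
  return msg;
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => renderReason(document));
}
```

    To use it, place the script in the body of DynamicRetry.unauth after the form (so the hidden smauthreason input exists when it runs) and replace the first h3 with `<h3 id="reason"></h3>`; the text between the h3 tags is then chosen per reason code at page load. Because the value is read from the DOM after the agent's substitution, the `$$` directive syntax never appears inside the script itself. Note also that the `top != self` script in the sample forms is a best-effort frame-buster; an X-Frame-Options or Content-Security-Policy frame-ancestors response header is the reliable control, configured on the web server rather than in the FCC.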



  • 2.  RE: How to provide more feedback to User about why their login failed.

    Posted Dec 04, 2012 03:50 PM
    Thanks for all the great info Gene! :grin: