“Authentication Failed” error message is very generic and doesn’t convey any kind of useful information to the end user. User will think that he mistyped the password and attempts one more time to get authenticated. With same error message again, user gets frustrated. Maybe user will try one more time and yes, this time his account gets locked because three login attempts failed.
When user contacts the administrator and informs this error message, administrator also do not get any useful info out of it. To understand the root cause of the problem, admin has to debug multiple entities like authentication server logs, user account details, NetScaler logs, any network issues etc.
This is the same situation when user is attempting to change his password. A simple generic error message like “Password reset failed” is not of much use. If user is presented with a little bit more useful error messages like “Password expired” or “Complexity requirements not met”, the reaction and next steps of the users and administrators will be much more in the right direction.
The NetScaler AAA module has added support for a new parameter “enableEnhancedAuthFeedback” which enables an admin to provide more granular and meaningful error feedback to the end user during authentication failure. Once admin enables this parameter at AAA global level, users will start receiving the exact reason why the authentication step is failing. This makes it very easy and fast to narrow down the exact problem and take corrective actions. This parameter is disabled by default because showing the exact reason for authentication failure is considered a security hole by some organizations. Hence, it is left to the administrator on the behaviour.
This parameter is applicable for both AAA-TM and NetScaler Gateway features.
> set aaa param -enableEnhancedAuthFeedback
The error codes which are supported are given below.
|4001||Invalid credentials. Catch-all error from previous versions.|
|4002||Login not permitted. Catch-all error from previous versions.|
|4005||Socket error talking to authentication server|
|4006||Bad (format) user passed to nsaaad|
|4007||Bad (format) password passed to nsaaad|
|4008||Password mismatch (when entering new password)|
|4009||User not found|
|4010||Restricted login hours|
|4013||No dial-in permission (RADIUS specific)|
|4014||Error changing password|