The “Authentication Failed” error message is generic and conveys no useful information to the end user. The user assumes the password was mistyped and tries again; when the same message comes back, the user gets frustrated, tries once more, and on the third failed attempt the account is locked.

When the user reports this message to the administrator, the administrator gets no useful information from it either. To find the root cause, the admin has to check several places: authentication server logs, the user's account details, NetScaler logs, possible network issues, and so on.

The same applies when a user tries to change a password. A generic message such as “Password reset failed” is not much use. More specific messages such as “Password expired” or “Complexity requirements not met” point both users and administrators toward the right next step.

The NetScaler AAA module has added a new parameter, “enableEnhancedAuthFeedback”, which lets an admin give more granular and meaningful feedback to the end user when authentication fails. Once the admin enables this parameter at the AAA global level, users receive the exact reason the authentication step is failing, which makes narrowing down the problem and taking corrective action much faster. The parameter is disabled by default because the exact failure reason is itself information: a response that distinguishes “User not found” from “Invalid credentials” lets an unauthenticated client enumerate valid user names, and “Account locked” or “Account disabled” confirms the state of a known account. Some organizations therefore consider the detailed feedback a security hole, so the choice is left to the administrator.

This parameter is applicable for both AAA-TM and NetScaler Gateway features.

CLI

The parameter takes the values YES and NO (default NO):

> set aaa param -enableEnhancedAuthFeedback ( YES | NO )

GUI

The supported error codes are listed below. Codes 4006 and 4007 refer to input passed to nsaaad, the NetScaler authentication daemon.

Error Code   Definition
4001         Invalid credentials (catch-all error from previous versions)
4002         Login not permitted (catch-all error from previous versions)
4003         Server timeout
4004         System error
4005         Socket error talking to authentication server
4006         Bad (format) user passed to nsaaad
4007         Bad (format) password passed to nsaaad
4008         Password mismatch (when entering new password)
4009         User not found
4010         Restricted login hours
4011         Account disabled
4012         Password expired
4013         No dial-in permission (RADIUS specific)
4014         Error changing password
4015         Account locked
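The trade-off described above (detailed feedback versus account enumeration) is easier to reason about with the codes in front of you. The following Python script is an added example, not code from the original post or from NetScaler: it takes a set of authentication-failure records carrying the error codes from the table and flags client addresses that are using the distinction between 4009 (“User not found”) and every other code as an oracle for which user names exist. The record layout, the `AuthFailure` class, the thresholds and the sample events are all constructed for this example and do not reproduce the real NetScaler log format.

```python
"""
Detecting user-name enumeration against a NetScaler AAA front end that
has enableEnhancedAuthFeedback set to YES.

Added example, not part of the original post or of NetScaler itself.
Assumptions (hypothetical, for illustration only): each failed logon is
available as a record with the client IP, the attempted user name and the
nsaaad error code from the table above. The record layout and the sample
events are constructed here and do not match the real NetScaler log format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Subset of the error-code table, used when rendering findings.
ERROR_CODES = {
    4001: "Invalid credentials",
    4009: "User not found",
    4011: "Account disabled",
    4012: "Password expired",
    4015: "Account locked",
}

USER_NOT_FOUND = 4009


@dataclass(frozen=True)
class AuthFailure:
    client_ip: str
    user: str
    code: int


def enumeration_suspects(events, min_distinct_users=5, min_not_found_ratio=0.5):
    """Return {client_ip: summary} for sources whose failures look like
    user-name enumeration: many distinct user names, mostly answered with
    4009.  Any code other than 4009 tells the client that the account
    exists, so those user names are listed as 'confirmed_users'.  With
    enhanced feedback set to NO every one of these answers would have been
    the catch-all 4001/4002 and the oracle would not exist."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.client_ip].append(ev)

    suspects = {}
    for ip, evs in by_ip.items():
        distinct_users = {ev.user for ev in evs}
        not_found = sum(1 for ev in evs if ev.code == USER_NOT_FOUND)
        ratio = not_found / len(evs)
        if len(distinct_users) >= min_distinct_users and ratio >= min_not_found_ratio:
            confirmed = sorted({ev.user for ev in evs if ev.code != USER_NOT_FOUND})
            suspects[ip] = {
                "attempts": len(evs),
                "distinct_users": len(distinct_users),
                "not_found": not_found,
                "confirmed_users": confirmed,
                # Human-readable view of what the oracle leaked per user.
                "leaked": {ev.user: ERROR_CODES.get(ev.code, str(ev.code))
                           for ev in evs if ev.code != USER_NOT_FOUND},
            }
    return suspects


# Constructed sample events (not real traffic).  203.0.113.7 walks a
# user-name list; 198.51.100.4 is one user fat-fingering a password until
# lockout; 192.0.2.9 is a single expired-password failure.
SAMPLE_EVENTS = [
    AuthFailure("203.0.113.7", "alice", 4009),
    AuthFailure("203.0.113.7", "bob", 4009),
    AuthFailure("203.0.113.7", "carol", 4009),
    AuthFailure("203.0.113.7", "dave", 4001),
    AuthFailure("203.0.113.7", "erin", 4009),
    AuthFailure("203.0.113.7", "frank", 4015),
    AuthFailure("203.0.113.7", "grace", 4009),
    AuthFailure("198.51.100.4", "jsmith", 4001),
    AuthFailure("198.51.100.4", "jsmith", 4001),
    AuthFailure("198.51.100.4", "jsmith", 4001),
    AuthFailure("198.51.100.4", "jsmith", 4015),
    AuthFailure("192.0.2.9", "alice", 4012),
]


if __name__ == "__main__":
    for ip, summary in enumeration_suspects(SAMPLE_EVENTS).items():
        print(f"{ip}: {summary['not_found']}/{summary['attempts']} failures were "
              f"'User not found' across {summary['distinct_users']} user names; "
              f"existing accounts confirmed: {summary['leaked']}")
```

The thresholds are deliberately low so the sample trips them; in production they would be tuned to the normal spread of distinct user names per source. The key design point is that only 4009 is treated as “negative”: every other code in the table, including the old catch-all 4001, positively confirms the user name, which is exactly the leak that keeps enableEnhancedAuthFeedback off by default.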