Status codes
Status codes provide additional information if an operation failed, and help to identify common reasons for authentication failures.
Status code | Status message | Description | Notes |
---|---|---|---|
0 | No error | | |
<all negative codes> | <Error Code> | The status codes from –1 downwards each map to a corresponding error code. | |
1000 | STAT_INVCREDENTIALS | The credentials were invalid | General-purpose error due to invalid user name or password, when a more specific status is unavailable. If the Use Generic Authentication Status Codes policy setting is active, this status is always returned, even if more specific status information is available. The following status codes will be mapped: The real status code and message will still be visible in the audit and trace messages. |
1002 | STAT_GROUPCHK | The user failed the Windows Group Check | The OneSpan Authentication Server rejected an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, reject others. Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy. |
1004 | STAT_EXP_CHALLENGE | The challenge has expired | A response to a challenge was given, but the challenge had already expired. The default expiration time is one minute; this can be changed with the VASCO/Challenge-Cache/Max-Age setting (in seconds) in the configuration file. |
1005 | STAT_PERMISSION | The user does not have permission to perform the specified action | General-purpose failure of an administration command when the administrator does not have sufficient privileges to carry out the command. |
1006 | STAT_LOCALAUTH | The authenticator authentication library is not responsible for this authentication | |
1007 | STAT_LOCKED | The user account is locked | The user account is locked. This is normally due to consecutive login failures, as determined by the policy setting User Lock Threshold. Alternatively, the administrator can actively lock the account. To unlock the user account, an administrator has to uncheck the Locked check box on the user record. |
1008 | STAT_REPLAY | The one-time password has already been used | This status code occurs specifically when an OTP is rejected because it has already been used. It may also occur when the OTP has not been used but is older than the most recently used OTP. This can sometimes happen when an authentication request is re-sent automatically. |
1009 | STAT_DISABLED | The user account is disabled | The user account is disabled. This may be because the administrator has actively disabled the account, or because the corresponding Windows user account has become disabled or expired. |
1010 | STAT_USER_UNKNOWN | No user account was found | An authentication request was rejected because no user account was found and the policy requires local authentication. |
1011 | STAT_LOCAL_PASSWORD_MISMATCH | The static password was incorrect | As part of local authentication, verification of the static password failed. |
1012 | STAT_OTP_INCORRECT | The one-time password was incorrect | The verification of an OTP failed. Note that this can also happen if a score-based authenticator application returns success (valid OTP) with a score warning. More specific details may be found in the VACMAN Controller error code and message. |
1013 | STAT_CHALLENGE_INVALID | The challenge was invalid | A response to a challenge was given, but the challenge was not the latest one issued for that authenticator. This is controlled by the Check Challenge Policy setting. |
1014 | STAT_GRACE_PERIOD_EXPIRED | The authenticator grace period has expired | A user attempted to log in with the static password, but the grace period had already expired. The authenticator must be used to log in. If they do not have their authenticator yet, the administrator will have to allow them more time by modifying the Grace Period End date in their authenticator record. |
1015 | STAT_BVDP_NOT_ALLOWED | Backup Virtual Mobile Authenticator is not allowed | A user attempted to request a backup Virtual Mobile Authenticator OTP, but they were not permitted. This would normally occur when either: In both cases, administrator intervention is required to permit the user to continue to use backup Virtual Mobile Authenticator. The Enabled Until or Uses Remaining limits need to be increased to permit this. Note that the effective setting is the effective setting of the policy, unless the authenticator record overrides the policy. |
1016 | STAT_DIGIPASS_NOT_AVAILABLE | The authenticator is not available | A user attempted Self-Assignment, but the authenticator they requested either could not be found within the search scope or was already assigned to someone else. This may occur because of a mistyped Serial Number. Otherwise, the search scope may be incorrect, or the authenticator may not be in the correct location to be made available to the user. For more information, refer to the OneSpan Authentication Server Product Guide, Section "DIGIPASS Records Location". |
1017 | STAT_INVALID_MDC_SETTINGS / STAT_INVALID_VDP_SETTINGS | The user account has no mobile number for Virtual Mobile Authenticator | A user requested a primary or backup Virtual Mobile Authenticator OTP, but it could not be delivered because the user account had no mobile phone number. In Active Directory this is the first mobile number in the record. |
1018 | STAT_VDP_PASSWORD_MISSING | No password was supplied for a Virtual Mobile Authenticator login | A user attempted a Virtual Mobile Authenticator login, but did not enter a password in the second stage of the login. |
1019 | STAT_CONFIRM_PASSWORD_MISMATCH | The new password confirmation failed | In a password change request, the new password was not confirmed correctly. |
1020 | STAT_LOCAL_AUTH_REJECT | Local authentication failed | General-purpose failure of Local Authentication when a more specific status code is not available. Additional information should provide more specific details. |
1021 | STAT_BACKEND_PWD_EXPIRED | Back-end authentication reported that the password has expired | Back-End Authentication (e.g. Windows) failed because the password was correct but it has expired. |
1022 | STAT_BACKEND_REJECT_STORED_PASS | Back-end authentication failed | Back-End Authentication (e.g. Windows) failed. A specific error code and message will accompany this record. |
1023 | STAT_BACKEND_REJECT_SUPPLIED_PASS | Back-end authentication failed with supplied password | |
1024 | STAT_PASSWORD_FAIL_STRENGTH_CHECK | The static password does not meet the password complexity rules. Verify your OneSpan Authentication Server policy settings. | The following are violations of the password strength rules: |
1025 | STAT_DIGIPASS_EXPIRED | The authenticator has expired. | |
1026 | STAT_PASSWORD_EXPIRED | The static password for local authentication in mode DIGIPASS or Password has expired. | The user attempted to log in but the static password has expired. |
1030 | STAT_INVALID_POLICY | The policy was invalid | An authentication request was rejected because the applicable policy had invalid settings or failed to load. This should not occur, but is possible, for example, due to the delay in Active Directory replication. The two main ways in which a policy can become invalid are: (1) One or more choice list settings are Default in the policy, and in its parent policy if it has one. (2) A circular chain of policies has been created, for example: Policy A inherits from Policy B; Policy B inherits from Policy C; Policy C inherits from Policy A. The policy must be fixed for authentication to be permitted using that policy. |
1031 | STAT_SELF_ASSIGN_DISABLED | The policy does not allow a self-assignment attempt | A user attempted Self-Assignment, but it is not permitted under the policy. |
1032 | STAT_HASH_PWDS_DISALLOWED | Hashed passwords cannot be verified by Windows | An authentication request could not be processed successfully because Back-End Authentication using Windows was required, but the user's password was hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based protocol is used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that utilize a one-way hash of the password entered by the user. Note that the effective back-end authentication setting is the effective setting of the policy, unless the user account overrides the policy. |
1033 | STAT_DIGIPASS_MUST_BE_USED | An authenticator must be used | The effective Local Authentication setting is Digipass Only and the user tried to log in with a static password. Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy. |
1034 | STAT_NO_CHALLRESP_FOR_CHAP | Challenge/Response is not supported by CHAP-based protocols | Challenge/Response is only supported in RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols. |
1035 | STAT_NO_CHALLRESP_FOR_W2K / STAT_NO_CHALLRESP_FOR_W_2_K | Challenge/Response is not supported by Windows 2000 | This status code can only occur in the authenticator plug-in for Microsoft Internet Authentication Service. For Windows 2000 a product limitation inhibits the support of the Challenge/Response mode. This will occur if the user has attempted to request a challenge. |
1036 | STAT_1STEP_CR_DISABLED / STAT_1_STEP_CR_DISABLED | 1-Step Challenge/Response is disabled | A request was made to generate a random challenge for 1-step Challenge/Response, but the applicable policy does not have 1-step Challenge/Response enabled or does not specify the challenge length and check digit indicator. |
1037 | STAT_AUTOLEARN_DISABLED | Password Autolearn is disabled | A request was made to update a user's stored password, but password autolearn is disabled, so the update is not permitted. Password autolearn must be enabled for the password update request to be processed. |
1038 | STAT_SOURCE_LOCATION_MISMATCH | The administration session ID is not known at this location | An administration command has been received, but the internal session ID is not recognized at the location from which the command came. This can only occur by attempting to reuse a session ID from another location. |
1039 | STAT_ADMIN_SESSION_STOPPED | The administration session is no longer active | An administration command has been received, but the session has stopped or is unrecognized. This can occur due to an idle timeout, a maximum session length timeout or a restart of OneSpan Authentication Server. |
1040 | STAT_NO_CHALLRESP_FOR_PWDPROXY | Back-end authentication returned a Challenge that cannot be handled | This can occur when OneSpan Authentication Server forwards a request to a RADIUS Server and the RADIUS Server responds with an Access-Challenge. An Access-Challenge can only be handled when OneSpan Authentication Server forwards the password unmodified to the RADIUS Server. If OneSpan Authentication Server verifies an OTP and forwards the static password to the RADIUS Server, it is not possible to handle an Access-Challenge from the RADIUS Server. It can also occur if you use RADIUS Back-End Authentication for a Microsoft IIS Module. In that case, Access-Challenge is not supported from the RADIUS Server. |
1041 | STAT_DIGIPASS_NOT_FOUND | No authenticator was found for the given Serial Number | During a Self-Assignment attempt, the serial number provided by the user was not found in the data store. This mainly occurs when the serial number is entered incorrectly. It can also occur because the authenticator record is not in the user's domain or organizational unit. |
1042 | STAT_NO_BACKEND_FOR_SELF_ASSIGN | Self-Assignment was attempted but Back-End Authentication did not occur to authenticate the static password | Self-Assignment is not allowed without Back-End Authentication. This is required to validate the static password. |
1050 | STAT_REACTIV_NOT_ALLOWED | Reactivation is not allowed | A reactivation attempt was refused for one of the following reasons: |
1051 | STAT_TOO_MANY_DIGIPASS | Multiple authenticators found where a single authenticator was required | An activation attempt was made where the user had two or more authenticators that could be used. The activation request did not specify which authenticator should be used to handle the request. |
1052 | STAT_NO_PROV_PASSWORD_DEFINED | The user account has no static password to encrypt the activation code | If no Local Authentication or Back-End Authentication is done during an activation request, a static password is required from the user account. The password is used to encrypt the activation code. |
1053 | STAT_NO_DP_FOR_ASSIGN | No authenticator was available for assignment | No available authenticator was found for the Provisioning Register request. The authenticator must be capable of activation and meet the authenticator restrictions in the policy settings if any. |
1054 | STAT_GEN_ACTIVATION_CODE | Error generating activation code | Generation of an activation code for provisioning failed. |
1055 | STAT_READING_SVF | Error reading SVF data | |
1060 | STAT_SIGNATURE_INCORRECT | The Signature failed validation | The verification of a signature failed. Note that this can also happen if a score-based authenticator application returns success (valid OTP) with a score warning. |
1061 | STAT_SIGNATURE_REPLAY | The Signature has already been used | This status code occurs specifically when a signature is rejected because it has already been used. It may also occur when the signature has not been used but is older than the most recently used signature. This behavior depends on the effective Online Signature Level Policy setting. |
1062 | STAT_DP_NOT_HOSTCONF_CAPABLE | A Host/Confirmation Code is required but the authenticator Application is not able to generate it | For an authentication request, a host code was required to be returned. The authenticator application for which the OTP was validated was not capable of generating a host code. For a signature validation request, a confirmation code was required to be returned. The authenticator application for which the signature was validated was not capable of generating a confirmation code. The .dpx file that was used to import the authenticator application controls whether the host or confirmation code can be generated. |
1070 | STAT_CHANGE_ENCRYPTED_PASSWORD | Error while process changed encrypted static password | |
1090 | STAT_MISSING_BACKEND_PROTOCOL | INPUT missing: Back-End Protocol ID | The back-end server group is missing a back-end protocol ID. |
1100 | STAT_ERROR_GENERATE_REGISTRATION_ID | The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to generate the registration identifier. | |
1101 | STAT_ERROR_GENERATE_ACTIVATION_PASSWORD | The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to generate the activation password. | |
1102 | STAT_REGISTERID_NOT_IN_CACHE | The matching registration identifier could not be found in the provisioning system cache. | |
1103 | STAT_FAIL_ENCRYPT_ACTIVATION_CODE | The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to encrypt the activation data. | |
1104 | STAT_FAIL_VERIFY_SERVER_NONCE | The encrypted server nonce received from the client could not be validated. | |
1105 | STAT_FAIL_BIND_DEVICE | | This status code is returned in the following cases: |
1107 | STAT_FAIL_BIND_DEVICE_NOT_SUPPORTED | The authenticator does not support device binding. | |
1108 | STAT_NO_APPLICABLE_DP_FOUND | No authenticator with the required properties could be found. | |
1120 | STAT_NOTIFICATION_DELIVERY_FAILED | A notification for delayed activation could not be sent, because no destination attribute is specified in the user account. | In addition, an audit message W-009002 is recorded. |
1121 | STAT_USER_SYNC_FAILED | User information attribute synchronization failed. | In addition, an audit message W-016004 is recorded. |
1122 | STAT_BACKEND_PASSWORD_FAIL_STRENGTH_CHECK | The password does not comply with the strength rules of the back end. | The following are violations of the password strength rules: |
1123 | STAT_DATA_RECORD_VERSION_UNSUPPORTED | Data migration is enabled, but the migration subsystem is unable to handle the data record. This usually happens if the record data version is unsupported. | In addition, an audit message E-013004 is recorded. |
1124 | STAT_DATA_RECORD_MIGRATION_FAILED | Data migration is enabled, but the migration subsystem cannot migrate the data record. This usually happens if the data migration failed due to an error. | In addition, an audit message E-013003 is recorded. |
1126 | STAT_CANCEL | The server is shutting down and has sent the request to cancel the operation. | |
1127 | STAT_USER_CANCEL | The operation was canceled by the user. | When the user cancels the authentication on the client side, the relevant authentication command fails, and this status code is returned. |
1128 | STAT_NEEDS_APPROVAL | The operation is pending and awaiting approval by an entitled administrator (maker–checker authorization). | When the respective command is executed for the first time, an audit message I-030010 is also recorded. |
1129 | STAT_WRONG_ADMIN | An administrator other than the one who scheduled a pending operation request attempted to finally execute the approved pending operation. Only the administrator who initially created the pending operation can complete it. | In addition, an audit message I-001003 is recorded. |
1132 | STAT_SUCCESSOR_NOT_FOUND | No successor user was found. | The specified successor user was not found. This usually happens when a user account is deleted and its existing items are to be assigned to a successor user that does not exist. |
3001 | STAT_DP_CHALLENGE | An authenticator challenge was returned | This status code is the standard code used when a challenge is issued and does not indicate any kind of error. |
3002 | STAT_NO_CHALLENGE | No challenge was identified for the authentication | A response to a challenge was given, but no challenge could be found. The most likely reason for this to occur is that the challenge is too old and has been removed from the challenge cache. It can also occur if no challenge key was supplied to identify the challenge. |
3003 | STAT_BACKEND_CHALLENGE | Back-end authentication returned a Challenge | This occurs when a RADIUS server responds with an Access-Challenge, in environments where OneSpan Authentication Server can handle this kind of response. |
5001 | STAT_NOT_IN_GROUPS | The user failed the Windows Group Check | OneSpan Authentication Server did not handle an authentication request because the Windows group check failed. This can occur when the effective Windows group check option is Pass requests for users not in listed groups back to host system. Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy. |
5002 | STAT_NO_LOCAL_OR_BACKEND_AUTH | Neither local nor back-end authentication done due to policy and/or user settings | OneSpan Authentication Server decided not to handle an authentication request because the effective Local Authentication and Back-End Authentication settings were both None. Note that the effective settings are the effective settings of the policy, unless the user account overrides the policy. |
5003 | STAT_DP_EXIST_AS_DIFF_TYPE | The authenticator exists as different authenticator type | The authenticator used exists as a different authenticator type in the system. |
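
The two conditions listed under status code 1030 (STAT_INVALID_POLICY), a choice list setting left at Default throughout the inheritance chain and a circular chain of policies, can be checked before a policy goes live. The following is an added example, not OneSpan code; the policy names, setting keys and dictionary layout are assumptions, and the check is generalized to inheritance chains of any length.

```python
# Added example. Policy names, setting keys and the dict layout are
# hypothetical; this is not OneSpan Authentication Server's data model.
DEFAULT = "Default"
CHOICE_SETTINGS = ("local_auth", "backend_auth")  # assumed setting keys

# Constructed sample data.
POLICIES = {
    "Base": {"parent": None,
             "settings": {"local_auth": "Digipass Only", "backend_auth": DEFAULT}},
    "VPN": {"parent": "Base",
            "settings": {"local_auth": DEFAULT, "backend_auth": "Windows"}},
    # Policy A inherits from B, B from C, C from A (the circular chain).
    "A": {"parent": "B", "settings": {}},
    "B": {"parent": "C", "settings": {}},
    "C": {"parent": "A", "settings": {}},
}


def check_policy(name, policies=POLICIES, choice_settings=CHOICE_SETTINGS):
    """Return (valid, reason, effective_settings) for one policy."""
    chain, current = [], name
    while current is not None:
        if current in chain:
            loop = chain[chain.index(current):] + [current]
            return False, "circular chain: " + " -> ".join(loop), {}
        if current not in policies:
            # Assumption: a missing policy is treated as a load failure.
            return False, f"policy {current!r} could not be loaded", {}
        chain.append(current)
        current = policies[current]["parent"]

    effective = {}
    for setting in choice_settings:
        # Walk from the policy itself up through its parents; the first
        # non-Default value becomes the effective setting.
        value = DEFAULT
        for pol in chain:
            value = policies[pol]["settings"].get(setting, DEFAULT)
            if value != DEFAULT:
                break
        if value == DEFAULT:
            return False, f"{setting} is Default throughout the chain", {}
        effective[setting] = value
    return True, "ok", effective


if __name__ == "__main__":
    for policy in ("VPN", "Base", "A"):
        print(policy, check_policy(policy))
```
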