Status codes

Status codes provide additional information if an operation failed, and help to identify common reasons for authentication failures.

Table: Status codes
Status code Status message Description Notes
0   No error  
<all negative codes>   <Error Code> The status codes from –1 downwards match to a corresponding error code.
1000 STAT_INVCREDENTIALS The credentials were invalid

General-purpose error due to invalid user name or password, when a more specific status is unavailable.

If the Use Generic Authentication Status Codes policy setting is active, this status is always returned, even if more specific status information is available.

The following status codes will be mapped:

  • 1007
  • 1009
  • 1010
  • 1011
  • 1012
  • 1023
  • 1025
  • 1033

The real status code and message will still be visible in the audit and trace messages.

1002 STAT_GROUPCHK The user failed the Windows Group Check

The OneSpan Authentication Server rejected an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, reject others.

Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy.

1004 STAT_EXP_CHALLENGE The challenge has expired A response to challenge has been given, but the expiration time for the challenge has expired. The default expiration time is one minute, however this can be configured in the configuration file VASCO/Challenge-Cache/Max-Age setting (in seconds).
1005 STAT_PERMISSION The user does not have permission to perform the specified action General-purpose failure of an administration command when the administrator does not have sufficient privileges to carry out the command.
1006 STAT_LOCALAUTH The authenticator authentication library is not responsible for this authentication
1007 STAT_LOCKED The user account is locked

The user account is locked. This is normally due to consecutive login failures, as determined by the policy setting User Lock Threshold. Alternatively, the administrator can actively lock the account.

To unlock the user account, an administrator has to uncheck the Locked check box on the user record.

1008 STAT_REPLAY The one-time password has already been used

This status code occurs specifically when an OTP is rejected because it has already been used. It may also occur when the OTP has not been used but is older than the most recently used OTP.

This can sometimes happen when an authentication request is re-sent automatically.

1009 STAT_DISABLED The user account is disabled The user account is disabled. This may be because the administrator has actively disabled the account, or because the corresponding Windows user account has become disabled or expired.
1010 STAT_USER_UNKNOWN No user account was found An authentication request was rejected because no user account was found and the policy requires local authentication.
1011 STAT_LOCAL_PASSWORD_MISMATCH The static password was incorrect As part of local authentication, verification of the static password failed.
1012 STAT_OTP_INCORRECT The one-time password was incorrect The verification of an OTP failed. Note that this can also happen if a score-based authenticator application returns success (valid OTP) with a score warning. More specific details may be found in the VACMAN Controller error code and message.
1013 STAT_CHALLENGE_INVALID The challenge was invalid A response to a challenge was given, but the challenge was not the latest one issued for that authenticator. This is controlled by the Check Challenge Policy setting.
1014 STAT_GRACE_PERIOD_EXPIRED The authenticator grace period has expired

A user attempted to log in with the static password, but the grace period had already expired. The authenticator must be used to log in.

If they do not have their authenticator yet, the administrator will have to allow them more time by modifying the Grace Period End date in their authenticator record.

1015 STAT_BVDP_NOT_ALLOWED Backup Virtual Mobile Authenticator is not allowed

A user attempted to request a backup Virtual Mobile Authenticator OTP, but they were not permitted. This would normally occur when either:

  • The effective backup Virtual Mobile Authenticator enabled setting is Yes – Time Limited, and the backup Virtual Mobile Authenticator Enabled Until date is the current date or before.
  • The backup Virtual Mobile Authenticator Uses Remaining counter has reached 0.

In both cases, administrator intervention is required to permit the user to continue to use backup Virtual Mobile Authenticator. The Enabled Until or Uses Remaining limits need to be increased to permit this.

Note that the effective setting is the effective setting of the policy, unless the authenticator record overrides the policy.

1016 STAT_DIGIPASS_NOT_AVAILABLE The authenticator is not available

A user attempted Self-Assignment, but the authenticator they requested either could not be found within the search scope or was already assigned to someone else.

This may occur because of a mistyped Serial Number. Otherwise, the search scope may be incorrect, or the authenticator may not be in the correct location to be made available to the user. For more information, refer to the OneSpan Authentication Server Product Guide, Section "DIGIPASS Records Location".

1017 STAT_INVALID_MDC_SETTINGS / STAT_INVALID_VDP_SETTINGS The user account has no mobile number for Virtual Mobile Authenticator A user requested a primary or backup Virtual Mobile Authenticator OTP, but it could not be delivered because the user account had no mobile phone number. In Active Directory this is the first mobile number in the record.
1018 STAT_VDP_PASSWORD_MISSING No password was supplied for a Virtual Mobile Authenticator login A user attempted a Virtual Mobile Authenticator login, but did not enter a password in the second stage of the login. For more information, see 2-step Virtual Mobile Authenticator logon.
1019 STAT_CONFIRM_PASSWORD_MISMATCH The new password confirmation failed In a password change request, the new password was not confirmed correctly.
1020 STAT_LOCAL_AUTH_REJECT Local authentication failed General-purpose failure of Local Authentication when a more specific status code is not available. Additional information should provide more specific details.
1021 STAT_BACKEND_PWD_EXPIRED Back-end authentication reported that the password has expired Back-End Authentication (e.g. Windows) failed because the password was correct but it has expired.
1022 STAT_BACKEND_REJECT_STORED_PASS Back-end authentication failed Back-End Authentication (e.g. Windows) failed. A specific error code and message will accompany this record.
1023 STAT_BACKEND_REJECT_SUPPLIED_PASS Back-end authentication failed with supplied password
1024 STAT_PASSWORD_FAIL_STRENGTH_CHECK The static password does not meet the password complexity rules. Verify your OneSpan Authentication Server policy settings.

The following are violations of the password strength rules:

  • Password length is incorrect.
  • Password does not contain a sufficient number of unique characters.
  • The same password has already been used (too) recently.
  • The password does not comply with any other of the password policy requirements.
1025 STAT_DIGIPASS_EXPIRED The authenticator has expired.
1026 STAT_PASSWORD_EXPIRED The static password for local authentication in mode DIGIPASS or Password has expired. The user attempted to login but the static password has expired.
1030 STAT_INVALID_POLICY The policy was invalid

An authentication request was rejected because the applicable policy had invalid settings or failed to load. This should not occur, but is possible due to the delay in Active Directory replication for example. The two main ways in which a policy can become invalid are:

One or more choice list settings are Default in the policy, and its parent policy if it has one.

A circular chain of Policies has been created, for example: Policy A inherits from Policy B; Policy B inherits from Policy C; Policy C inherits from Policy A.

The policy must be fixed for authentication to be permitted using that policy.

1031 STAT_SELF_ASSIGN_DISABLED The policy does not allow a self-assignment attempt A user attempted Self-Assignment, but it is not permitted under the policy.
1032 STAT_HASH_PWDS_DISALLOWED Hashed passwords cannot be verified by Windows

An authentication request could not be processed successfully because Back-End Authentication using Windows was required, but the user's password was hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based protocol is used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that utilize a one-way hash of the password entered by the user.

Note that the effective back-end authentication setting is the effective setting of the policy, unless the user account overrides the policy.

1033 STAT_DIGIPASS_MUST_BE_USED An authenticator must be used

The effective Local Authentication setting is Digipass Only and the user tried to log in with a static password.

Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy.

1034 STAT_NO_CHALLRESP_FOR_CHAP Challenge/Response is not supported by CHAP-based protocols Challenge/Response is only supported in RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols.
1035 STAT_NO_CHALLRESP_FOR_W2K / STAT_NO_CHALLRESP_FOR_W_2_K Challenge/Response is not supported by Windows 2000 This status code can only occur in the authenticator plug-in for Microsoft Internet Authentication Service. For Windows 2000 a product limitation inhibits the support of the Challenge/Response mode. This will occur if the user has attempted to request a challenge.
1036 STAT_1STEP_CR_DISABLED / STAT_1_STEP_CR_DISABLED 1-Step Challenge/Response is disabled A request was made to generate a random challenge for 1-step Challenge/Response, but the applicable policy does not have 1-step Challenge/Response enabled or does not specify the challenge length and check digit indicator.
1037 STAT_AUTOLEARN_DISABLED Password Autolearn is disabled A request was made to update a user's stored password, but password autolearn is disabled, so the update is not permitted. Password autolearn must be enabled for the password update request to be processed.
1038 STAT_SOURCE_LOCATION_MISMATCH The administration session ID is not known at this location An administration command has been received, but the internal session ID is not recognized at the location from which the command came. This can only occur by attempting to reuse a session ID from another location.
1039 STAT_ADMIN_SESSION_STOPPED The administration session is no longer active An administration command has been received, but the session has stopped or is unrecognized. This can occur due to an idle timeout, a maximum session length timeout or a restart of OneSpan Authentication Server.
1040 STAT_NO_CHALLRESP_FOR_PWDPROXY Back-end authentication returned a Challenge that cannot be handled

This can occur when OneSpan Authentication Server forwards a request to a RADIUS Server and the RADIUS Server responds with an Access-Challenge. An Access-Challenge can only be handled when OneSpan Authentication Server forwards the password unmodified to the RADIUS Server. If OneSpan Authentication Server verifies an OTP and forwards the static password to the RADIUS Server, it is not possible to handle an Access-Challenge from the RADIUS Server.

It can also occur if you use RADIUS Back-End Authentication for a Microsoft IIS Module. In that case, Access-Challenge is not supported from the RADIUS Server.

1041 STAT_DIGIPASS_NOT_FOUND No authenticator was found for the given Serial Number During a Self-Assignment attempt, the serial number provided by the user was not found in the data store. This mainly occurs when the serial number is entered incorrectly. It can also occur because the authenticator record is not in the user's domain or organizational unit.
1042 STAT_NO_BACKEND_FOR_SELF_ASSIGN Self-Assignment was attempted but Back-End Authentication did not occur to authenticate the static password Self-Assignment is not allowed without Back-End Authentication. This is required to validate the static password.
1050 STAT_REACTIV_NOT_ALLOWED Reactivation is not allowed

A reactivation attempt was refused for one of the following reasons:

  • The authenticator has already been activated from the maximum number of allowed locations. This limit is controlled by the configuration setting Max Locations of the provisioning scenario.
  • The maximum number of allowed activation attempts has already been reached. This limit is controlled by the Provisioning Scenario configuration setting Max Attempts.
  • The minimum time interval required between activation attempts has not yet been reached since the last activation attempt. This limit is controlled by the configuration setting Min Interval of the provisioning scenario.
1051 STAT_TOO_MANY_DIGIPASS Multiple authenticators found where a single authenticator was required An activation attempt was made where the user had two or more authenticators that could be used. The activation request did not specify, which authenticator should be used to handle the request.
1052 STAT_NO_PROV_PASSWORD_DEFINED The user account has no static password to encrypt the activation code If no Local Authentication or Back-End Authentication is done during an activation request, a static password is required from the user account. The password is used to encrypt the activation code.
1053 STAT_NO_DP_FOR_ASSIGN No authenticator was available for assignment No available authenticator was found for the Provisioning Register request. The authenticator must be capable of activation and meet the authenticator restrictions in the policy settings if any.
1054 STAT_GEN_ACTIVATION_CODE Error generating activation code Generation of an activation code for provisioning failed. More specific details may be found in the OneSpan Authentication Server Framework error codes.
1055 STAT_READING_SVF Error reading SVF data  

1060

STAT_SIGNATURE_INCORRECT The Signature failed validation The verification of a signature failed. Note that this can also happen if a score-based authenticator application returns success (valid OTP) with a score warning. More specific details may be found in the OneSpan Authentication Server Framework error codes.
1061 STAT_SIGNATURE_REPLAY The Signature has already been used

This status code occurs specifically when a signature is rejected because it has already been used. It may also occur when the signature has not been used but is older than the most recently used signature.

This behavior depends on the effective Online Signature Level Policy setting.

1062 STAT_DP_NOT_HOSTCONF_CAPABLE A Host/Confirmation Code is required but the authenticator Application is not able to generate it

For an authentication request, a host code was required to be returned. The authenticator application for which the OTP was validated was not capable of generating a host code.

For a signature validation request, a confirmation code was required to be returned. The authenticator application for which the signature was validated was not capable of generating a confirmation code.

The .dpx file that was used to import the authenticator application controls whether the host or confirmation code can be generated.

1070 STAT_CHANGE_ENCRYPTED_PASSWORD Error while process changed encrypted static password  
1090 STAT_MISSING_BACKEND_PROTOCOL INPUT missing: Back-End Protocol ID The back-end server group is missing a back-end protocol ID.
1100 STAT_ERROR_GENERATE_REGISTRATION_ID The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to generate the registration identifier.
1101 STAT_ERROR_GENERATE_ACTIVATION_PASSWORD The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to generate the activation password.
1102 STAT_REGISTERID_NOT_IN_CACHE The matching registration identifier could not be found in the provisioning system cache.
1103 STAT_FAIL_ENCRYPT_ACTIVATION_CODE The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to encrypt the activation data.
1104 STAT_FAIL_VERIFY_SERVER_NONCE The encrypted server nonce received from the client could not be validated.
1105 STAT_FAIL_BIND_DEVICE

 

This status code is returned in those cases:

  • The authenticator is already bound to a device.
  • The device cannot be bound.
  • The activation data cannot be generated.
1107 STAT_FAIL_BIND_DEVICE_NOT_SUPPORTED The authenticator does not support device binding.
1108 STAT_NO_APPLICABLE_DP_FOUND No authenticator with the required properties could be found.  
1120 STAT_NOTIFICATION_DELIVERY_FAILED A notification for delayed activation could not be sent, because no destination attribute is specified in the user account.

In addition, an audit message W-009002 is recorded.

1121 STAT_USER_SYNC_FAILED User information attribute synchronization failed.

In addition, an audit message W-016004 is recorded.

1122 STAT_BACKEND_PASSWORD_FAIL_STRENGTH_CHECK The password does not comply with the strength rules of the back end.

The following are violations of the password strength rules:

  • Password length is incorrect.
  • Password does not contain a sufficient number of unique characters.
  • The same password has already been used (too) recently.
  • The password does not comply with any other of the password policy requirements.
1123 STAT_DATA_RECORD_VERSION_UNSUPPORTED Data migration is enabled, but the migration subsystem is unable to handle the data record. This usually happens if the record data version is unsupported. In addition, an audit message E-013004 is recorded.
1124 STAT_DATA_RECORD_MIGRATION_FAILED Data migration is enabled, but the migration subsystem cannot migrate the data record. This usually happens if the data migration failed due to an error. In addition, an audit message E-013003 is recorded.
1126 STAT_CANCEL The server is shutting down and has sent the request to cancel the operation.  
1127 STAT_USER_CANCEL The operation was canceled by the user. When the user cancels the authentication on the client-side, the relevant authentication command is failed, and this status code is returned.
1128 STAT_NEEDS_APPROVAL The operation is pending and awaiting approval by an entitled administrator (maker–checker authorization). If the respective command has been executed the first time, in addition, an audit message I-030010 is recorded.
1129 STAT_WRONG_ADMIN An administrator other than the one who scheduled a pending operation request attempted to finally execute the approved pending operation. Only the administrator who initially created the pending operation can complete it. In addition, an audit message I-001003 is recorded.
1132 STAT_SUCCESSOR_NOT_FOUND No successor user was found. The specified successor user was not found. This usually happens when a user account is deleted, and existing items should be assigned to a non-existent successor user.
3001 STAT_DP_CHALLENGE An authenticator challenge was returned This status code is the standard code used when a challenge is issued and does not indicate any kind of error.
3002 STAT_NO_CHALLENGE No challenge was identified for the authentication A response to a challenge was given, but no challenge could be found. The most likely reason for this to occur is that the challenge is too old and has been removed from the challenge cache. It can also occur if no challenge key was supplied to identify the challenge.
3003 STAT_BACKEND_CHALLENGE Back-end authentication returned a Challenge This occurs when a RADIUS server responds with an Access-Challenge, in environments where OneSpan Authentication Server can handle this kind of response.
5001 STAT_NOT_IN_GROUPS The user failed the Windows Group Check

OneSpan Authentication Server did not handle an authentication request because the Windows group check failed. This can occur when the effective Windows group check option is Pass requests for users not in listed groups back to host system.

Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy.

5002 STAT_NO_LOCAL_OR_BACKEND_AUTH Neither local nor back-end authentication done due to policy and/or user settings

OneSpan Authentication Server decided not to handle an authentication request because the effective Local Authentication and Back-End Authentication settings were both None.

Note that the effective settings are the effective settings of the policy, unless the user account overrides the policy.

5003 STAT_DP_EXIST_AS_DIFF_TYPE The authenticator exists as different authenticator type

The authenticator used exists as a different authenticator type in the system.