Status codes

Mis à jour le 08 Jan 2025
13 Minutes à lire

Partager
Sombre
Lumière
PDF

The content is currently unavailable in French. You are viewing the default English version.

Résumé de l’article

Avez-vous trouvé ce résumé utile ?

Merci pour vos commentaires

Status codes provide additional information if an operation failed, and help to identify common reasons for authentication failures.

Table: Status codes
Status code	Status message	Description	Notes
0		No error
<all negative codes>		<Error Code>	The status codes from –1 downwards match to a corresponding error code.
1000	STAT_INVCREDENTIALS	The credentials were invalid	General-purpose error due to invalid user name or password, when a more specific status is unavailable. If the Use Generic Authentication Status Codes policy setting is active, this status is always returned, even if more specific status information is available. The following status codes will be mapped: 1007 1009 1010 1011 1012 1023 1025 1033 The real status code and message will still be visible in the audit and trace messages.
1002	STAT_GROUPCHK	The user failed the Windows Group Check	The OneSpan Authentication Server rejected an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, reject others. Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy.
1004	STAT_EXP_CHALLENGE	The challenge has expired	A response to challenge has been given, but the expiration time for the challenge has expired. The default expiration time is one minute, however this can be configured in the configuration file VASCO/Challenge-Cache/Max-Age setting (in seconds).
1005	STAT_PERMISSION	The user does not have permission to perform the specified action	General-purpose failure of an administration command when the administrator does not have sufficient privileges to carry out the command.
1006	STAT_LOCALAUTH	The authenticator authentication library is not responsible for this authentication
1007	STAT_LOCKED	The user account is locked	The user account is locked. This is normally due to consecutive login failures, as determined by the policy setting User Lock Threshold. Alternatively, the administrator can actively lock the account. To unlock the user account, an administrator has to uncheck the Locked check box on the user record.
1008	STAT_REPLAY	The one-time password has already been used	This status code occurs specifically when an OTP is rejected because it has already been used. It may also occur when the OTP has not been used but is older than the most recently used OTP. This can sometimes happen when an authentication request is re-sent automatically.
1009	STAT_DISABLED	The user account is disabled	The user account is disabled. This may be because the administrator has actively disabled the account, or because the corresponding Windows user account has become disabled or expired.
1010	STAT_USER_UNKNOWN	No user account was found	An authentication request was rejected because no user account was found and the policy requires local authentication.
1011	STAT_LOCAL_PASSWORD_MISMATCH	The static password was incorrect	As part of local authentication, verification of the static password failed.
1012	STAT_OTP_INCORRECT	The one-time password was incorrect	The verification of an OTP failed. Note that this can also happen if a score-based authenticator application returns success (valid OTP) with a score warning. More specific details may be found in the VACMAN Controller error code and message.
1013	STAT_CHALLENGE_INVALID	The challenge was invalid	A response to a challenge was given, but the challenge was not the latest one issued for that authenticator. This is controlled by the Check Challenge Policy setting.
1014	STAT_GRACE_PERIOD_EXPIRED	The authenticator grace period has expired	A user attempted to log in with the static password, but the grace period had already expired. The authenticator must be used to log in. If they do not have their authenticator yet, the administrator will have to allow them more time by modifying the Grace Period End date in their authenticator record.
1015	STAT_BVDP_NOT_ALLOWED	Backup Virtual Mobile Authenticator is not allowed	A user attempted to request a backup Virtual Mobile Authenticator OTP, but they were not permitted. This would normally occur when either: The effective backup Virtual Mobile Authenticator enabledsetting is Yes – Time Limited, and the backup Virtual Mobile Authenticator Enabled Until date is the current date or before. The backup Virtual Mobile Authenticator Uses Remaining counterhas reached 0. In both cases, administrator intervention is required to permit the user to continue to use backup Virtual Mobile Authenticator. The Enabled Until or Uses Remaining limits need to be increased to permit this. Note that the effective setting is the effective setting of the policy, unless the authenticator record overrides the policy.
1016	STAT_DIGIPASS_NOT_AVAILABLE	The authenticator is not available	A user attempted Self-Assignment, but the authenticator they requested either could not be found within the search scope or was already assigned to someone else. This may occur because of a mistyped Serial Number. Otherwise, the search scope may be incorrect, or the authenticator may not be in the correct location to be made available to the user. For more information, refer to the OneSpan Authentication Server Product Guide, Section "DIGIPASS Records Location".
1017	STAT_INVALID_MDC_SETTINGS / STAT_INVALID_VDP_SETTINGS	The user account has no mobile number for Virtual Mobile Authenticator	A user requested a primary or backup Virtual Mobile Authenticator OTP, but it could not be delivered because the user account had no mobile phone number. In Active Directory this is the first mobile number in the record.
1018	STAT_VDP_PASSWORD_MISSING	No password was supplied for a Virtual Mobile Authenticator login	A user attempted a Virtual Mobile Authenticator login, but did not enter a password in the second stage of the login. For more information, see 2-step Virtual Mobile Authenticator logon.
1019	STAT_CONFIRM_PASSWORD_MISMATCH	The new password confirmation failed	In a password change request, the new password was not confirmed correctly.
1020	STAT_LOCAL_AUTH_REJECT	Local authentication failed	General-purpose failure of Local Authentication when a more specific status code is not available. Additional information should provide more specific details.
1021	STAT_BACKEND_PWD_EXPIRED	Back-end authentication reported that the password has expired	Back-End Authentication (e.g. Windows) failed because the password was correct but it has expired.
1022	STAT_BACKEND_REJECT_STORED_PASS	Back-end authentication failed	Back-End Authentication (e.g. Windows) failed. A specific error code and message will accompany this record.
1023	STAT_BACKEND_REJECT_SUPPLIED_PASS	Back-end authentication failed with supplied password
1024	STAT_PASSWORD_FAIL_STRENGTH_CHECK	The static password does not meet the password complexity rules. Verify your OneSpan Authentication Server policy settings.	The following are violations of the password strength rules: Password length is incorrect. Password does not contain a sufficient number of unique characters. The same password has already been used (too) recently. The password does not comply with any other of the password policy requirements.
1025	STAT_DIGIPASS_EXPIRED	The authenticator has expired.
1026	STAT_PASSWORD_EXPIRED	The static password for local authentication in mode DIGIPASS or Password has expired.	The user attempted to login but the static password has expired.
1030	STAT_INVALID_POLICY	The policy was invalid	An authentication request was rejected because the applicable policy had invalid settings or failed to load. This should not occur, but is possible due to the delay in Active Directory replication for example. The two main ways in which a policy can become invalid are: One or more choice list settings are Default in the policy, and its parent policy if it has one. A circular chain of Policies has been created, for example: Policy A inherits from Policy B; Policy B inherits from Policy C; Policy C inherits from Policy A. The policy must be fixed for authentication to be permitted using that policy.
1031	STAT_SELF_ASSIGN_DISABLED	The policy does not allow a self-assignment attempt	A user attempted Self-Assignment, but it is not permitted under the policy.
1032	STAT_HASH_PWDS_DISALLOWED	Hashed passwords cannot be verified by Windows	An authentication request could not be processed successfully because Back-End Authentication using Windows was required, but the user's password was hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based protocol is used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that utilize a one-way hash of the password entered by the user. Note that the effective back-end authentication setting is the effective setting of the policy, unless the user account overrides the policy.
1033	STAT_DIGIPASS_MUST_BE_USED	An authenticator must be used	The effective Local Authentication setting is Digipass Only and the user tried to log in with a static password. Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy.
1034	STAT_NO_CHALLRESP_FOR_CHAP	Challenge/Response is not supported by CHAP-based protocols	Challenge/Response is only supported in RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols.
1035	STAT_NO_CHALLRESP_FOR_W2K / STAT_NO_CHALLRESP_FOR_W_2_K	Challenge/Response is not supported by Windows 2000	This status code can only occur in the authenticator plug-in for Microsoft Internet Authentication Service. For Windows 2000 a product limitation inhibits the support of the Challenge/Response mode. This will occur if the user has attempted to request a challenge.
1036	STAT_1STEP_CR_DISABLED / STAT_1_STEP_CR_DISABLED	1-Step Challenge/Response is disabled	A request was made to generate a random challenge for 1-step Challenge/Response, but the applicable policy does not have 1-step Challenge/Response enabled or does not specify the challenge length and check digit indicator.
1037	STAT_AUTOLEARN_DISABLED	Password Autolearn is disabled	A request was made to update a user's stored password, but password autolearn is disabled, so the update is not permitted. Password autolearn must be enabled for the password update request to be processed.
1038	STAT_SOURCE_LOCATION_MISMATCH	The administration session ID is not known at this location	An administration command has been received, but the internal session ID is not recognized at the location from which the command came. This can only occur by attempting to reuse a session ID from another location.
1039	STAT_ADMIN_SESSION_STOPPED	The administration session is no longer active	An administration command has been received, but the session has stopped or is unrecognized. This can occur due to an idle timeout, a maximum session length timeout or a restart of OneSpan Authentication Server.
1040	STAT_NO_CHALLRESP_FOR_PWDPROXY	Back-end authentication returned a Challenge that cannot be handled	This can occur when OneSpan Authentication Server forwards a request to a RADIUS Server and the RADIUS Server responds with an Access-Challenge. An Access-Challenge can only be handled when OneSpan Authentication Server forwards the password unmodified to the RADIUS Server. If OneSpan Authentication Server verifies an OTP and forwards the static password to the RADIUS Server, it is not possible to handle an Access-Challenge from the RADIUS Server. It can also occur if you use RADIUS Back-End Authentication for a Microsoft IIS Module. In that case, Access-Challenge is not supported from the RADIUS Server.
1041	STAT_DIGIPASS_NOT_FOUND	No authenticator was found for the given Serial Number	During a Self-Assignment attempt, the serial number provided by the user was not found in the data store. This mainly occurs when the serial number is entered incorrectly. It can also occur because the authenticator record is not in the user's domain or organizational unit.
1042	STAT_NO_BACKEND_FOR_SELF_ASSIGN	Self-Assignment was attempted but Back-End Authentication did not occur to authenticate the static password	Self-Assignment is not allowed without Back-End Authentication. This is required to validate the static password.
1050	STAT_REACTIV_NOT_ALLOWED	Reactivation is not allowed	A reactivation attempt was refused for one of the following reasons: The authenticator has already been activated from the maximum number of allowed locations. This limit is controlled by the configuration setting Max Locations of the provisioning scenario. The maximum number of allowed activation attempts has already been reached. This limit is controlled by the Provisioning Scenario configuration setting Max Attempts. The minimum time interval required between activation attempts has not yet been reached since the last activation attempt. This limit is controlled by the configuration setting Min Interval of the provisioning scenario.
1051	STAT_TOO_MANY_DIGIPASS	Multiple authenticators found where a single authenticator was required	An activation attempt was made where the user had two or more authenticators that could be used. The activation request did not specify, which authenticator should be used to handle the request.
1052	STAT_NO_PROV_PASSWORD_DEFINED	The user account has no static password to encrypt the activation code	If no Local Authentication or Back-End Authentication is done during an activation request, a static password is required from the user account. The password is used to encrypt the activation code.
1053	STAT_NO_DP_FOR_ASSIGN	No authenticator was available for assignment	No available authenticator was found for the Provisioning Register request. The authenticator must be capable of activation and meet the authenticator restrictions in the policy settings if any.
1054	STAT_GEN_ACTIVATION_CODE	Error generating activation code	Generation of an activation code for provisioning failed. More specific details may be found in the OneSpan Authentication Server Framework error codes.
1055	STAT_READING_SVF	Error reading SVF data
1060	STAT_SIGNATURE_INCORRECT	The Signature failed validation	The verification of a signature failed. Note that this can also happen if a score-based authenticator application returns success (valid OTP) with a score warning. More specific details may be found in the OneSpan Authentication Server Framework error codes.
1061	STAT_SIGNATURE_REPLAY	The Signature has already been used	This status code occurs specifically when a signature is rejected because it has already been used. It may also occur when the signature has not been used but is older than the most recently used signature. This behavior depends on the effective Online Signature Level Policy setting.
1062	STAT_DP_NOT_HOSTCONF_CAPABLE	A Host/Confirmation Code is required but the authenticator Application is not able to generate it	For an authentication request, a host code was required to be returned. The authenticator application for which the OTP was validated was not capable of generating a host code. For a signature validation request, a confirmation code was required to be returned. The authenticator application for which the signature was validated was not capable of generating a confirmation code. The .dpx file that was used to import the authenticator application controls whether the host or confirmation code can be generated.
1070	STAT_CHANGE_ENCRYPTED_PASSWORD	Error while process changed encrypted static password
1090	STAT_MISSING_BACKEND_PROTOCOL	INPUT missing: Back-End Protocol ID	The back-end server group is missing a back-end protocol ID.
1100	STAT_ERROR_GENERATE_REGISTRATION_ID	The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to generate the registration identifier.
1101	STAT_ERROR_GENERATE_ACTIVATION_PASSWORD	The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to generate the activation password.
1102	STAT_REGISTERID_NOT_IN_CACHE	The matching registration identifier could not be found in the provisioning system cache.
1103	STAT_FAIL_ENCRYPT_ACTIVATION_CODE	The Digipass Software Advanced Provisioning Protocol (DSAPP) server failed to encrypt the activation data.
1104	STAT_FAIL_VERIFY_SERVER_NONCE	The encrypted server nonce received from the client could not be validated.
1105	STAT_FAIL_BIND_DEVICE		This status code is returned in those cases: The authenticator is already bound to a device. The device cannot be bound. The activation data cannot be generated.
1107	STAT_FAIL_BIND_DEVICE_NOT_SUPPORTED	The authenticator does not support device binding.
1108	STAT_NO_APPLICABLE_DP_FOUND	No authenticator with the required properties could be found.
1120	STAT_NOTIFICATION_DELIVERY_FAILED	A notification for delayed activation could not be sent, because no destination attribute is specified in the user account.	In addition, an audit message W-009002 is recorded.
1121	STAT_USER_SYNC_FAILED	User information attribute synchronization failed.	In addition, an audit message W-016004 is recorded.
1122	STAT_BACKEND_PASSWORD_FAIL_STRENGTH_CHECK	The password does not comply with the strength rules of the back end.	The following are violations of the password strength rules: Password length is incorrect. Password does not contain a sufficient number of unique characters. The same password has already been used (too) recently. The password does not comply with any other of the password policy requirements.
1123	STAT_DATA_RECORD_VERSION_UNSUPPORTED	Data migration is enabled, but the migration subsystem is unable to handle the data record. This usually happens if the record data version is unsupported.	In addition, an audit message E-013004 is recorded.
1124	STAT_DATA_RECORD_MIGRATION_FAILED	Data migration is enabled, but the migration subsystem cannot migrate the data record. This usually happens if the data migration failed due to an error.	In addition, an audit message E-013003 is recorded.
1126	STAT_CANCEL	The server is shutting down and has sent the request to cancel the operation.
1127	STAT_USER_CANCEL	The operation was canceled by the user.	When the user cancels the authentication on the client-side, the relevant authentication command is failed, and this status code is returned.
1128	STAT_NEEDS_APPROVAL	The operation is pending and awaiting approval by an entitled administrator (maker–checker authorization).	If the respective command has been executed the first time, in addition, an audit message I-030010 is recorded.
1129	STAT_WRONG_ADMIN	An administrator other than the one who scheduled a pending operation request attempted to finally execute the approved pending operation. Only the administrator who initially created the pending operation can complete it.	In addition, an audit message I-001003 is recorded.
1132	STAT_SUCCESSOR_NOT_FOUND	No successor user was found.	The specified successor user was not found. This usually happens when a user account is deleted, and existing items should be assigned to a non-existent successor user.
3001	STAT_DP_CHALLENGE	An authenticator challenge was returned	This status code is the standard code used when a challenge is issued and does not indicate any kind of error.
3002	STAT_NO_CHALLENGE	No challenge was identified for the authentication	A response to a challenge was given, but no challenge could be found. The most likely reason for this to occur is that the challenge is too old and has been removed from the challenge cache. It can also occur if no challenge key was supplied to identify the challenge.
3003	STAT_BACKEND_CHALLENGE	Back-end authentication returned a Challenge	This occurs when a RADIUS server responds with an Access-Challenge, in environments where OneSpan Authentication Server can handle this kind of response.
5001	STAT_NOT_IN_GROUPS	The user failed the Windows Group Check	OneSpan Authentication Server did not handle an authentication request because the Windows group check failed. This can occur when the effective Windows group check option is Pass requests for users not in listed groups back to host system. Note that the effective setting is the effective setting of the policy, unless the user account overrides the policy.
5002	STAT_NO_LOCAL_OR_BACKEND_AUTH	Neither local nor back-end authentication done due to policy and/or user settings	OneSpan Authentication Server decided not to handle an authentication request because the effective Local Authentication and Back-End Authentication settings were both None. Note that the effective settings are the effective settings of the policy, unless the user account overrides the policy.
5003	STAT_DP_EXIST_AS_DIFF_TYPE	The authenticator exists as different authenticator type	The authenticator used exists as a different authenticator type in the system.

Cet article vous a-t-il été utile ?

What's Next

OneSpan Web Configuration Tool (admintool)