Trying to get CAS version 4.2.1 to recognise and respond correctly to account-state messages from an AD server (LPPE), such as "password must change" or "account is locked".
The CAS log file shows AD returning error data 773 (password must change), but CAS treats it as a failed authentication and presents the user with an Invalid Credentials message.
=========================
deployerConfigContext.xml
=========================
<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default authentication handler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<!--
| Handler-to-principal-resolver map. Every handler listed here is tried on each
| login attempt (see the anyAuthenticationPolicy alias further down).
| "primaryAuthenticationHandler" is aliased below to acceptUsersAuthenticationHandler,
| the static username/password handler, so a failed AD login also records a
| generic failure from that handler. NOTE(review): presumably the login flow
| reports whichever handler error it meets first, which could mask the LDAP
| handler's password-policy error behind a plain invalid-credentials result -
| confirm against the deployment's authentication exception handling. Removing
| the static handler from this map eliminates both that ambiguity and a set of
| static credentials from a production login path.
+-->
<util:map id="authenticationHandlersResolvers">
<entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
<entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
</util:map>
<!--
| Populators that attach metadata to a successful Authentication; from the bean
| names these record the handler that succeeded and the remember-me flag.
+-->
<util:list id="authenticationMetadataPopulators">
<ref bean="successfulHandlerMetaDataPopulator" />
<ref bean="rememberMeAuthenticationMetaDataPopulator" />
</util:list>
<!--
| LDAP/AD authentication handler. The principal id is taken from sAMAccountName,
| the bind is performed by the "authenticator" ad-authenticator declared below,
| and password-policy (LPPE) handling comes from "passwordPolicyConfiguration",
| which is aliased further down to ldapPasswordPolicyConfiguration.
| The log excerpt on this page shows this handler receiving
| accountErrors=[PASSWORD_MUST_CHANGE] and DefaultAccountStateHandler handling
| it, so the policy IS being applied here; the remaining gap is how the resulting
| account-state exception is surfaced to the user. NOTE(review): confirm that the
| login webflow's exception handling lists the password-must-change exception
| type and routes it to the change-password view rather than the generic failure.
+-->
<bean id="ldapAuthenticationHandler"
class="org.jasig.cas.authentication.LdapAuthenticationHandler"
p:principalIdAttribute="sAMAccountName"
c:authenticator-ref="authenticator"
p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration">
</bean>
<!--
| Pooled Active Directory authenticator (ldaptive). Users are located with
| ldap.authn.searchFilter under ldap.baseDn using the manager bind account, then
| authenticated with their own password.
| Security notes:
|  - useSSL defaults to false and useStartTLS has no default here; if both resolve
|    to false the user's password is sent to AD over cleartext LDAP. AD also
|    refuses password changes over an unencrypted connection, so the
|    must-change-password flow this deployment is trying to enable needs LDAPS
|    or StartTLS configured and the AD certificate trusted by the JVM.
|  - ldap.managerDn / ldap.managerPassword are a privileged bind credential held
|    in the properties file; keep that file out of version control and restrict
|    its permissions.
|  - allowMultipleDns defaults to false, so a user filter that matches more than
|    one entry is rejected instead of binding an arbitrary match; keep it that way.
|  - failFastInitialize="true" makes context startup fail if the pool cannot be
|    initialised (presumably, per the ldaptive attribute name), which surfaces
|    connectivity/TLS problems at deploy time rather than at first login.
+-->
<ldaptive:ad-authenticator id="authenticator"
ldapUrl="${ldap.url}"
userFilter="${ldap.authn.searchFilter}"
bindDn="${ldap.managerDn}"
bindCredential="${ldap.managerPassword}"
allowMultipleDns="${ldap.allowMultipleDns:false}"
connectTimeout="${ldap.connectTimeout}"
validateOnCheckOut="${ldap.pool.validateOnCheckout}"
failFastInitialize="true"
blockWaitTime="${ldap.pool.blockWaitTime}"
idleTime="${ldap.pool.idleTime}"
baseDn="${ldap.baseDn}"
maxPoolSize="${ldap.pool.maxSize}"
minPoolSize="${ldap.pool.minSize}"
validatePeriodically="${ldap.pool.validatePeriodically}"
validatePeriod="${ldap.pool.validatePeriod}"
prunePeriod="${ldap.pool.prunePeriod}"
useSSL="${ldap.use.ssl:false}"
subtreeSearch="${ldap.subtree.search:true}"
useStartTLS="${ldap.useStartTLS}" />
<!--
| Attribute repository used by the principal resolver. This is the stub DAO
| backed by the static attrRepoBackingMap below, i.e. presumably the same
| attribute set for every authenticated user rather than values read from AD.
| For an AD deployment an LDAP-backed repository is the expected replacement.
+-->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
p:backingMap-ref="attrRepoBackingMap" />
<!--
| Static attribute values handed to the stub attribute repository above.
| NOTE(review): "memberOf" is hard-wired to faculty/staff/org for every principal;
| if any relying service authorises on memberOf this grants that membership to
| anyone who can log in. Treat these as sample values and remove or replace them
| with a directory-backed source before relying on attributes for access control.
+-->
<util:map id="attrRepoBackingMap">
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
<entry>
<key><value>memberOf</value></key>
<list>
<value>faculty</value>
<value>staff</value>
<value>org</value>
</list>
</entry>
</util:map>
<!--
| Alias wiring for the core authentication, registry and policy beans.
|  - primaryAuthenticationHandler -> acceptUsersAuthenticationHandler: the static
|    user/password handler; it is registered in authenticationHandlersResolvers
|    above alongside the LDAP handler, so it is live on the login path.
|  - passwordPolicyConfiguration -> ldapPasswordPolicyConfiguration: the LPPE
|    configuration consumed by ldapAuthenticationHandler.
|  - authenticationPolicy -> anyAuthenticationPolicy: success of any one handler
|    authenticates the user; every handler is still attempted.
|  - ticketRegistry -> defaultTicketRegistry: presumably in-memory, so tickets are
|    per-node unless a shared registry is configured - confirm for clustered setups.
+-->
<alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
<alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />
<alias name="ldapPasswordPolicyConfiguration" alias="passwordPolicyConfiguration" />
<alias name="serviceThemeResolver" alias="themeResolver" />
<alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />
<alias name="defaultTicketRegistry" alias="ticketRegistry" />
<alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
<alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
<alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
<alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />
<!--
| Audit trail written through SLF4J (the "Audit trail record BEGIN" block in the
| CAS.LOG excerpt on this page comes from this bean). Records are multi-line by
| default; cas.audit.singleline=true with the given separator collapses each
| record to one line, which is easier for a SIEM to ingest.
+-->
<bean id="auditTrailManager"
class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
p:entrySeparator="${cas.audit.singleline.separator:|}"
p:useSingleLine="${cas.audit.singleline:false}"/>
<!--
| authenticationThrottle -> neverThrottle: no rate limiting of failed logins at
| CAS. Combined with an AD lockout policy (the "account is locked" case this
| deployment wants to handle) an unthrottled login form lets repeated failures
| both guess passwords and lock out legitimate accounts via CAS. Consider one of
| the IP/username-based throttle beans CAS ships in place of neverThrottle.
+-->
<alias name="neverThrottle" alias="authenticationThrottle" />
<!--
| Health monitors exposed by CAS; from the bean names these cover JVM memory and
| the ticket/session registry.
+-->
<util:list id="monitorsList">
<ref bean="memoryMonitor" />
<ref bean="sessionMonitor" />
</util:list>
<!--
| Remaining default aliases: principal factory, authentication transaction
| manager, principal election strategy and the TGC (ticket-granting cookie)
| cipher. The cookie cipher is what protects the SSO session cookie, so its
| keys belong in the properties file alongside the LDAP manager credential and
| deserve the same handling.
+-->
<alias name="defaultPrincipalFactory" alias="principalFactory" />
<alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
<alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
<alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />
</beans>
===============
CAS.LOG
===============
2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null]
2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null]
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling error PASSWORD_MUST_CHANGE
2018-03-13 15:12:52,116 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler failed authenticating user1@*****.com
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler exception details: null
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [AuthenticationTransaction] for audit
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [UsernamePasswordCredential] for audit
2018-03-13 15:12:52,116 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user1@*****.com
WHAT: Supplied credentials: [user1@*****.com]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Mar 13 15:12:52 UTC 2018
CLIENT IP ADDRESS: 192.168.0.152
SERVER IP ADDRESS: 192.168.0.11
=============================================================