The status codes from -1 downwards match the Error Codes above.
1000 The credentials were invalid General-purpose failure due to invalid username or password, when a more specific status is unavailable.
1002 The user failed the Windows Group Check
The IAS Plug-In rejected an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, reject others.
Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1004 The challenge has expired A response to challenge has been given, but the expiration time for the challenge has expired. The default expiration time is one minute, however this can be configured in the
configuration file VASCO/AAL3/Authlib/Challenge-Cache/Max-Age setting (in seconds).
1005 The user does not have permission to perform the specified action
General-purpose failure of an administration command when the administrator does not have sufficient privileges to carry out the command.
1007 The user account is locked The Digipass User Account is Locked. This is normally due to consecutive login failures, as determined by the Policy setting User Lock Threshold. Alternatively the administrator can actively lock the account.
To unlock the User account, an administrator has to uncheck the Locked checkbox on the User record.
1008 The One Time Password has already been used
This status code occurs specifically when an OTP is rejected because it has already been used. It may also occur when the OTP has not been used but is older than the most recently used OTP.
This can sometimes happen when an authentication request is re-sent automatically.
1009 The user account is disabled The Digipass User Account is Disabled. This may be because the administrator has actively disabled the account, or because the corresponding Windows User account has become disabled or expired.
1010 No user account was found An authentication request was rejected because no Digipass User account was found and Local Authentication is required by the Policy.
1011 The static password was incorrect As part of Local Authentication, verification of the static password failed.
Digipass Plug-In for IAS Administrator Reference Error and Status Codes
Status Code
Message Notes
1012 The One Time Password was incorrect Verification of the OTP failed. More specific details may be found in the VACMAN Controller error code and message.
1013 The challenge was invalid A response to a challenge was given, but the challenge was not the latest one issued for that Digipass. This is controlled by the Check Challenge Policy setting.
1014 The Digipass Grace Period has expired A User attempted to log in with their static password, but their Grace Period had already expired. They have to use a Digipass to log in.
If they do not have their Digipass yet, the administrator will have to allow them more time by modifying the Grace Period End date on their Digipass record.
1015 Backup Virtual Digipass is not allowed A User attempted to request a Backup Virtual Digipass OTP, but they were not permitted. This would normally occur when either:
The effective Backup VDP Enabled setting is Yes – Time Limited, and the Digipass Backup VDP Enabled Until date is the current date or before.
The Digipass Backup VDP Uses Remaining counter has reached 0.
In both cases, administrator intervention is required to permit the User to continue to use Backup Virtual Digipass. The Enabled Until or Uses Remaining limits need to be increased to permit this.
Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass record overrides the Policy.
1016 The Digipass is not available A User attempted Self-Assignment, but the Digipass they requested either could not be found within the search scope or was already assigned to someone else.
This may occur because of a mistyped Serial Number.
Otherwise, the search scope may be incorrect or the Digipass may not be in the correct location to be made available to the User. See the Location of Digipass Records section in the Product Guide.
1017 The user account has no mobile number for Virtual Digipass
A User requested a Primary or Backup Virtual Digipass OTP, but it could not be delivered because the User account had no mobile phone number. In Active Directory this is the first Mobile No. on the record.
1018 No password was supplied for a Virtual Digipass login
A User attempted a Virtual Digipass login, but did not enter a password in the second stage of the login. See 9.1.4 Virtual Digipass for more information.
1020 Local authentication failed General-purpose failure of Local Authentication when a more specific status code is not available. Additional information should provide more specific details.
1021 Back-end authentication reported that the password has expired
Back-End Authentication (eg. Windows) failed because the password was correct but it has expired.
1022 Back-end authentication failed Back-End Authentication (eg. Windows) failed. A specific error code and message will accompany this record.
1030 The policy was invalid An authentication request was rejected because the applicable Policy had invalid settings or failed to load. This should not occur, but is possible due to the delay in Active Directory replication for example. The two main ways in which a Policy can become invalid are:
One or more choice list settings are Default in the Policy,
Digipass Plug-In for IAS Administrator Reference Error and Status Codes
Status Code
Message Notes
Policy A inherits from Policy B; Policy B inherits from Policy C; Policy C inherits from Policy A.
The Policy must be fixed in order for authentication to be permitted using that Policy.
1031 The policy does not allow a self-assignment attempt
A User attempted Self-Assignment, but it is not permitted under the Policy.
1032 Hashed passwords cannot be verified by Windows
An authentication request could not be processed successfully because Back-End Authentication using Windows was required, but the User's password was hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based protocol is used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that utilize a one-way hash of the password entered by the User.
Note that the effective Back-End Authentication setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1033 A Digipass must be used The effective Local Authentication setting is Digipass Only and the User tried to log in with a static password.
Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1034 Challenge/Response is not supported by CHAP-based protocols
Challenge/Response is only supported in RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol – this includes CHAP, CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols.
1035 Challenge/Response is not supported by Windows 2000
This status code can only occur in the Digipass Plug-In for IAS.
There is a product limitation on Windows 2000 only that Challenge/Response is not supported. It will occur if the User attempted to request a challenge.
3001 A Digipass Challenge was returned This status code is the standard code when a challenge is issued and does not indicate any kind of error.
5001 The user failed the Windows Group Check
The IAS Plug-In decided not to handle an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, pass others through.
In this case, IAS will process the request itself using other authentication methods.
Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
5002 Neither local nor back-end
authentication was done due to policy and/or user settings
The IAS Plug-In decided not to handle an authentication request because the effective Local Authentication and Back-End Authentication settings were both None.
In this case, IAS will process the request itself using other authentication methods.
Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User Account overrides the Policy.
Table 41: Status Code List
Digipass Plug-In for IAS Administrator Reference Technical Support