Forum Discussion

ktm_2000's avatar
Icon for Altostratus rankAltostratus
Nov 14, 2023

Customizing logon error messages


I've putting a MFA logon process and am trying to figure out how to customize the error messages a person sees when they are inputting OTP values.   

I started off with the default workflow AD Query auth by OTP email and resources template.    I setup the workflow and tested it out and it works great creating,  emailing and validating an OTP response.       Me being a results oriented person thought it was GREAT as it seems to work flawlessly.   

I am obviously ill informed as my QA team determined it was a show stopper failure because if you enter the wrong response you get back "Incorrect username or password" and the error message has nothing to do with the entry of the OTP response.   Their thoughts were that our customers would think they put in the wrong PW at the first logon screen and that the OTP response was fine,  thus would generate a service call.

I logged onto the site here today and used email as my OTP and intentionally entered the wrong OTP code and it came back with an entry stating that the value didn't match records.   It seems like messages can be customized and I've found videos on where to go look under general customization and AAA Errors.

I've been tearing through the customization and found under my policy and error message\AAA Errors there is an entry which corresponds with the message  "Incorrect username or password" but it seems to me that it is also the error message when you enter an incorrect PW.    I quickly tested and if I modify the message under AAA errors,   it impacts regular logon screens as well as the OTP response.

I have looked at the advanced customization code for the logon screen and there are references there to error code numbers but there is nothing that maps out to which AAA error message which would be displayed,  so I am at a loss as to how specific messages are called via the code.

I am looking for the easiest way to customize this,  how can I put a specific error code message for that logon screen and only that logon screen?

thanks in advance

3 Replies

  • This configuration does apply to the whole access policy, so you'll have to get creative if you want the message to be different for different logon agents.

    One way might be to use session variables. See how some of the message text boxes have stuff like %{session.whatever}? Those are APM session variables that you can write any data you want into. So write some text to a session variable right before your logon page agent, in a "variable assign", like this:

    Then use that session variable in the text response customization, like this:


    This way you can re-assign any text you like to that variable depending on your context.


  • so I interpreted your post as look at the session variables for a user after they put in an incorrect OTP response.

    so I did a test,  logged in with PW correct,  then put in incorrect OTP response and then checked session variables.    I see as 1000 and session.otp.verify.last.errmsg as OTP_Mismatch.

    I have been looking throughout the advanced customization code and cannot find any references to error code 1000.      I also find no code relating to OTP_Mismatch.

    I get the concept that you are mentioning here get the error, set it to something different via session variables and get a different result.     My problem here is that how would one know what error codes relate to?    If you go under basic customization,  there are error codes and the text associated with them.    The key thing is that the error codes are text and not number based,   there is no visible column which relates the text to a number.

    I'm guessing that this forum is protected by a F5 and that if you put in your PW wrong,  you get one message,   if you then put in your OTP wrong you get another message.   So the results I am looking for have to be possible.       Is there a way to talk with the person(s) who setup the logon policy to understand how they got around having different error messages for each use case?

  • Ah ok great sleuthing, sounds like you found the variable that contains your error: session.otp.verify.last.errmsg

    So, all you have to do is set the text to be "Invalid Login. OTP error: %{session.otp.verify.last.errmsg}", and then when APM displays the error to the user, it will be dynamically generated from the authentication agent.