Forum Discussion

f5dev01_152726
Jan 12, 2017

Password change rejected behavior in a custom login page

I have a custom login page in an access policy. When a user's password has expired, they're prompted to change it. If they attempt to use a previous password, the AD module fails and the login page is reset. The $errorcode variable is 1000, which is generic and doesn't tell me that the password failed due to reuse. Is there anything I can do to inform the user of this? I would like to display a message on the login page if I could. session.ad.last.errmsg is "Password change rejected(4), result string: (4)" which isn't the most user friendly error message. I did some digging and it seems that the "4" probably refers to KRB5_KPASSWD_SOFTERROR, which is "request fails due to a 'soft' error in processing the request".

Is there an event in an iRule I could handle? I looked at HTTP_RESPONSE yesterday, but isn't the whole page built by then? I tried setting session.logon.page.challenge to 1 if "Password change rejected" was found in session.ad.last.errmsg in both the HTTP_RESPONSE and HTTP_REQUEST_DATA events in an iRule, which worked, but the login page's $challenge variable is 0, so I'm assuming it was too late in the event lifecycle.

I could look for "Password change rejected" in my login page PHP, but session variables are evaluated too late to change how the page is displayed.

Running out of ideas. Anyone out there have other ideas for me?

Thanks in advance!
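The string the poster found in session.ad.last.errmsg ("Password change rejected(4), result string: (4)") can be mapped to a fixed, user-facing message instead of being echoed to the browser as-is. The following is an added Python illustration of that mapping; it is not iRule code and not part of the original thread. The numeric code names come from the Kerberos change-password protocol (RFC 3244, section 2); the errmsg samples are constructed, and the "recently used or policy" wording for code 4 is an interpretation of the poster's observation, not something the protocol result guarantees.

```python
import re

# Result codes of the Kerberos change-password protocol (RFC 3244, section 2).
# The "(4)" in the poster's session.ad.last.errmsg matches KRB5_KPASSWD_SOFTERROR.
KPASSWD_RESULTS = {
    0: "KRB5_KPASSWD_SUCCESS",
    1: "KRB5_KPASSWD_MALFORMED",
    2: "KRB5_KPASSWD_HARDERROR",
    3: "KRB5_KPASSWD_AUTHERROR",
    4: "KRB5_KPASSWD_SOFTERROR",
    5: "KRB5_KPASSWD_ACCESSDENIED",
    6: "KRB5_KPASSWD_BAD_VERSION",
    7: "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
}

# Fixed user-facing text. Only these strings ever reach the login page; the raw
# errmsg (which names the server's internal result) stays in the APM logs.
# Assumption: a soft error on password change means the new password was
# refused by domain policy (history, length, complexity, minimum age).
USER_MESSAGES = {
    4: ("Your new password was not accepted by the domain. It may have been "
        "used recently or may not meet the domain's length, complexity or "
        "minimum-age rules. Please choose a different password."),
}
GENERIC_MESSAGE = ("The password could not be changed. Please try again or "
                   "contact your helpdesk.")

# Matches the format the poster reported:
# "Password change rejected(4), result string: (4)"
_REJECTED_RE = re.compile(r"Password change rejected\((\d+)\)")


def parse_kpasswd_result(errmsg):
    """Return the numeric kpasswd result code embedded in an AD errmsg, or None
    when the message is empty or not a password-change rejection."""
    if not errmsg:
        return None
    m = _REJECTED_RE.search(errmsg)
    return int(m.group(1)) if m else None


def result_name(code):
    """Symbolic RFC 3244 name for logging; UNKNOWN for anything unlisted."""
    return KPASSWD_RESULTS.get(code, "UNKNOWN")


def user_message(errmsg):
    """Pick the message to show on the login page. Unknown or unparseable
    results fall back to a generic string so nothing server-side leaks."""
    code = parse_kpasswd_result(errmsg)
    if code is None:
        return GENERIC_MESSAGE
    return USER_MESSAGES.get(code, GENERIC_MESSAGE)


if __name__ == "__main__":
    # Constructed sample values for session.ad.last.errmsg (not captured data).
    samples = [
        "Password change rejected(4), result string: (4)",
        "Password change rejected(5), result string: (5)",
        "",
        "Authentication failed",
    ]
    for sample in samples:
        code = parse_kpasswd_result(sample)
        print(f"{sample!r} -> {result_name(code)} | {user_message(sample)}")
```

In a deployment the same lookup would sit wherever the session variable is readable before the page renders (an iRule in Tcl, or the login-page customization); the design point is that the code is mapped to a fixed string and the raw errmsg is only logged, never displayed.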