Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Enumeration in Login Facility



The web application returned different responses when a valid and invalid username was submitted through the login form.

By means of username guessing techniques or an automated username brute-force script an attacker can gain a list of valid users for the application, meaning they only then require a password to gain unauthorized access.

The login page identified was susceptible to username enumeration, providing a different permissive error response when a valid username was used.

User is on SSO login screen.

Error Messages

"Error authenticating testuser: This user must use external authentication".

Steps to Reproduce

The application uses external authentication:

1. Enter an invalid operator name and password on login screen. The error says "The information you entered was not recognized".
3. Enter a valid operator Id, that is, external authentication box ticket on operator id record) testuser & invalid password.
The error says "Error authenticating testuser: This user must use external authentication".

Root Cause

A defect in Pegasystems’ code or rules.


Apply HFix-33378.

Published April 25, 2017 - Updated October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us