LJ, I think that disabled means disabled. It doesn't mean anything else. :)
You make a good point about the error message, but that's easy to solve - re-use the existing user/password error. But actually, I think it's fairly well accepted that it's safe to tell a user their account is disabled [and please call the service desk].

Once upon a time, I saw a flow chart of all the possible combinations of AR System authentication. The BMC chap presenting it had about four slides of spider diagrams. I suspect the real reason that it's hard to add an if statement is that the code for authentication has morphed into something no-one ever wants to touch, with all the edge cases you discuss (guest users, etc).

But there's a good solution - remove it all, remove the legacy features, remove chaining, and implement AREA or AR System. I'm not even sure I'd allow "guest users" to persist, but there are a couple of SSO Plugin customers who use it.

John