In order to allow users to handle other AD-specific error codes, we should expose this information to them.
I have to raise this issue as a bug because ActiveDirectoryLdapAuthenticationProvider is a final class, which means I cannot extend it to write my own version to get around the problem.
In more detail, in the 'bindAsUser' function, if a user logs in with an account in PASSWORD_NEEDS_RESET status (a very common situation), they receive a misleading exception ("BadCredentialsException"). Looking closely at handleBindException, Spring Security only tries to translate some of the exception messages into specific exceptions. In other cases, it reports a plain BadCredentialsException without any message codes. Therefore, it would be great if in the next release someone could change ActiveDirectoryLdapAuthenticationProvider to a normal public class or just add a new exception type to catch PASSWORD_NEEDS_RESET.
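As an added example (not part of this issue and not Spring Security's own code), the translation step discussed above written as a standalone Java class: it pulls the AD sub-code out of the bind failure message and maps PASSWORD_NEEDS_RESET, and a few other standard AD sub-codes, to a distinct outcome instead of a generic bad-credentials failure. The class and method names, the sample messages and the sub-code table are assumptions; the issue text itself only names PASSWORD_NEEDS_RESET.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Standalone sketch of the "translate the AD bind error" step; not Spring Security's own code. */
public final class AdBindErrorTranslator {

    /** Outcome of a failed bind; the caller decides which of these to show the user and which to log only. */
    public enum BindFailure { BAD_CREDENTIALS, PASSWORD_NEEDS_RESET, PASSWORD_EXPIRED, ACCOUNT_LOCKED, UNKNOWN }

    // Standard AD AcceptSecurityContext sub-codes (assumed here; the issue text only names PASSWORD_NEEDS_RESET).
    private static final int USERNAME_NOT_FOUND = 0x525;
    private static final int INVALID_PASSWORD = 0x52e;
    private static final int PASSWORD_EXPIRED = 0x532;
    private static final int PASSWORD_NEEDS_RESET = 0x773;
    private static final int ACCOUNT_LOCKED = 0x775;

    // AD embeds the sub-code as "data <hex>" in the bind error text, e.g. "... error, data 773, v1db1".
    private static final Pattern SUB_ERROR = Pattern.compile("data\\s+([0-9a-fA-F]{3,4})");

    /** Pulls the hex sub-code out of the bind failure message, if one is present. */
    public static Optional<Integer> subErrorCode(String message) {
        if (message == null) return Optional.empty();
        Matcher m = SUB_ERROR.matcher(message);
        return m.find() ? Optional.of(Integer.parseInt(m.group(1), 16)) : Optional.empty();
    }

    /** Maps the sub-code to a distinct outcome instead of collapsing everything into bad credentials. */
    public static BindFailure translate(String message) {
        Optional<Integer> code = subErrorCode(message);
        if (!code.isPresent()) {
            return BindFailure.UNKNOWN; // no AD sub-code at all: nothing to translate, keep generic handling
        }
        switch (code.get()) {
            case USERNAME_NOT_FOUND:
            case INVALID_PASSWORD:     return BindFailure.BAD_CREDENTIALS;
            case PASSWORD_NEEDS_RESET: return BindFailure.PASSWORD_NEEDS_RESET;
            case PASSWORD_EXPIRED:     return BindFailure.PASSWORD_EXPIRED;
            case ACCOUNT_LOCKED:       return BindFailure.ACCOUNT_LOCKED;
            default:                   return BindFailure.UNKNOWN;
        }
    }

    public static void main(String[] args) {
        // Constructed messages in the shape AD returns on a failed simple bind.
        String prefix = "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data ";
        System.out.println(translate(prefix + "773, v1db1"));
        System.out.println(translate(prefix + "52e, v1db1"));
        System.out.println(translate("Connection reset"));
    }
}
```

Sub-codes that the table does not list fall through to UNKNOWN, so a caller can keep the existing generic BadCredentialsException path for them while still getting a distinct result for the reset case.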