We're running a Policy Server to serve a SDK Custom Authentication Scheme and when users try to authenticate, the Custom Authentication Scheme fails.

There is nothing in the Policy Server trace pointing to the Custom Authentication Scheme failing.

How can we investigate such issue? 

Using the SDK Custom Authentication Scheme template, when logon is successful, policy server reports 2 lines of code when doing the authentication :
 
  SmDsUser.cpp:239 returns 1
  SmAuthUser.cpp:957 returns 0

and when authentication fails due to a bad password, we get 

  SmDsUser.cpp:239 returns 0
  SmAuthUser.cpp:957 returns -1

Enable full Policy Server traces (Profiler) and set debug code in the Custom Authentication Scheme in order to understand why the user is not able to get authenticated by the Custom Authentication Scheme.

The Full policy server template in addition to the custom Auth scheme trace will provide the needed details to understand where the transaction is failing.

Below is a sample of full policy server trace template.

components: AgentFunc, Server, IsProtected, Login_Logout, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC, LDAP, IdentityMinder, TXM, Fed_Server, DLP
data: Date, Time, PreciseTime, ResponseTime, Throughput, MaxThroughput, MinThroughput, SessionID, Pid, Tid, TransactionID, TransactionName, ObjectClass, Action, DomainOID, SearchKey, CertDistPt, CertSerial, SubjectDN, IssuerDN, RequestIPAddr, SrcFile, Function, AgentName, AgentType, Resource, Domain, Realm, Policy, AuthScheme, AuthReason, AuthStatus, Rule, Directory, Group, User, UserDN, IPAddr, IPPort, Expression, Result, Returns, ReturnValue, ErrorValue, ErrorString, ActiveExpr, CallDetail, Query, Data, ObjectOID, Property, RealmOID, State, RefCount, Message, ClusterID, CacheHits, CacheSize, ExecutionTime, SessionSpec, HandleCount, FreeHandleCount, BusyHandleCount, Threshold
version: 1.1