Running a Policy Server and when this one cannot authenticate a user, the smauthreason is always set to 0 even if the User Store gives back the reason why the user cannot be authenticated:

smaccess.log:

    AuthReject <PolicyServer> [25/Jan/2021:11:32:16 +0100] "10.0.0.1 <user1>" "<app> GET /" [] [0] TSS7100E 001 J=<user1> A=xxxx T=EXAMPLE F=COM - Acid Suspended TSS7141E Use of Accessor ID Suspended [] []
    AuthReject <PolicyServer> [19/Jan/2021:10:42:13 +0100] "10.0.0.1 <user2>" "<app> GET /" [] [0] TSS7100E 007 J=<user2> A=xxxx T=EXAMPLE F=COM - Password Missing TSS7102E Password Missing [] []

    [...]
    
The User Directory has been configured as per documentation (1).

Why does the Policy Server always return the smAuthReason as 0?

TSS as User Store has some limitations.

As per documentation, integration of Siteminder with TSS doesn't allow the use of password services (2).

When looking at the smaccess log above, all messages are related to account state and password:

  Password Missing TSS7102E Password Missing
  Incorrect Password TSS7101E Password is Incorrect
  Password Violation Threshold Exceeded
  Password Has Expired. New Password Missing
  Password is Incorrect

  Incorrect Password TSS7101E Password is Incorrect TSS7100E Excessive
  PW Violations TSS7120E Password Violation Threshold Exceeded Acid
  Suspended TSS7141E Use of Accessor ID Suspended

The SmAuthReason = 0 means that the user needs to login. As out of the box Policy Server doesn't handle the different situation regarding the state of the account to redirect to password services (smpwservices.fcc), then this is as expected to see the smauthreason being 0.

The "failed authentication" is related to the password and as such the password services. Without password services, if the password is not the expected one, the only possible next step for the user is to come back to the login page. And this is what the product does out of the box.

The errors seen are related to password state (3).

1. Configure a CA LDAP Server for z/OS User Directory Connection
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/user-directories/configure-a-ca-ldap-server-for-z-os-user-directory-connection.html
   
   
2. CA LDAP Server for z/OS does not support the following features:
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/user-directories/configure-a-ca-ldap-server-for-z-os-user-directory-connection.html
   
   
3. TSS7141E
   https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os-messages/1-0/tss-messages/tss7100e-to-tss7199a/tss7141e.html