diff --git a/internal/outpost/flow/executor.go b/internal/outpost/flow/executor.go
index d62fdc8af..778464a9b 100644
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@@ -213,7 +213,7 @@ func (fe *FlowExecutor) solveFlowChallenge(depth int) (bool, error) {
 switch ch.GetComponent() {
 case string(StageAccessDenied):
- return false, errors.New("got ak-stage-access-denied")
+ return false, nil
 }
 if ch.GetType() == "redirect" {
 return true, nil
diff --git a/internal/outpost/ldap/bind/direct/direct.go b/internal/outpost/ldap/bind/direct/direct.go
index f4a95aa58..db8a7e7b0 100644
--- a/internal/outpost/ldap/bind/direct/direct.go
+++ b/internal/outpost/ldap/bind/direct/direct.go
@@ -70,6 +70,16 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 Session: fe.GetSession(),
 }
 db.si.SetFlags(req.BindDN, flags)
+ if err != nil {
+ metrics.RequestsRejected.With(prometheus.Labels{
+ "outpost_name": db.si.GetOutpostName(),
+ "type": "bind",
+ "reason": "flow_error",
+ "app": db.si.GetAppSlug(),
+ }).Inc()
+ req.Log().WithError(err).Warning("failed to execute flow")
+ return ldap.LDAPResultInvalidCredentials, nil
+ }
 if !passed {
 metrics.RequestsRejected.With(prometheus.Labels{
 "outpost_name": db.si.GetOutpostName(),
@@ -80,16 +90,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 req.Log().Info("Invalid credentials")
 return ldap.LDAPResultInvalidCredentials, nil
 }
- if err != nil {
- metrics.RequestsRejected.With(prometheus.Labels{
- "outpost_name": db.si.GetOutpostName(),
- "type": "bind",
- "reason": "flow_error",
- "app": db.si.GetAppSlug(),
- }).Inc()
- req.Log().WithError(err).Warning("failed to execute flow")
- return ldap.LDAPResultOperationsError, nil
- }
 access, err := fe.CheckApplicationAccess(db.si.GetAppSlug())
 if !access {
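Review bot: The `StageAccessDenied` branch in `solveFlowChallenge` (executor.go) now returns `false, nil` without recording anything, so a policy denial reaches callers as an ordinary non-passing result. In the direct binder on this page that result falls into the `!passed` branch and is logged as `Invalid credentials`, which makes denied-by-policy binds indistinguishable from wrong passwords in the audit trail. I would emit a log entry naming the component before returning, and add a comment such as `// access denied is an expected outcome, not an execution error; callers see passed == false`. Other callers that relied on the error to detect a denial are outside this diff and worth checking. The function body starts and ends outside the hunk.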
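Review bot: In `DirectBinder.Bind` (direct.go, hunk at -70), both rejection branches, including the new `err != nil` one, run after `db.si.SetFlags(req.BindDN, flags)`, so a bind whose flow errored or did not pass still stores the flow session under that bind DN. Whether later operations consult those flags is not visible here, but per-DN state is safer written only after a successful bind; consider moving the `SetFlags` call below the `!passed` check, or resetting the entry in each rejection branch. Separately, the new branch answers `LDAPResultInvalidCredentials` for executor failures, so clients will see a backend outage as a wrong password. If that uniform response is deliberate, a one-line comment saying so, and pointing operators at the `flow_error` metric label and the warning log, would keep it from being "fixed" back later. Bind's body starts and ends outside the hunk.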