Error : 400 - 401 Web Agent reverse proxy bad request
Article ID: 228515
Updated On:
Products
SITEMINDER
CA Single Sign On Agents (SiteMinder)
Issue/Introduction
When running a Web Agent, often it returns to browser 400 bad request
or 401 unauthorized messages.
Cause
The Web Agent authenticate the user and authorize it, but the backend
server sends the error 400 and 401 :
fiddler.saz :
Line 9 :
POST https://myproxy.mydomain.com/siteminderagent/forms/login.fcc
user=myuser&password=mypassword&target=https%3A%2F%2Fmyproxy.mydomain.com%2FmyApp%2Fmylogin
HTTP/1.1 302 Found
Date: Tue, 26 Oct 2021 14:59:10 GMT
Server: Apache
Location: https://myproxy.mydomain.com/myApp/mylogin
Line 10 :
GET https://myproxy.mydomain.com/myApp/mylogin
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:11 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...] path=/; domain=.mydomain.com
Line 11 :
GET https://myproxy.mydomain.com/myApp/mylogin
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:13 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgoniQQ1B [...]
access.log :
10.147.180.221 - myuser [26/Oct/2021:16:59:11 +0200] "GET
/myApp/mylogin HTTP/1.1" 401 - 1076193
error.log :
[Tue Oct 26 16:59:08.274164 2021] [proxy_http:error] [pid 85043:tid 139874367616768]
(70007)The timeout specified has expired: [client 10.0.0.1:51157] AH02608:
read request body failed to 10.0.0.2:7815 (myotherserver.mydomain.com) from 10.0.0.1 ()
[26/Oct/2021:16:59:57] [Information] SiteMinder Agent
SiteMinder agent is enabled.
[26/Oct/2021:16:59:57] [Information] SiteMinder Agent
Configuration file path:
'/opt/CA/webagent/conf/.WebAgent.conf'.
webagent1.log :
[131341/2751461120][Tue Oct 26 2021 17:04:25][CSmHttpPlugin.cpp:2332][WARNING]
[sm-HTTPAgent-00190] Unable to process SMSESSION cookie.
webagent2.log :
[85043/218044160][Tue Oct 26 2021 17:05:15][CSmHttpPlugin.cpp:2332][WARNING]
[sm-HTTPAgent-00190] Unable to process SMSESSION cookie.
Looking at other 401 errors, the server Microsoft-HTTPAPI/2.0 returns
the error code 401 :
Line 19 :
GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:14 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""
Line 20 :
GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:15 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgo [...]
About the error 400, the server Microsoft-HTTPAPI/2.0 returns the
error too :
Line 52 :
GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 400 Bad Request
Date: Tue, 26 Oct 2021 14:59:18 GMT
Server: Microsoft-HTTPAPI/2.0
Content-Length: 0
Connection: close
Line 53 :
GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 400 Bad Request
Date: Tue, 26 Oct 2021 14:59:18 GMT
Server: Microsoft-HTTPAPI/2.0
Environment
Web Agent 12.52SP1CR10 on Apache 2.4.43 on RedHat 7;
Policy Server 12.8 on RedHat 7;
Web Agent proxy url: https://myproxy.mydomain.com/myApp/
Application url: https://mybackend.mydomain.com/myApp/
Resolution
- Investigate the Server Microsoft-HTTPAPI/2.0 and its application the
reason of requesting additional Windows Authentication, and why it
sends bad request 400 error to fix this issue;
Feedback
Yes
No
Powered by
