Error : 400 - 401 Web Agent reverse proxy bad request
Article ID: 228515
Updated On:
Products
SITEMINDER
CA Single Sign On Agents (SiteMinder)
Issue/Introduction
When running a Web Agent, often it returns to browser 400 bad request
or 401 unauthorized messages.
Environment
Web Agent 12.52SP1CR10 on Apache 2.4.43 on RedHat 7;
Policy Server 12.8 on RedHat 7;
Web Agent proxy url: https://myproxy.mydomain.com/myApp/
Application url: https://mybackend.mydomain.com/myApp/
Cause
The Web Agent authenticate the user and authorize it, but the backend
server sends the error 400 and 401 :
fiddler.saz :
Line 9 :
POST https://myproxy.mydomain.com/siteminderagent/forms/login.fcc
user=myuser&password=mypassword&target=https%3A%2F%2Fmyproxy.mydomain.com%2FmyApp%2Fmylogin
HTTP/1.1 302 Found
Date: Tue, 26 Oct 2021 14:59:10 GMT
Server: Apache
Location: https://myproxy.mydomain.com/myApp/mylogin
Line 10 :
GET https://myproxy.mydomain.com/myApp/mylogin
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:11 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...] path=/; domain=.mydomain.com
Line 11 :
GET https://myproxy.mydomain.com/myApp/mylogin
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:13 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgoniQQ1B [...]
access.log :
10.147.180.221 - myuser [26/Oct/2021:16:59:11 +0200] "GET
/myApp/mylogin HTTP/1.1" 401 - 1076193
error.log :
[Tue Oct 26 16:59:08.274164 2021] [proxy_http:error] [pid 85043:tid 139874367616768]
(70007)The timeout specified has expired: [client 10.0.0.1:51157] AH02608:
read request body failed to 10.0.0.2:7815 (myotherserver.mydomain.com) from 10.0.0.1 ()
[26/Oct/2021:16:59:57] [Information] SiteMinder Agent
SiteMinder agent is enabled.
[26/Oct/2021:16:59:57] [Information] SiteMinder Agent
Configuration file path:
'/opt/CA/webagent/conf/.WebAgent.conf'.
webagent1.log :
[131341/2751461120][Tue Oct 26 2021 17:04:25][CSmHttpPlugin.cpp:2332][WARNING]
[sm-HTTPAgent-00190] Unable to process SMSESSION cookie.
webagent2.log :
[85043/218044160][Tue Oct 26 2021 17:05:15][CSmHttpPlugin.cpp:2332][WARNING]
[sm-HTTPAgent-00190] Unable to process SMSESSION cookie.
Looking at other 401 errors, the server Microsoft-HTTPAPI/2.0 returns
the error code 401 :
Line 19 :
GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:14 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""
Line 20 :
GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 401 Unauthorized
Date: Tue, 26 Oct 2021 14:59:15 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgo [...]
About the error 400, the server Microsoft-HTTPAPI/2.0 returns the
error too :
Line 52 :
GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 400 Bad Request
Date: Tue, 26 Oct 2021 14:59:18 GMT
Server: Microsoft-HTTPAPI/2.0
Content-Length: 0
Connection: close
Line 53 :
GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
HTTP/1.1 400 Bad Request
Date: Tue, 26 Oct 2021 14:59:18 GMT
Server: Microsoft-HTTPAPI/2.0
Resolution
- Investigate the Server Microsoft-HTTPAPI/2.0 and its application the
reason of requesting additional Windows Authentication, and why it
sends bad request 400 error to fix this issue;
Feedback
Yes
No
Powered by
