search cancel

Error : 400 - 401 Web Agent reverse proxy bad request

book

Article ID: 228515

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When running a Web Agent, often it returns to browser 400 bad request
or 401 unauthorized messages.

 

Environment

 

  Web Agent 12.52SP1CR10 on Apache 2.4.43 on RedHat 7;
  Policy Server 12.8 on RedHat 7;

  Web Agent proxy url: https://myproxy.mydomain.com/myApp/  
  Application url: https://mybackend.mydomain.com/myApp/

 

Cause

 

The Web Agent authenticate the user and authorize it, but the backend
server sends the error 400 and 401 :

fiddler.saz :

Line 9 :

POST https://myproxy.mydomain.com/siteminderagent/forms/login.fcc
user=myuser&password=mypassword&target=https%3A%2F%2Fmyproxy.mydomain.com%2FmyApp%2Fmylogin

  HTTP/1.1 302 Found
  Date: Tue, 26 Oct 2021 14:59:10 GMT
  Server: Apache
  Location: https://myproxy.mydomain.com/myApp/mylogin

Line 10 :

GET https://myproxy.mydomain.com/myApp/mylogin

  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:11 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  WWW-Authenticate: Basic realm=""
  SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]  path=/; domain=.mydomain.com

Line 11 :

GET https://myproxy.mydomain.com/myApp/mylogin
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
  
  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:13 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgoniQQ1B [...]

access.log :
  
  10.147.180.221 - myuser [26/Oct/2021:16:59:11 +0200] "GET
  /myApp/mylogin HTTP/1.1" 401 - 1076193

error.log :
  
  [Tue Oct 26 16:59:08.274164 2021] [proxy_http:error] [pid 85043:tid 139874367616768]
  (70007)The timeout specified has expired: [client 10.0.0.1:51157] AH02608:
  read request body failed to 10.0.0.2:7815 (myotherserver.mydomain.com) from 10.0.0.1 ()
  
  [26/Oct/2021:16:59:57] [Information] SiteMinder Agent
          SiteMinder agent is enabled.
  [26/Oct/2021:16:59:57] [Information] SiteMinder Agent
          Configuration file path:
          '/opt/CA/webagent/conf/.WebAgent.conf'.

webagent1.log :

  [131341/2751461120][Tue Oct 26 2021 17:04:25][CSmHttpPlugin.cpp:2332][WARNING]
  [sm-HTTPAgent-00190] Unable to process SMSESSION cookie.
          
webagent2.log :
          
  [85043/218044160][Tue Oct 26 2021 17:05:15][CSmHttpPlugin.cpp:2332][WARNING]
  [sm-HTTPAgent-00190] Unable to process SMSESSION cookie.          
  


Looking at other 401 errors, the server Microsoft-HTTPAPI/2.0 returns
the error code 401 :

Line 19 :

GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:14 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  WWW-Authenticate: Basic realm=""

Line 20 :

GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:15 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgo [...]

About the error 400, the server Microsoft-HTTPAPI/2.0 returns the
error too :

Line 52 :

GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 400 Bad Request
  Date: Tue, 26 Oct 2021 14:59:18 GMT
  Server: Microsoft-HTTPAPI/2.0
  Content-Length: 0
  Connection: close

Line 53 :

GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 400 Bad Request
  Date: Tue, 26 Oct 2021 14:59:18 GMT
  Server: Microsoft-HTTPAPI/2.0

 

 

Resolution

 

- Investigate the Server Microsoft-HTTPAPI/2.0 and its application the
  reason of requesting additional Windows Authentication, and why it
  sends bad request 400 error to fix this issue;