search cancel

Error : 400 - 401 Web Agent reverse proxy bad request

book

Article ID: 228515

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When running a Web Agent, often it returns to browser 400 bad request
or 401 unauthorized messages.

 

Cause

 

The Web Agent authenticate the user and authorize it, but the backend
server sends the error 400 and 401 :

fiddler.saz :

Line 9 :

POST https://myproxy.mydomain.com/siteminderagent/forms/login.fcc
user=myuser&password=mypassword&target=https%3A%2F%2Fmyproxy.mydomain.com%2FmyApp%2Fmylogin

  HTTP/1.1 302 Found
  Date: Tue, 26 Oct 2021 14:59:10 GMT
  Server: Apache
  Location: https://myproxy.mydomain.com/myApp/mylogin

Line 10 :

GET https://myproxy.mydomain.com/myApp/mylogin

  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:11 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  WWW-Authenticate: Basic realm=""
  SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]  path=/; domain=.mydomain.com

Line 11 :

GET https://myproxy.mydomain.com/myApp/mylogin
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]
  
  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:13 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgoniQQ1B [...]

access.log :
  
  10.147.180.221 - myuser [26/Oct/2021:16:59:11 +0200] "GET
  /myApp/mylogin HTTP/1.1" 401 - 1076193

error.log :
  
  [Tue Oct 26 16:59:08.274164 2021] [proxy_http:error] [pid 85043:tid 139874367616768]
  (70007)The timeout specified has expired: [client 10.0.0.1:51157] AH02608:
  read request body failed to 10.0.0.2:7815 (myotherserver.mydomain.com) from 10.0.0.1 ()
  
  [26/Oct/2021:16:59:57] [Information] SiteMinder Agent
          SiteMinder agent is enabled.
  [26/Oct/2021:16:59:57] [Information] SiteMinder Agent
          Configuration file path:
          '/opt/CA/webagent/conf/.WebAgent.conf'.

webagent1.log :

  [131341/2751461120][Tue Oct 26 2021 17:04:25][CSmHttpPlugin.cpp:2332][WARNING]
  [sm-HTTPAgent-00190] Unable to process SMSESSION cookie.
          
webagent2.log :
          
  [85043/218044160][Tue Oct 26 2021 17:05:15][CSmHttpPlugin.cpp:2332][WARNING]
  [sm-HTTPAgent-00190] Unable to process SMSESSION cookie.          
  


Looking at other 401 errors, the server Microsoft-HTTPAPI/2.0 returns
the error code 401 :

Line 19 :

GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:14 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  WWW-Authenticate: Basic realm=""

Line 20 :

GET https://myproxy.mydomain.com/myApp/myimages/myimage1.gif
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 401 Unauthorized
  Date: Tue, 26 Oct 2021 14:59:15 GMT
  Server: Microsoft-HTTPAPI/2.0
  WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAVgo [...]

About the error 400, the server Microsoft-HTTPAPI/2.0 returns the
error too :

Line 52 :

GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 400 Bad Request
  Date: Tue, 26 Oct 2021 14:59:18 GMT
  Server: Microsoft-HTTPAPI/2.0
  Content-Length: 0
  Connection: close

Line 53 :

GET https://myproxy.mydomain.com/myApp/myapi
SMSESSION=Zes/dwsq+1kWqEHJKrewzC2aBXopBBd [...]

  HTTP/1.1 400 Bad Request
  Date: Tue, 26 Oct 2021 14:59:18 GMT
  Server: Microsoft-HTTPAPI/2.0

 

 

Environment

 

  Web Agent 12.52SP1CR10 on Apache 2.4.43 on RedHat 7;
  Policy Server 12.8 on RedHat 7;

  Web Agent proxy url: https://myproxy.mydomain.com/myApp/  
  Application url: https://mybackend.mydomain.com/myApp/

 

Resolution

 

- Investigate the Server Microsoft-HTTPAPI/2.0 and its application the
  reason of requesting additional Windows Authentication, and why it
  sends bad request 400 error to fix this issue;