Thanks so much for the prompt reply.
We have enabled the HTTP access log on the console. I do see separate access.log files produced for all the requests, but all those entries tell me is that there was a 401 for a specific user machine IP; it is not telling me the root cause. (We currently have the log level set to NOTICE. Server folks complained about excessive logging when it was set to DEBUG previously. I can request DEBUG mode again if that helps.)
I have captured the HTTP headers in Fiddler, but because this problem happens so intermittently I have only been able to capture a good request and a bad request twice so far. (I cannot really run Fiddler for other users, and it has only happened to me once or twice.) I really cannot tell the difference regarding what is missing. I can see that there are 4 cookies in both cases (WL_Authcookie_jSessionID-Myappname, BIGipServerMYAPPNAME_HTTPS, JSESSIONID_MYappname, knotice_t). Of the two bad requests I have, one has all 4 cookies and in the other I see WL_Authcookie_jSessionID-Myappname is missing. So there is no pattern that I can detect.
Yes, we do use a load balancer in front of the WebLogic servers. I tweaked the NTLM connection pooling setting recently based on the advice of the network folks (I am not sure how it processes the NTLM token behind the scenes). We use Kerberos authentication (the app server making the request to the LDAP server). I have checked the Kerberos ticket, which is set to a 10 hr expiration timeout. I set my Kerberos logging to DEBUG mode and am watching the SecurityATN logs to see if it is Kerberos authentication that is failing. There is no "authorization denied" in the logs. Here too, because we use single sign-on, a single service account first logs into LDAP (this always succeeds, as I can see an entry in the logs). But it makes a subsequent query for the individual userID (if successful I see the LDAP groups it brings back for some users; if it fails I don't see any results entry in the logs). Here too I am at a loss because it is not consistent for each user.
I am still unsure if it is the browser not sending the right cookies, Kerberos ticket authentication failing, or the LDAP calls failing. Hope that explains it a bit better.
I have checked the headers and Auth value in Fiddler much more closely. The majority of the time the browser is sending data as Negotiate (which is understandable considering that we are using Kerberos authentication). At least once or twice I have seen the browser sending Basic authentication. Not sure what causes the browser to switch the type of authentication, but when I look at the Basic Authenticate string, I parsed it and it DOES have the correct username/password credentials. But when Basic credentials are passed the system failed to authenticate and kept prompting for the userID. I am still struggling to understand why the failure (or the cause) is not logged on the WebLogic server anywhere even though I set every log level to debug mode.
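To compare captured good and bad requests systematically, here is an added Python helper (not the poster's code) that parses a raw Fiddler header block, names the Authorization scheme (and, for Negotiate, whether the token is a Kerberos/SPNEGO token or an NTLM one, which matters given the NTLM pooling change), and lists which of the four cookies named above are missing. The captures and tokens below are constructed samples, not real traffic.

```python
import base64

# Cookie names the post lists as present on a good request.
EXPECTED_COOKIES = {"WL_Authcookie_jSessionID-Myappname", "BIGipServerMYAPPNAME_HTTPS",
                    "JSESSIONID_MYappname", "knotice_t"}

def parse_headers(raw: str) -> dict:
    """Turn a raw request header block (as copied from Fiddler) into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # line 0 is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_auth(value: str) -> str:
    """Name the Authorization scheme; for Negotiate, tell a Kerberos/SPNEGO token from NTLM."""
    scheme, _, token = value.partition(" ")
    scheme = scheme.lower() or "none"
    if scheme != "negotiate":
        return scheme
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "negotiate-malformed"
    if blob.startswith(b"NTLMSSP\x00"):  # NTLM signature: the browser fell back to NTLM, not Kerberos
        return "negotiate-ntlm"
    if blob[:1] == b"\x60":  # ASN.1 [APPLICATION 0] tag: GSS-API/SPNEGO (Kerberos) token
        return "negotiate-kerberos"
    return "negotiate-unknown"

def triage(raw: str) -> dict:
    """Report the auth scheme and which expected cookies a captured request lacks."""
    h = parse_headers(raw)
    names = {c.partition("=")[0].strip() for c in h.get("cookie", "").split(";") if c.strip()}
    return {"auth": classify_auth(h.get("authorization", "")),
            "missing_cookies": sorted(EXPECTED_COOKIES - names)}

# Constructed captures; tokens are dummy bytes carrying only the leading signature, not real credentials.
ALL_COOKIES = "WL_Authcookie_jSessionID-Myappname=a; BIGipServerMYAPPNAME_HTTPS=b; JSESSIONID_MYappname=c; knotice_t=d"
GOOD = "GET /myapp/ HTTP/1.1\nAuthorization: Negotiate YIIGAgYJKoZIhvcSAQIC\nCookie: " + ALL_COOKIES
BAD_NTLM = "GET /myapp/ HTTP/1.1\nAuthorization: Negotiate TlRMTVNTUAABAAAA\nCookie: " + ALL_COOKIES
BAD_BASIC = ("GET /myapp/ HTTP/1.1\nAuthorization: Basic dXNlcjpwYXNz\n"
             "Cookie: BIGipServerMYAPPNAME_HTTPS=b; JSESSIONID_MYappname=c; knotice_t=d")
```

Running triage() over each saved capture and tabulating the result next to the access.log status code shows whether the 401s line up with NTLM fallback, Basic fallback, or a dropped cookie.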