We are using WebLogic Server 10.3.5 (Oracle WebLogic 11g) with 22.214.171.124 version framework. Our application is a portal framework application written in JDeveloper 126.96.36.199. We are using basic authentication with a global application role defined in the domain. NTLogin is passed by IE 8 to the app server and it queries Active Directory to check whether the user is eligible to view the page (there is no explicit login page for this app). Intermittently, for no apparent reason, a user will get prompted for login (a message box with a "this webserver xxx needs username and password" kind of pop-up), and even if the user enters his NTLogin credentials it will not accept them and the user gets a 401 Unauthorized. The only way to get out of it is to kill all the browsers, clear the cache and relaunch the app. Nothing in the server logs indicates where the failure is occurring. (It will show an entry for the 401 after the failure.) Application traffic is SSL enabled. It cannot be an AD credentials failure because the user was using the application a few minutes before. Is it possible that WLAuthcookie_sessionID is lost or expired for any reason? How do I find out whether it is the browser not passing the right info, or what, if anything, is being passed incorrectly? We are totally new to the WebLogic world. I am going through the Admin server logs, managed server logs and access.log. I set SecurityATN to debug mode so I see a lot of traffic, but I still don't see an explicit failure cause. (We have 7000 users, so it is very hard to look for one failure.) The problem is very intermittent but happens enough times for the users to give us a bad reputation. Desperately looking for some ideas. Thanks
You can enable debug HTTP and check the application server logs. Also capture the HTTP headers using any tool, such as ieHTTPHeaders or Fiddler.
Do you have a load balancer in front of the WebLogic server? How do you process the NTLM token? Can you please share all these details?
Thanks so much for prompt reply.
We have enabled the HTTP access log on the console. I do see separate access.log files produced for all the requests, but all those entries tell me is that there was a 401 for a specific user machine IP; they do not tell me the root cause. (We currently set the log level to NOTICE. The server folks complained about excessive logging when it was set to DEBUG mode previously. I can request DEBUG mode again if that helps.)
I have captured the HTTP headers in Fiddler, but because this problem happens so intermittently I was only able to capture a good request and a bad request twice so far. (I cannot really run Fiddler for other users and it only happened to me once or twice.) I really cannot tell the difference regarding what is missing. I can see that there are 4 cookies in both cases (WL_Authcookie_jSessionID-Myappname, BIGipServerMYAPPNAME_HTTPS, JSESSIONID_MYappname, knotice_t). Of the two bad requests I have, one has all 4 cookies and in the other I see WL_Authcookie_jSessionID-Myappname is missing. So there is no pattern that I can detect.
Yes, we do use a load balancer in front of the WebLogic servers. I tweaked the NTLM connection pooling setting recently based on the advice of the network folks (I am not sure how it processes the NTLM token behind the scenes). We use Kerberos authentication (the app server making the request to the LDAP server). I have checked the Kerberos ticket, which is set to a 10 hr expiration timeout. I set my Kerberos logging to DEBUG mode and am watching the SecurityATN logs to see if it is Kerberos authentication that is failing. There is no "authorization denied" in the logs. Here too, because we use single sign-on, a single service account first logs into LDAP (this always succeeds, as I can see an entry in the logs). But it makes a subsequent query for the individual userID (if successful I see the LDAP groups it brings back for some users; on failure I don't see any results entry in the logs). Here too I am at a loss because it is not consistent for each user.
I am still unsure if it is the browser not sending the right cookies, or Kerberos ticket authentication failing, or the LDAP calls failing. Hope that explains it a bit better.
I have checked the headers and Auth value in Fiddler much more closely. The majority of the time the browser is sending data as Negotiate (which is understandable considering that we are using Kerberos authentication). At least once or twice I have seen the browser sending Basic authentication. Not sure what causes the browser to switch the type of authentication, but when I look at the Basic Authenticate string, I parsed it and it DOES have the correct username/password credentials. But when Basic credentials are passed the system failed to authenticate and kept prompting for the userID. I am still struggling to understand why the failure (or the cause) is not logged on the WebLogic server anywhere even though I set every log level to debug mode.
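The comparison of good and bad captures described in this thread can be scripted. The following is an added example, not part of any post: it names the mechanism in each request's Authorization header (Basic, SPNEGO inside Negotiate, or raw NTLM) and lists which of the four cookies from the thread are absent. The function names, host, user and sample requests are constructed for illustration.

```python
import base64

# Cookie names as listed in the thread's Fiddler captures.
EXPECTED_COOKIES = {"WL_Authcookie_jSessionID-Myappname", "BIGipServerMYAPPNAME_HTTPS",
                    "JSESSIONID_MYappname", "knotice_t"}

def parse_headers(raw):
    """Parse raw request text (request line plus headers) into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_auth(value):
    """Name the mechanism in an Authorization header; never return a password."""
    scheme, _, token = value.partition(" ")
    scheme = scheme.lower()
    try:
        blob = base64.b64decode(token.strip())
    except ValueError:
        return f"{scheme}/undecodable"
    if scheme == "basic":
        return "basic(user=%s)" % blob.decode("utf-8", "replace").partition(":")[0]
    if scheme in ("negotiate", "ntlm"):
        if blob.startswith(b"NTLMSSP\x00"):
            return f"{scheme}/ntlm"          # raw NTLM token, not a Kerberos ticket
        if blob[:1] == b"\x60":              # GSS-API token header (SPNEGO/Kerberos)
            return "negotiate/spnego"
        return f"{scheme}/unknown"
    return scheme or "none"

def summarize(raw):
    """Report the auth mechanism and which expected cookies the browser omitted."""
    h = parse_headers(raw)
    sent = {c.split("=", 1)[0].strip() for c in h.get("cookie", "").split(";") if c.strip()}
    return {"auth": classify_auth(h.get("authorization", "")),
            "missing_cookies": sorted(EXPECTED_COOKIES - sent)}

b64 = lambda data: base64.b64encode(data).decode()
# Constructed sample requests (host, user and token bytes are made up).
GOOD = ("GET /app/ HTTP/1.1\r\nHost: app.example.test\r\n"
        "Authorization: Negotiate " + b64(b"\x60\x82\x01\x00" + b"x" * 8) + "\r\n"
        "Cookie: WL_Authcookie_jSessionID-Myappname=a; BIGipServerMYAPPNAME_HTTPS=b; "
        "JSESSIONID_MYappname=c; knotice_t=d\r\n")
BAD = ("GET /app/ HTTP/1.1\r\nHost: app.example.test\r\n"
       "Authorization: Basic " + b64(b"jdoe:placeholder") + "\r\n"
       "Cookie: BIGipServerMYAPPNAME_HTTPS=b; JSESSIONID_MYappname=c; knotice_t=d\r\n")
```

Running `summarize` over every request in an exported session, grouped by response status, shows whether the 401s line up with a change of mechanism or with a missing cookie, without writing any password to the output.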