HTTPs endpoint alias web service call with load balancing

Hi I’m trying to configure an https web service call between two IS and a load balancer.

The way it is setup is that server A and B are providers for a given web service. Server C is running code to consume the webservice.

  1. I have setup a user through central user management that belongs to a security group.
  2. I created an ACL on both server A and B and have included the groups into those ACLs.
  3. I have given security permissions for execute on the web service provider.
  4. For an initial test, we have setup an https endpoint alias on server C to point to server A (and another test with B). All certificates are configured and the new user is used.

–> When invoked, everything works perfectly

  1. I switch the endpoint alias to the load balancing server URL

–> When invoked, I get the following error :

[ISC.0064.9314] Authorization Required: [ISS.0084.9001] Invalid credentials

I have tried changing the user to Administrator but get the same result.

I am suspecting that the load balancer is not simply doing a passthrough to the IS servers behind. There seems to be a piece of the puzzle missing but I can’t figure quite what it is.

Any ideas out there?


Are the 2 Internal IS’s in clustered configuration with all same configuration and ACL’s (assuming both servers jdbc pool pointed to the same user/db)?


when you see the [ISS.0084.9001] Invalid credentials error on C, do you see anything similar error on either A or B?
If not, most likely the LB is trying to authenticate the client.
Check with your LB guy.

Also what is the ACL on the WSD’s for Read and ExecuteACL?? Can you change it to Anonymous and try it again:


Hi Guys, thanks for your answers.

  1. Yes, both internal IS are pointing to the same user db.
  2. I’m not seeing any logs (error, server, etc. on servers A or B which seems to indicate that the LB is not behaving as expected.
  3. ACLs on Read is set to Anonymous, I changed the Execute to Anonymous as well but get the same error.

This is really looking like a LB configuration issue. I’ll have to follow-up on that.

Is there a way to configure the LB so that it does not to try to authenticate the client and simply pass the request to the servers behind?