HTTPS endpoint alias web service call with load balancing

Hi, I’m trying to configure an HTTPS web service call between two IS and a load balancer.

The way it is set up is that servers A and B are providers for a given web service. Server C is running code to consume the web service.

  1. I have set up a user through central user management that belongs to a security group.
  2. I created an ACL on both server A and B and have included the groups into those ACLs.
  3. I have given security permissions for execute on the web service provider.
  4. For an initial test, we have set up an HTTPS endpoint alias on server C to point to server A (and another test with B). All certificates are configured and the new user is used.

→ When invoked, everything works perfectly

  5. I switch the endpoint alias to the load balancing server URL

→ When invoked, I get the following error:

[ISC.0064.9314] Authorization Required: [ISS.0084.9001] Invalid credentials

I have tried changing the user to Administrator but get the same result.

I am suspecting that the load balancer is not simply doing a passthrough to the IS servers behind. There seems to be a piece of the puzzle missing but I can’t quite figure out what it is.

Any ideas out there?

Thanks.
F.

Are the 2 internal ISs in a clustered configuration, with all the same configuration and ACLs (assuming both servers’ JDBC pools are pointed to the same user/db)?

HTH,
RMG

When you see the [ISS.0084.9001] Invalid credentials error on C, do you see any similar error on either A or B?
If not, most likely the LB is trying to authenticate the client.
Check with your LB guy.

Also, what is the ACL on the WSDs for Read and ExecuteACL? Can you change it to Anonymous and try it again?

HTH,
RMG

Hi Guys, thanks for your answers.

  1. Yes, both internal IS are pointing to the same user db.
  2. I’m not seeing any logs (error, server, etc.) on servers A or B, which seems to indicate that the LB is not behaving as expected.
  3. The ACL on Read is set to Anonymous; I changed the Execute to Anonymous as well but get the same error.

This is really looking like an LB configuration issue. I’ll have to follow up on that.

Is there a way to configure the LB so that it does not try to authenticate the client and simply passes the request to the servers behind?
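
Added example, not part of the thread: one way to test the reasoning above, that a 401 with no matching log entry on A or B was issued by the load balancer rather than by a provider. It compares the 401 received through the LB with a baseline 401 obtained directly from a provider; the function names, header values and sample responses are constructed placeholders.

```python
# Constructed sample responses (placeholders, not captured from any real product).
DIRECT_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Basic realm="backend-realm"\r\n'
              "Server: backend-placeholder\r\n\r\n")
VIA_LB_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Basic realm="lb-realm"\r\n'
              "Server: lb-placeholder\r\n"
              "Content-Length: 0\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, lowercased-header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def fingerprint(raw):
    """Return (status, server, auth_scheme, realm) identifying who built the response."""
    status, headers = parse_response(raw)
    scheme, _, params = headers.get("www-authenticate", "").partition(" ")
    realm = None
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "realm":
            realm = value.strip('"')
    return status, headers.get("server"), scheme.lower(), realm

def who_issued_401(via_lb_raw, direct_raw, backend_logged_request):
    """Classify the origin of a 401 seen through the load balancer.

    direct_raw is a baseline 401 taken straight from a provider;
    backend_logged_request is whether A or B logged the failing call.
    """
    lb, backend = fingerprint(via_lb_raw), fingerprint(direct_raw)
    if lb[0] != 401:
        return "not-an-auth-failure"
    same_origin = lb[1:] == backend[1:]
    if same_origin and backend_logged_request:
        return "backend"        # request arrived, credentials were rejected there
    if not same_origin and not backend_logged_request:
        return "load-balancer"  # challenge was generated before reaching A or B
    return "inconclusive"       # evidence disagrees; capture traffic on both sides

if __name__ == "__main__":
    # The situation described in the thread: nothing logged on A or B.
    print(who_issued_401(VIA_LB_401, DIRECT_401, backend_logged_request=False))
```

A "backend" result through the LB, when the direct call succeeds, points at credentials or headers being altered in transit rather than at the ACLs.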