Application response codes, login events, and errors
Learn more about HTTP response codes and troubleshooting errors.
This topic describes some of the events, HTTP response codes, login events, and errors that users may encounter when attempting to access or use an application.
EAA administrators Create an application report or Create an SSH audit report in the EAA Management Portal. The application report includes the login event and error information provided in the tables below. To learn more, see Reports.
To learn more about troubleshooting in EAA, see Troubleshooting overview and tips.
HTTP response | Description | How to troubleshoot |
---|---|---|
400 Bad Request | The application server is unable to process the request. For example, this error may occur if the end user provides an incorrect URL for the application. | Create an application report and check the application server logs. |
400 Bad Request - Request Header or Cookie Too Large | HTTP Request Header or browser cookie exceeds the configured buffer value. This error can occur if the cookies are corrupted and need to be cleared from the end user’s browser. | Clear the browser history, cache, and storied cookies, then try again. Contact support and have them review the backend NGINX configuration. The NGINX configuration can be modified to support large request headers and cookies. |
401 Authorization Required | The end user has not properly authenticated to the application. | Make sure Single sign-on (SSO) authentication is configured for the application in the EAA Management Portal. |
403 Forbidden | The end user is not allowed to access the application. | Make sure the user access information matches the configured access rule in the EAA Management Portal. To learn more see Troubleshoot application access denied. |
404 Not Found | The URL in the request cannot be found or does not exist. | Check if request URL is available in origin server. |
405 Action failed- HTTP method not allowed | The action is not supported. | If you are trying to update an SSL certificate and receive this message, you will need to upload a new certificate to EAA. Updating a pre-existing certificate is not currently supported. To learn more see Certificate-based authentication in the IdP. |
413 Request Entity Too Large | The request is too large and the application server cannot process it. |
|
414 Request-URI Too Large | The Uniform Request Identifier (URI) in the request is too large. | Create an application report and examine the logs. |
492 User Access Forbidden | The user is not authorized to access the application. | Check the user group assignment for the application. See Troubleshoot application access denied. |
493 Unsupported Browser | The HTTP request does not contain Server Name Identification (SNI). | The browser did not send the Server Name Indication (SNI) extension as part of the TLS negotiation. Check if the browser version supports SNI or try a different browser. |
494 Request Header or Cookie Too Large | HTTP Request Header is bigger than configured buffer value. The default is 4K. |
|
500 Internal Server Error | There was an unexpected issue with the server. |
|
502 Bad Gateway | Generic error. |
|
502 Bad Gateway | If the hostname of the HTTPS application does not match the origin server certificate, you will get generic error. | Check the hostname you provided for the HTTPS application matches the certificate from the EAA Management Portal in | . It should match the value in the certificate.
503 Service Temporarily Unavailable | There was an unexpected issue with the server. | Contact support and ask them to check the error logs for the Data POP and connector. |
504 Gateway Timeout | Timeout issue that occurs with the server. |
|
540 Connectivity Disrupted | The connector does not have dial-out connections to either the data POP for the application or access to the directory. |
|
542 Internal Database Error | Data POP cannot reach the authentication database. | Contact support for checking the authentication database. |
543 IdP Communication Error | Data POP cannot reach IdP or directory service. | Contact support and have them:
|
544 Management Communication Error | Login/Authentication POP cannot reach mgmt login manager. | Contact support and have them:
|
545 Authentication Internal Error | Data POP cannot resolve/reach the authentication database. | Contact support and have them check the error logs in the data POP and connector, and the authentication database. |
546 Unknown Application | Login/Authentication POP does not have the application configuration. | Contact support and have them:
|
548 Invalid Response | Response received from the login server could not be validated via back-channel request from the Cloud proxy to the login server. | Contact support and have them:
|
549 Authentication Gateway Error | Login service cannot reach directories to complete the authentication process. | Contact support. To learn more see Troubleshoot error code: 549 Authentication Gateway Error. |
552 Application Unreachable | Application service is not reachable from connector. |
|
553 Directory Service Error | Directory service errors commonly occur during Kerberos authentication steps such as fetch TGT, perform constrained delegation, and fetch service ticket. Additional information is typically displayed along with this error. |
|
554 Authentication Token Error | Kerberos token is not accepted by application. |
|
555 Application does not support Kerberos | No negotiate option found in 401 challenge. | Check if Kerberos authentication is enabled in the application server. If not, either enable Kerberos on the application server or change application-facing authentication method from the EAA Management Portal in to the supported application-facing authentication method. To learn more see Troubleshoot access to a Kerberized application. See Troubleshoot access to a Kerberized application. |
556 Unexpected Authentication Challenge | 401 challenge on URI not configured as login URI. | |
557 KDC Unreachable | Connector cannot reach KDC for users domain. | Make sure at least one KDC is reachable in the customer data center. See Troubleshoot access to a Kerberized application. |
559 Connection Limit Stop: Service Concurrent Connections Exceeded | A user has established more than 50 websocket connections. | The number of websockets per users is limited to 50 to avoid attacks on the system. Contact support and ask them to perform back-end changes on the application. |
561 Invalid NTLM Challenge | Connector received invalid NTLM challenge from server | See Troubleshoot receiving a password prompt for every application link. |
562 Credential Error | Unable to encrypt or decrypt NTLM credentials. |
Login Event | Description |
---|---|
LOGIN | S | A log in was successful. |
LOGIN | F | 2 | A log in attempt failed because an invalid username was provided. |
MFA | MC | The user was prompted to enter their authentication code. |
MFA | MF | Multi-factor authentication failed or was unsuccessful. |
MFA | MR | The user registered for multi-factor authentication by configuring how they wanted to receive their authentication code. |
MFA | MD | Multi-factor authentication was done and completed successfully. |

Error | Description |
---|---|
invalid_user | Error that occurs when an end user attempts to log in with incorrect user credentials. |
unreachable | This may be seen under | when using LDAPs. This is a false positive due to a bug in the Microsoft environment. This was resolved by adding multiple health check calls instead of just one to declare that the directory is down.