Application response codes, login events, and errors

Learn more about HTTP response codes and troubleshooting errors.

This topic describes some of the events, HTTP response codes, login events, and errors that users may encounter when attempting to access or use an application.

EAA administrators can create an application report or an SSH audit report in the EAA Management Portal. The application report includes the login event and error information provided in the tables below. To learn more, see Reports.

To learn more about troubleshooting in EAA, see Troubleshooting overview and tips.

An end user may encounter standard HTTP status responses when attempting to access or use an application. This table describes some of these responses.
HTTP response codes
HTTP response Description How to troubleshoot
400 Bad Request The application server is unable to process the request. For example, this error may occur if the end user provides an incorrect URL for the application. Create an application report and check the application server logs.
400 Bad Request - Request Header or Cookie Too Large The HTTP request header or browser cookie exceeds the configured buffer value. This error can occur if the cookies are corrupted and need to be cleared from the end user’s browser. Clear the browser history, cache, and stored cookies, then try again. Contact support and have them review the backend NGINX configuration. The NGINX configuration can be modified to support large request headers and cookies.
401 Authorization Required The end user has not properly authenticated to the application. Make sure Single sign-on (SSO) authentication is configured for the application in the EAA Management Portal.
403 Forbidden The end user is not allowed to access the application. Make sure the user access information matches the configured access rule in the EAA Management Portal. To learn more, see Troubleshoot application access denied.
404 Not Found The URL in the request cannot be found or does not exist. Check whether the request URL is available on the origin server.
405 Action failed - HTTP method not allowed The action is not supported. If you are trying to update an SSL certificate and receive this message, you will need to upload a new certificate to EAA. Updating a pre-existing certificate is not currently supported. To learn more, see Certificate-based authentication in the IdP.
413 Request Entity Too Large The request is too large and the application server cannot process it.
  • Contact support to increase the buffer for the application from the EAA Management Portal in Applications > [Your application name] > Settings > Advanced settings > Proxy Buffer Size. To learn more about this feature, see Set up advanced settings for an application.
  • Contact support and ask them to check the error logs in the Data POP and connector.
414 Request-URI Too Large The Uniform Resource Identifier (URI) in the request is too large. Create an application report and examine the logs.
492 User Access Forbidden The user is not authorized to access the application. Check the user group assignment for the application. See Troubleshoot application access denied.
493 Unsupported Browser The HTTP request does not contain Server Name Indication (SNI). The browser did not send the SNI extension as part of the TLS negotiation. Check if the browser version supports SNI or try a different browser.
494 Request Header or Cookie Too Large The HTTP request header is bigger than the configured buffer value. The default is 4K.
500 Internal Server Error There was an unexpected issue with the server.
  1. Create an application report and examine the logs.
  2. Use X-Ray-ID to check if the error comes from an application or from EAA. If the request went to the application, the access log contains a field that tracks the origin server IP.
  3. Contact support to investigate further.
502 Bad Gateway Generic error.
  1. Contact support to examine the access and error logs for the Cloud proxy and connector. Have them look for any timeout errors.
  2. If the origin server takes more than the configured read-timeout to respond, contact support to increase the read-timeout for the application from the EAA Management Portal in Applications > [Your application name] > Settings > Advanced settings > Application Server Read Timeout. To learn more about this feature, see Set up advanced settings for an application.
502 Bad Gateway If the hostname of the HTTPS application does not match the origin server certificate, you will get a generic error. Check that the hostname you provided for the HTTPS application matches the certificate from the EAA Management Portal in Applications > [Your application name] > Settings > General settings > Application Server IP/FQDN > . It should match the value in the certificate.
503 Service Temporarily Unavailable There was an unexpected issue with the server. Contact support and ask them to check the error logs for the Data POP and connector.
504 Gateway Timeout Timeout issue that occurs with the server.
  1. Contact support to examine the access and error logs for the Cloud proxy and connector. Have them look for any timeout errors.
  2. If the origin server takes more than the configured read-timeout to respond, contact support to increase the read-timeout for the application from the EAA Management Portal in Applications > [Your application name] > Settings > Advanced settings > Application Server Read Timeout. To learn more about this feature, see Set up advanced settings for an application.
540 Connectivity Disrupted The connector does not have dial-out connections to either the data POP for the application or access to the directory.
  1. Check connector connectivity in the connector console.
  2. See Troubleshoot application deployment. If the error is observed at login, it is possible that the directory configuration is missing on the connector.
542 Internal Database Error Data POP cannot reach the REDIS master node. Contact support and have them:
  1. Check error logs in Data POP and connector.
  2. Check if there is a REDIS DNS problem in the application data POP.
  3. Check if there is a REDIS connectivity issue in the application data POP.
  4. Check if there is a failure of the REDIS master node with subsequent failures to promote the REDIS slave node to master role or register the new master with the Data POP console.
543 IdP Communication Error Data POP cannot reach IdP or directory service. Contact support and have them:
  1. Check error logs in Data POP and connector.
  2. Check if there is a connectivity issue in the login or IdP POP.
  3. In the case of private POP deployments behind a DMZ, confirm whether the on-prem DNS servers can resolve the login service or IdP.
544 Management Communication Error Login/Authentication POP cannot reach mgmt login manager. Contact support and have them:
  1. Check error logs in Data POP and connector.
  2. Check if there is a connectivity issue between the login or IdP POP and mgmt login manager.
  3. Confirm the mgmt login manager service is running.
545 Authentication Internal Error Data POP cannot resolve/reach the REDIS. Contact support and have them:
  1. Check error logs in Data POP and connector.
  2. Check if there is a REDIS DNS problem in the application data POP.
  3. Check if there is a REDIS connectivity issue in the application data POP.
546 Unknown Application Login/Authentication POP does not have the application configuration. Contact support and have them:
  1. Check the Login or IdP POP to see if the application is deployed in the POP.
548 Invalid Response Response received from the login server could not be validated via back-channel request from the Cloud proxy to the login server. Contact support and have them:
  1. Create a report of the error and access logs for the proxy and login servers.
  2. Search the logs for the X-Ray-ID, a unique identifier for every HTTP request that flows through EAA.
  3. Make sure that the response generated from the login server was not corrupted by a forward proxy between the client and the EAA cloud.
549 Authentication Gateway Error Login service cannot reach directories to complete the authentication process. Contact support. To learn more, see Troubleshoot error code: 549 Authentication Gateway Error.
552 Application Unreachable Application service is not reachable from the connector.
  1. Troubleshoot application connectivity
  2. Make sure the origin server IP/FQDN and port are correctly configured.
553 Directory Service Error Directory service errors commonly occur during Kerberos authentication steps such as fetch TGT, perform constrained delegation, and fetch service ticket. Additional information is typically displayed along with this error.
  1. Make sure that the service principal name (SPN) is configured correctly. This problem is mostly seen when deploying a new application that is not configured properly. For example, the application may be set up as NTLM internally, but the EAA administrator configured the application as a Kerberos application with an incorrect SPN. With Kerberos-constrained delegation, this can indicate problems with the keytab file or with the permissions to delegate to a service for the service account associated with the keytab file.
  2. Create an Admin Event report and check the error logs and access logs associated with the request that failed for more details on the nature of the error.
See Troubleshoot access to a Kerberized application.
554 Authentication Token Error Kerberos token is not accepted by the application.
  1. Make sure that the service principal name (SPN) is configured correctly.
  2. Make sure that Kerberos is selected as the application-facing authentication method from the EAA Management Portal in Applications > [Your application name] > Settings > Advanced settings.
See Troubleshoot access to a Kerberized application.
555 Application does not support Kerberos No negotiate option found in 401 challenge. Check if Kerberos authentication is enabled in the application server. If not, either enable Kerberos on the application server or change the application-facing authentication method from the EAA Management Portal in Applications > [Your application name] > Settings > Advanced settings to the supported application-facing authentication method. To learn more, see Troubleshoot access to a Kerberized application.
556 Unexpected Authentication Challenge 401 challenge on URI not configured as login URI.
557 KDC Unreachable Connector cannot reach the KDC for the user's domain. Make sure at least one KDC is reachable in the customer data center. See Troubleshoot access to a Kerberized application.
559 Connection Limit Stop: Service Concurrent Connections Exceeded A user has established more than 50 websocket connections. The number of websockets per user is limited to 50 to avoid attacks on the system. Contact support and ask them to perform back-end changes on the application.
561 Invalid NTLM Challenge Connector received an invalid NTLM challenge from the server. See Troubleshoot receiving a password prompt for every application link.
562 Credential Error Unable to encrypt or decrypt NTLM credentials.
Login event information is included in the Application report. The following table describes some of the login events that may be included in the report. See Figure 1 to see how these fields appear in an application report.
Login Events
Login Event Description
LOGIN | S A login was successful.
LOGIN | F | 2 A login attempt failed because an invalid username was provided.
MFA | MC The user was prompted to enter their authentication code.
MFA | MF Multi-factor authentication failed or was unsuccessful.
MFA | MR The user registered for multi-factor authentication by configuring how they wanted to receive their authentication code.
MFA | MD Multi-factor authentication was done and completed successfully.
Example of a downloaded application report
This table describes some of the errors that an administrator may see logged in the Application report. See Figure 1 to see how these fields appear in an application report.
Errors
Error Description
invalid_user Error that occurs when an end user attempts to log in with incorrect user credentials.
unreachable This may be seen under Reports > Admin Events when using LDAPs. This is a false positive due to a bug in the Microsoft environment. This was resolved by adding multiple health check calls instead of just one to declare that the directory is down.
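
One way to review the codes from the Login Events table above in a downloaded application report: flag sources that try several usernames rejected as invalid (LOGIN | F | 2) and users with repeated MFA | MF that is not followed by MFA | MD. This is an added example, not code from the product or its documentation; the CSV column names, the thresholds, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows; column names are assumptions, not the real report header.
SAMPLE_REPORT = """\
time,user,client_ip,event
2024-05-01T10:00:05Z,alice,198.51.100.7,MFA | MF
2024-05-01T10:00:12Z,alice,198.51.100.7,MFA | MF
2024-05-01T10:00:20Z,alice,198.51.100.7,MFA | MD
2024-05-01T10:02:00Z,admin,203.0.113.9,LOGIN | F | 2
2024-05-01T10:02:01Z,root,203.0.113.9,LOGIN | F | 2
2024-05-01T10:02:02Z,test,203.0.113.9,LOGIN | F | 2
2024-05-01T10:03:00Z,bobb,198.51.100.8,LOGIN | F | 2
2024-05-01T10:05:30Z,carol,192.0.2.44,MFA | MF
2024-05-01T10:06:10Z,carol,192.0.2.44,MFA|MF
"""

def normalize(event):
    """Turn 'LOGIN | F | 2' or 'login|f|2' into ('LOGIN', 'F', '2')."""
    return tuple(part.strip().upper() for part in event.split("|"))

def review_login_events(report_text, min_invalid_users=3, min_mfa_failures=2):
    """Summarize login events worth a second look; rows must be in time order."""
    invalid_by_ip = defaultdict(set)  # client_ip -> usernames rejected as invalid
    mfa_failures = Counter()          # user -> number of MFA | MF events
    last_mfa = {}                     # user -> most recent MFA outcome, MF or MD
    for row in csv.DictReader(io.StringIO(report_text)):
        event = normalize(row["event"])
        if event == ("LOGIN", "F", "2"):
            invalid_by_ip[row["client_ip"]].add(row["user"])
        elif event in (("MFA", "MF"), ("MFA", "MD")):
            last_mfa[row["user"]] = event[1]
            if event[1] == "MF":
                mfa_failures[row["user"]] += 1
    return {
        # One source trying many names that do not exist suggests guessing.
        "many_invalid_usernames": sorted(
            ip for ip, names in invalid_by_ip.items() if len(names) >= min_invalid_users
        ),
        # Repeated MFA failures whose latest outcome is still a failure.
        "unresolved_mfa_failures": sorted(
            user for user, n in mfa_failures.items()
            if n >= min_mfa_failures and last_mfa[user] != "MD"
        ),
    }

if __name__ == "__main__":
    print(review_login_events(SAMPLE_REPORT))
```
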