Troubleshoot error code: 549 Authentication Gateway Error

Share this procedure with support when you receive this error.

If you receive the error code 549 Authentication Gateway Error, then the login service cannot reach a directory to complete the authentication process. To troubleshoot, contact support and share this procedure with them.

The path from the login server to the directory begins at the directory endpoint in the EAA Cloud, is carried over directory dial-outs into the connector, and then uses a broker service on the connector, speaking either LDAP or Kerberos, to complete the authentication with the enterprise directory.

If the user is a cloud user, the login server contacts the Management POP (Mgmt POP) to validate the user's credentials. Remember that the Cloud proxy is made up of the Data POP and the Management POP.

Authentication gateway errors are observed when the login service has a problem reaching the directory endpoint, when the login service has a problem reaching the Management POP, or when the broker service within the connector cannot be reached.

When third-party identity providers are used, authentication gateway errors also indicate problems preparing the protocol request for the third party, or parsing the protocol responses from it, within the microservice instances on the login server that are specifically tasked with handling third-party authentication.

The debugging strategy changes depending on the type of user experiencing this issue. All debugging, however, requires support.

For cloud users experiencing this error, check whether there is an issue reaching the login API service from the login service in the Data POP.

How to

  1. Check the error logs in the login service to find the point of failure. You can use the X-Ray-ID in the error message to search the error logs and access logs for the specific request that failed.
  2. Check for connectivity issues between the login server and the user's directory endpoint in the cloud. These can arise if there are DNS configuration errors.
  3. Is the problem intermittent or consistent? Intermittent problems may indicate problems with a specific instance of the directory endpoints or of the connector. For example, a difference in a directory's configuration or binary version, or a directory served by several connectors where one connector has a bad configuration or an incompatible connector version.
    1. Check the agent logs to see if the agent with the directory configuration is receiving the authentication request. Search by X-Ray-ID again to see whether API calls from the cloud are reaching the connector.
    2. For LDAP-based authentication, check the agent client logs.
    3. For Kerberos authentication, check the KBSD supervisor logs.
    4. Check whether the supervisor on the agent indicates that the LDAP broker or Kerberos broker has restarted after a crash.
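As an added illustration of steps 1, 3.1 and 3.4 (this is not code from the original page or from EAA), the Python helper below correlates each failed request's X-Ray-ID across the login-service error log, the connector agent log and the supervisor log, and reports whether the 549 stopped in the cloud segment (request never seen by a connector) or at a connector whose broker has been restarting. The log line layouts, the `xray=` field name, the agent names and the broker restart wording are constructed assumptions, not EAA's real log formats.

```python
import re
# Constructed sample logs in a hypothetical layout (not EAA's real log format);
# the checks rely only on the xray= field and on the supervisor's restart wording.
LOGIN_ERROR_LOG = """\
2024-05-01T10:00:01Z login-svc ERROR xray=ab12 code=549 msg="authentication gateway error"
2024-05-01T10:00:05Z login-svc ERROR xray=cd34 code=549 msg="authentication gateway error"
2024-05-01T10:00:09Z login-svc ERROR xray=ef56 code=549 msg="authentication gateway error"
"""
AGENT_LOG = """\
2024-05-01T10:00:05Z agent-1 INFO xray=cd34 auth request received dir=corp-ldap
2024-05-01T10:00:09Z agent-2 INFO xray=ef56 auth request received dir=corp-ldap
"""
SUPERVISOR_LOG = """\
2024-05-01T09:59:58Z agent-2 supervisor: ldap-broker exited, restarting
2024-05-01T10:00:08Z agent-2 supervisor: ldap-broker exited, restarting
"""

XRAY = re.compile(r"\bxray=(\S+)")
RESTART = re.compile(r"^\S+ (\S+) supervisor: (ldap|kerberos)-broker exited, restarting")

def agent_for_xray(xray_id, agent_log):
    """Connector (agent) name that logged this X-Ray-ID, or None if no connector saw the request."""
    for line in agent_log.splitlines():
        m = XRAY.search(line)
        if m and m.group(1) == xray_id:
            return line.split()[1]  # second field is the agent name in the constructed layout
    return None

def agents_with_broker_restarts(supervisor_log):
    """Connectors whose supervisor reported an LDAP or Kerberos broker restart (step 3.4)."""
    return {m.group(1) for m in map(RESTART.match, supervisor_log.splitlines()) if m}

def locate_failure(xray_id, agent_log, supervisor_log):
    """Map one failed request onto the segment of the authentication path where it stopped."""
    agent = agent_for_xray(xray_id, agent_log)
    if agent is None:
        return "cloud: request never reached a connector (check login service to directory endpoint, DNS)"
    if agent in agents_with_broker_restarts(supervisor_log):
        return f"connector {agent}: broker crashed and restarted (check agent client or KBSD logs)"
    return f"connector {agent}: request reached the broker (check agent client or KBSD logs for the directory reply)"

def triage(login_error_log, agent_log, supervisor_log):
    """One verdict per 549; differing verdicts across requests point at an instance-specific, intermittent cause."""
    verdicts = {}
    for line in login_error_log.splitlines():
        if "code=549" in line:
            xray = XRAY.search(line).group(1)
            verdicts[xray] = locate_failure(xray, agent_log, supervisor_log)
    return verdicts
```

With real logs, feed `triage()` the three log files after exporting them; a verdict set that is all "cloud" points at step 2, while verdicts split across connectors point at the instance-specific causes in step 3.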