The remote server returned an error: (401) Unauthorized in debug console

  • 20 August 2021
  • 7 replies
  • 1124 views


Hello Community,

We have a customer whose PROD environment has ADFS enabled, and when logged in to EE using the IFSAPP account, the error below is all over the debug console.

There are no other issues with user authentication with ADFS, but it normally takes about 1-2 minutes to get in.

 

 

I enabled TRACE:32 level for the Httpserver and the log entries are pretty strange to me. Appreciate if anyone can share some info about this error. TIA!

 

Header from WLS:[WWW-Authenticate]=[Bearer realm="7001219a-298b-4bb1-897c-c502d9702cbe@https://adfs.customer.domain/adfs", scope="openid", authorization_uri="https://adfs.customer.domain/adfs", error="invalid_token", error_description="a7accc64-d08b-43d5-9f6b-616755899751: Token timestamp does not fall within the acceptable range."]

Header from WLS:[X-ORACLE-DMS-RID]=[0:1]

Header from WLS:[X-ORACLE-DMS-ECID]=[00jA89PdAFpFw0zmjR053z6HaWi1zZ2wI0002K8000073]

Header from WLS:[X-IFS-OAuth2-Resource]=[api://IFS10PROD]

Header from WLS:[X-IFS-OAuth2-IDP]=[ADFS]

parsed all headers OK

Exiting method BaseProxy::sendRequest 

sendResponse() : r->status = '401'

Hdrs to client (add):[Cache-Control]=[no-cache, no-store, must-revalidate]

Hdrs to client (add):[Date]=[Thu, 19 Aug 2021 16:30:20 GMT]

Hdrs to client (add):[Pragma]=[No-cache]

Hdrs to client (add):[Expires]=[Thu, 01 Jan 1970 00:00:00 GMT]

Hdrs to client (add):[WWW-Authenticate]=[Bearer realm="7001219a-298b-4bb1-897c-c502d9702cbe@https://adfs.customer.domain/adfs", scope="openid", authorization_uri="https://adfs.customer.domain/adfs", error="invalid_token", error_description="a7accc64-d08b-43d5-9f6b-616755899751: Token timestamp does not fall within the acceptable range."]

Hdrs to client (add):[X-ORACLE-DMS-RID]=[0:1]

Hdrs to client (add):[X-ORACLE-DMS-ECID]=[00jA89PdAFpFw0zmjR053z6HaWi1zZ2wI0002K8000073]

Hdrs to client (add):[X-IFS-OAuth2-Resource]=[api://IFS10PROD]

Hdrs to client (add):[X-IFS-OAuth2-IDP]=[ADFS]

AH01502: headers: ap_headers_output_filter()

Response sent with status 401, headers:

Date: Thu, 19 Aug 2021 16:30:20 GMT

Strict-Transport-Security: max-age=63072000; includeSubDomains

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Referrer-Policy: same-origin

Cache-Control: no-cache, no-store, must-revalidate

Pragma: No-cache

Content-Length: 1468

Expires: Thu, 01 Jan 1970 00:00:00 GMT

WWW-Authenticate: Bearer realm=\\"7001219a-298b-4bb1-897c-c502d9702cbe@https://adfs.customer.domain/adfs\\", scope=\\"openid\\", authorization_uri=\\"https://adfs.customer.domain/adfs\\", error=\\"invalid_token\\", error_description=\\"a7accc64-d08b-43d5-9f6b-616755899751: Token timestamp does not fall within the acceptable range.\\"

X-ORACLE-DMS-RID: 0:1

X-ORACLE-DMS-ECID: 00jA89PdAFpFw0zmjR053z6HaWi1zZ2wI0002K8000073

X-IFS-OAuth2-Resource: api://IFS10PROD

X-IFS-OAuth2-IDP: ADFS

Vary: Accept-Encoding

X-XSS-Protection: 1; mode=block

Content-Type: text/html; charset=UTF-8

coalesce: have 0 bytes, adding 908 more

coalesce: passing on 908 bytes

ssl_io_filter_handshake(), accepted 1, proxy 0

ssl_filter_write(), len 908

nzos_filter_out_write(), length 937, client reneg 0

core_output_filter: flushing because of FLUSH bucket

nzos_filter_out_write(): bio_filter_out_pass -> 1

OHS:2069 Server: written in this round=908. Remaining Bytes to write=0 total=908

ssl_filter_write(), len 1468

nzos_filter_out_write(), length 1497, client reneg 0

core_output_filter: flushing because of FLUSH bucket

nzos_filter_out_write(): bio_filter_out_pass -> 1

OHS:2069 Server: written in this round=1468. Remaining Bytes to write=0 total=1468

core_output_filter: flushing because of FLUSH bucket

nzos_filter_in_read() -> SSLIOErr (time out)

(OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : OHS:2067 SSL IO error, nzos_Read returned 28857

OHS:2171 NZ Library Error: Unknown error

ssl_io_filter_handshake(), accepted 1, proxy 0

core_output_filter: flushing because of FLUSH bucket

nzos_filter_out_write(), length 31, client reneg 0

core_output_filter: flushing because of FLUSH bucket

nzos_filter_out_write(): bio_filter_out_pass -> 1

AH02001: Connection closed to child 582 with standard shutdown (server mwsserver:48080)


7 replies


Hi,

Do you have a user set up for IFSAPP in your AD? I hope that is not the case; in that scenario, the IFS application will use the fallback authentication mechanism for IFSAPP and switch to DB authentication. The above logs are probably the retry attempts from the client before switching to DB auth.

 

Thanks,

Kasun

 

 


Hi Kasun,

Thanks for the reply.

Is it necessary to have an AD account for IFSAPP for ADFS authentication to work?


Hi Ruchira,

IFSAPP is a special user which is not used as an end user in the IFS application. Therefore you don’t need to have an AD account to connect to the IFS application as IFSAPP, which is why fallback authentication has been implemented.

 

Thanks,

Kasun


Hi @Kasun Balasooriya ,

Yes, that’s correct, but if there are users with DB authentication enabled (users not synced from the AD), the error is there for them as well.


Hi, 

 

Is this issue resolved? We are also facing the same issue.

 

Thanks 

L P Reddy


The bit of the error message that concerns me is “Token timestamp does not fall within the acceptable range.”

 

Usually this means your ADFS and app server have two different system clocks. Try to get these system clocks synced first. I believe that should be the first step.


Hi All 

 

This is just for anyone looking for a solution to the error “Token timestamp does not fall within the acceptable range”, which can occur when you are trying to log in with SSO (ADFS). It is not an issue with IFS but rather with the NTP server which is used for clock synchronization.

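Added example, not part of the thread and not IFS or ADFS code: a small diagnostic for the clock-skew explanation given in the last two replies. It pulls the error out of the logged `WWW-Authenticate` challenge and compares a token's `iat`/`nbf`/`exp` claims with the validating server's clock. The 300-second tolerance, the function names and the sample token are assumptions constructed for the illustration.

```python
import base64, json, re
from email.utils import parsedate_to_datetime

# Challenge as logged in the thread (realm and authorization_uri omitted for brevity).
CHALLENGE = ('Bearer scope="openid", error="invalid_token", error_description='
             '"a7accc64-d08b-43d5-9f6b-616755899751: Token timestamp does not '
             'fall within the acceptable range."')

def parse_bearer_challenge(value):
    """Return the key="value" parameters of a WWW-Authenticate: Bearer header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token_time(claims, validator_now, tolerance=300):
    """Classify token timestamps against the validating server's clock.
    tolerance (seconds) is an assumed value, not a documented IFS/ADFS setting."""
    starts = max(claims.get("nbf", 0), claims.get("iat", 0))
    if starts - validator_now > tolerance:         # issuer clock ahead of validator
        return "not_yet_valid", starts - validator_now
    if validator_now - claims["exp"] > tolerance:  # validator ahead, or token is stale
        return "expired", validator_now - claims["exp"]
    return "ok", 0

def make_sample_token(iat, lifetime=3600):
    """Constructed, unsigned sample token; the signature part is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}),
                     enc({"iat": iat, "nbf": iat, "exp": iat + lifetime}), "placeholder"])

if __name__ == "__main__":
    print(parse_bearer_challenge(CHALLENGE)["error_description"])
    # Validator clock taken from the Date header of the logged 401 response.
    now = int(parsedate_to_datetime("Thu, 19 Aug 2021 16:30:20 GMT").timestamp())
    # Constructed case: the issuer's clock runs 10 minutes ahead of the validator.
    print(check_token_time(decode_claims(make_sample_token(now + 600)), now))
```

A "not_yet_valid" result with an offset of several minutes points at the two hosts' clocks disagreeing rather than at the user account, which is the case the replies above describe.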