Periodically, when an end user logs in, a basic authentication dialog pops up. When the user clicks Cancel, it leads to the login page. If the user enters the credentials, the dialog closes and the user can continue his tasks.
After testing, we believe that the basic authentication dialog that we face is caused by LtpaToken2 missing from the cookie.
At this point in time, we are unsure of what caused LtpaToken2 to be removed from the cookie. We suspect that it could be the load balancer (i.e. F5), IIS or the BPM.
This issue is not repeatable at will. However, when we run load testing on an external application, which uses the REST API to start some processes in BPM as a special user (note: no other interaction between the external application and BPM), it is easier to see the issue of the Basic Authentication dialog in BPM.
We have managed to capture the network traffic on 2 instances.
– The 1st occurrence:
The http request of “https://:/teamworks/script/coachNG/dojo/1.10.4/dojo/cldr/nls/en/number.js?build=201603010311” (Line: 34494) should be the trigger of the Basic Authentication dialog, which got a 302 response instead of 200.
The key is, the LtpaToken2 cookie in this http request is missing, but the previous http request still contains LtpaToken2 and JSESSIONID in the cookie.
We believe that the LtpaToken in the server side should not be expired. We have set the LTPA timeout as 720 minutes, so the 1st log should lead to the creation of the LTPA token entry in the server side, which would not be expired in 12 hours.
We also believe that the session should not be expired, because we keep working on the process portal after logging in.
– The 2nd occurrence:
The http request of “https://:/teamworks/script/coachNG/dojo/1.10.4/dojo/cldr/nls/en/number.js?build=201603010311” (Line: 34347) should be the trigger of the Basic Authentication dialog, which got a 302 response instead of 200.
The interesting thing is, it’s the same http request.
Another interesting thing is, both LtpaToken2 and JSESSIONID are missing in the cookie of the http request. Then we checked the previous http requests, and they contain the LtpaToken2 cookie but no JSESSIONID cookie.
We believe that both LtpaToken and session in the server side should not be expired.
So our question is how LtpaToken2 and JSESSIONID were removed from the cookie, given that we believe both LtpaToken and session in the server side should not be expired.
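One way to locate such drops mechanically in a browser capture, as an added example that is not part of the original post: the script walks HAR-format entries in order, flags each request that lacks LtpaToken2 or JSESSIONID although the previous request sent it, and records whether an earlier captured response deleted that cookie through Set-Cookie. The function names, the `bpm.example.invalid` host and the sample entries are constructed for illustration, and the check assumes both cookies are scoped to every path of a single host.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

TRACKED = {"LtpaToken2", "JSESSIONID"}

def set_cookie_deletes(value):
    """Return (cookie name, True if this Set-Cookie value deletes the cookie)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    # Empty value or a zero/negative Max-Age removes the cookie from the browser
    deleted = val == "" or bool(re.fullmatch(r"-\d+|0+", attrs.get("max-age", "")))
    try:  # an Expires date in the past also deletes the cookie
        deleted |= parsedate_to_datetime(attrs["expires"]) < datetime.now(timezone.utc)
    except (KeyError, TypeError, ValueError):
        pass
    return name.strip(), deleted

def find_cookie_drops(entries):
    """Flag requests lacking a tracked cookie that the previous request still sent.
    entries: HAR log.entries in capture order, assumed to be for a single host.
    cleared_by_response is None when no earlier captured response deleted it."""
    findings, prev_sent, cleared_at = [], set(), {}
    for i, e in enumerate(entries):
        sent = {c["name"] for c in e["request"]["cookies"]} & TRACKED
        for name in sorted(prev_sent - sent):
            findings.append({"index": i, "cookie": name, "url": e["request"]["url"],
                             "status": e["response"]["status"],
                             "cleared_by_response": cleared_at.get(name)})
        for h in e["response"]["headers"]:
            if h["name"].lower() == "set-cookie":
                name, deleted = set_cookie_deletes(h["value"])
                if name in TRACKED:
                    cleared_at[name] = i if deleted else None
        prev_sent = sent
    return findings

def _entry(path, cookies, status, set_cookie=()):
    """Minimal HAR-shaped entry; constructed sample data, not a real capture."""
    return {"request": {"url": "https://bpm.example.invalid" + path,
                        "cookies": [{"name": n, "value": "x"} for n in cookies]},
            "response": {"status": status, "headers": [
                {"name": "Set-Cookie", "value": v} for v in set_cookie]}}

SAMPLE = [_entry("/a.js", sorted(TRACKED), 200, ["JSESSIONID=; Path=/; Max-Age=0"]),
          _entry("/b.js", ["LtpaToken2"], 200),
          _entry("/c.js", [], 302)]
print(*find_cookie_drops(SAMPLE), sep="\n")
```

A finding whose `cleared_by_response` is set identifies the response that told the browser to delete the cookie; `None` means no such deletion appears in the capture, so the cookie was lost without an explicit Set-Cookie visible to the client.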