LEGACY CONTENT
This article refers to legacy products, components or features. Therefore, the content in this article is offered "as is" and will no longer be updated. This content does not infer that the product, component or feature is supported, or that the product, component or feature will continue to function as described herein.

Introduction

K2 blackpearl requires that the NLB persistence type is set to IP Affinity. Seemingly random 401 authentication issues occur when using Cookie Affinity or any other non IP Affinity setting.

Different NLB persistence Types

More and more network load balancers are supporting a concept of Cookie Affinity. In some circles this is considered a valid “sticky session” configuration because it ensures that all requests from the same cookie based session will be routed to the same server. This works well when all activity in the browser stays in one session. However, there are many situations in SharePoint and K2 where a new session, including a new cookie, might be spawned. When this occurs, the client machine is no longer guaranteed to go to the same back end server in the farm. If this happens, the tickets are not passed between the servers and the result is a 401 Unauthorized Error in the browser.

For example, when you render a SharePoint form library, you are in one session, when you click “New” for your web-based form, you are in a different session. If the system uses Cookie Affinity, there is a good chance those sessions could end up on different machines and this will lead to 401 authentication issues when you try to save/submit the form.

Error Message

The following error message relates to this KB Article:
  • 401 authentication error

Error Resolution

K2 requires your NLB persistence type to be IP Affinity. Different load balancing technologies call this different things, so be sure to research the specific hardware in order to perform the correct configuration.

In Windows NLB software configuration, IP Affinity is obtained by setting the Filtering mode for Multiple host to either Single (routes all requests from a single IP to the same load balanced server) or Class C (routes all requests from IPs of the same Class C IP address range to the same load balanced server) as shown below.

[Figure 1. Configuring IP Affinity]

In F5 (BIG-IP) hardware configuration IP Affinity is obtained by setting the Persistence Type to Source Address Affinity.

Troubleshooting

We used the IIS logs to track down this issue. We could prove very quickly that when we had a 401 error, the initial browser session was hitting Node1 and the rendered InfoPath form with the error was hitting Node2. When there were no errors, we would find all the page renders on the same node. This technique is very good to use when trying to debug NLB issues, especially when you can’t get to the configuration settings yourself.