Why does my login to Distribution fail with the message “The server encountered an internal error or misconfiguration and was unable to complete your request.” in the browser after entering credentials during the SSO redirect?

Nihal Reddy Chinna Choudhary
2019-01-17 22:31

Summary

When you access the Distribution URL, you are redirected to the Artifactory login page. After a successful login, the SSO redirect should take you back to the Distribution home page. Instead, the browser shows the following error:

{"errors":[{"field":"generic","code":"something.went.wrong","arguments":{},"defaultMessage":"The server encountered an internal error or misconfiguration and was unable to complete your request."}]}
 

Affected Versions

Artifactory 6.x
 

Details

When this issue occurs, you will notice the error below in the distribution.log under $DISTRIBUTION_HOME/logs/. After the login failure, the distribution.log contains an error message for the token exchange:

2018-11-28 19:35:43,860 [http-nio-8080-exec-7] [ERROR] (o.j.b.d.r.e.m.DefaultExceptionMapper:37) Default exception mapper caught: {}
org.jfrog.access.client.AccessClientException: Error exchanging token, status 308
       at org.jfrog.bintray.distribution.service.access.AccessServiceImpl.exchangeToken(AccessServiceImpl.java:243)
       at org.jfrog.bintray.distribution.resource.ui.auth.AuthenticationUiResource.postLogin(AuthenticationUiResource.java:101)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:497)
       at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)

2018-11-28 19:36:29,445 [http-nio-8080-exec-3] [WARN ] (o.j.b.d.r.e.m.RequestExceptionMapper:33) Request exception mapper caught: This action requires admin authorization. Endpoint: GET /v1/system/security/access
 

Resolution

This issue occurs due to the absence of either the "Custom URL Base" or the header "X-Artifactory-Override-Base-Url" in the reverse proxy server or load balancer that is in front of Artifactory. Generally, when Distribution or any other client communicates with the Artifactory server, Artifactory returns HTTP response headers along with the response, and these include the Base URL of Artifactory. The HTTP response headers, including the Artifactory Base URL, can get overridden by the reverse proxy server or load balancer that is in front of Artifactory.

When this happens, the client (in this case Distribution) still expects the Artifactory Base URL during its communication with Artifactory. If the reverse proxy or load balancer overrides the part of the Artifactory response that includes the Artifactory Base URL, the request fails because the Distribution service did not get the expected Base URL.

To resolve this issue, set "Custom URL Base" or the header "X-Artifactory-Override-Base-Url", with the Artifactory URL as its value, in the configuration of the reverse proxy server in front of Artifactory. Note that the protocol used for the Artifactory URL should be http if SSL is not set up and https if SSL is enabled. The example below assumes that SSL has been enabled at the reverse proxy server and that Artifactory is being accessed over HTTPS.

When updating your reverse proxy configuration, remember to change the variable ${Artifactory_domain} in the example below to your Artifactory FQDN.

 

For Nginx:

proxy_set_header  X-Artifactory-Override-Base-Url  https://${Artifactory_domain}/artifactory;

 

For Apache:

RequestHeader set X-Artifactory-Override-Base-Url https://${Artifactory_domain}/artifactory

For Load Balancer:
If you are using only a load balancer in front of Artifactory, set "Custom URL Base" or the "X-Artifactory-Override-Base-Url" header in your load balancer configuration, with the value set to the Artifactory URL as in the example above.
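
To confirm that the Nginx directive shown above is actually in effect and uses the scheme that matches the proxy's SSL setting, a check like the following can be run against the proxy configuration file. This is an added example, not JFrog tooling: the function names, the host name artifactory.example.com and the three sample configs are constructed for illustration, and the script only understands the Nginx form of the directive.

```shell
#!/bin/sh
# Added example: audit an Nginx config for the Artifactory override header.
HEADER='X-Artifactory-Override-Base-Url'

# Print the URL the config sets for the header (empty if it is not set).
override_url() {
    awk -v h="$HEADER" '
        /^[[:space:]]*#/ { next }                      # ignore commented-out lines
        $1 == "proxy_set_header" && tolower($2) == tolower(h) {
            sub(/;$/, "", $3); print $3; exit
        }' "$1"
}

# Echo "ok", "missing" or "scheme-mismatch"; non-zero status unless "ok".
check_override() {
    url=$(override_url "$1")
    [ -n "$url" ] || { echo missing; return 1; }
    # Rule from the article: https when SSL is enabled at the proxy, else http.
    if grep -Eq '^[[:space:]]*listen[[:space:]][^;#]*[[:space:]]ssl([[:space:];]|$)' "$1"; then
        want=https
    else
        want=http
    fi
    case "$url" in
        "$want"://*) echo ok ;;
        *) echo scheme-mismatch; return 1 ;;
    esac
}

# Constructed sample configs (hypothetical host name), written to directory $1.
make_samples() {
    printf '%s\n' 'server {' '  listen 443 ssl;' '  location /artifactory/ {' \
        '    proxy_set_header  X-Artifactory-Override-Base-Url  https://artifactory.example.com/artifactory;' \
        '  }' '}' > "$1/good.conf"
    printf '%s\n' 'server {' '  listen 443 ssl;' '  location /artifactory/ {' \
        '    # proxy_set_header X-Artifactory-Override-Base-Url https://artifactory.example.com/artifactory;' \
        '  }' '}' > "$1/missing.conf"
    printf '%s\n' 'server {' '  listen 443 ssl;' '  location /artifactory/ {' \
        '    proxy_set_header X-Artifactory-Override-Base-Url http://artifactory.example.com/artifactory;' \
        '  }' '}' > "$1/mismatch.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in good missing mismatch; do
    printf '%s: %s\n' "$f.conf" "$(check_override "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

Point check_override at the real server block file to audit a live proxy; a result of missing or scheme-mismatch corresponds to the conditions the Resolution section says must be corrected.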