We currently have a three-node farm set up and have tested authentication and sending/receiving messages to each node individually, with which we've had no issues. However, we use NetScaler as a network load balancer, and once we configured NetScaler in front of the three nodes we've encountered issues with RESTful authentication using OAuth.
The issue appears to be that when specifying a single scope (e.g. "server1/namespace"), if NetScaler routes the request to server1 it will provide a token back, but if the request is routed to server2 or server3 it fails with the following warning event logged:
Security token service finished processing a request with failure. TrackingId: (guid + server receiving request), Absolute Uri: https://(load balancer uri):9355/namespace/$STS/OAuth/, Message: System.UnauthorizedAccessException: Invalid user.
   at Microsoft.Cloud.ServiceBus.Security.OAuthAuthenticationRequest.Parse(Message message, Int32 maxArrayLength)
   at Microsoft.Cloud.ServiceBus.Security.SecurityTokenServiceProtocolHandler.GetTokenAsyncResult.ParseAuthenticationRequest(Message requestMessage, Int32 maxArrayLength)
   at Microsoft.Cloud.ServiceBus.Security.SecurityTokenServiceProtocolHandler.GetTokenAsyncResult.<GetAsyncSteps>d__2c.MoveNext()
   at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.EnumerateSteps(CurrentThreadType state)
   at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.Start()
After reading the OAuth specifications, I tried changing the scope to be a space-delimited list of all three nodes (e.g. "server1/namespace server2/namespace server3/namespace"), but this failed with a similar event being logged, though this one specified that the namespace could not be resolved for the scope provided.
When the server receiving the request matches the server in the scope and a token is provided, sending/receiving appears to function as normal across all three nodes. Is there a different way to specify multiple servers in the scope, or otherwise solve/mitigate this issue? I've read a couple of threads regarding the support and use of NLB for load balancing -- I think our infrastructure/network teams would prefer using NetScaler if possible, though any suggestions are welcome. Thanks!