Intermittent HTTP 401s from /authorize endpoint

tjan...@gmail.com

Jun 5, 2024, 7:02:38 AM
to CAS Community
Hello Community!

We are seeing some strange behavior when calling the authorize-endpoint. It seems like CAS intermittently returns HTTP 401 even if the client id and redirect URL are correct. This is occurring randomly and lasts for 15-60 minutes around every couple of days or one week lately. These errors are visible in the Tomcat access logs, but I haven't been able to find any matching application logs. This is only happening in production with quite heavy traffic and I haven't been able to reproduce it locally or in test environments.

This started happening after migrating from CAS 6.0.x to 6.6.14. 

Would someone have ideas what could be the cause or how to go about troubleshooting it? Enabling DEBUG mode in production is not a first option due to the load and amount of logs that would get produced, especially as we cannot know when the next occurrence might happen.

We have a HA setup, but it seems like all of the failures are on a single node only and also the access logs show that the previous requests have been going to the same node due to session stickiness.

Also worth mentioning maybe is that at the time of failure, the users have an active SSO session.

Thanks in advance for any possible hints!