562 Credential Error

The HTTP 562 status code is an unofficial server error used by Akamai Enterprise Application Access (EAA) (562 Credential Error) and the AWS Application Load Balancer (562 JWKS Request Failed). Akamai returns this code for NTLM credential encryption failures, while AWS returns this code when the ALB cannot validate JSON Web Tokens against the JWKS endpoint.

Usage specific to Akamai EAA

Akamai EAA supports NTLM single sign-on by encrypting and storing user credentials on the connector, then replaying them during NTLM authentication challenges from the backend. The 562 error appears when the connector is unable to encrypt or decrypt these NTLM credentials, breaking the SSO flow.

The most common trigger is an NTLM key rotation during a connector upgrade. When the connector's encryption keys change, credentials cached from prior sessions become unreadable. Active NTLM sessions fail until users log out and re-authenticate through the identity provider (IdP).

Other causes include:

  • Corrupted credential storage on the connector.
  • Mismatched encryption keys across connector instances in a high-availability deployment.
  • An interrupted connector upgrade leaving encryption keys in an inconsistent state.

Usage specific to AWS ALB

The AWS Application Load Balancer returns 562 JWKS Request Failed when a listener rule is configured to authenticate users with JSON Web Tokens (JWT) and the ALB cannot obtain a valid response from the JWKS (JSON Web Key Set) endpoint. The JWKS endpoint provides the public keys used to verify JWT signatures.

The ALB expects the JWKS endpoint to return an HTTP status code in the 200 to 299 range. A 562 is returned when any of these conditions apply:

  • The JWKS endpoint returns a non-2xx status code.
  • The JWKS endpoint does not respond within 5 seconds.
  • The JWKS response exceeds 150 KB.
  • The JWKS response contains more than 10 keys.

The failure occurs at the load balancer level before the request reaches the backend target.

SEO impact

Search engines treat 562 responses as server errors. Persistent errors cause crawlers to reduce crawl frequency and eventually drop affected URLs from the index.

Example

Akamai EAA credential error

A client accesses an NTLM-authenticated application through Akamai EAA. The connector attempts to decrypt the cached NTLM credentials but fails due to rotated encryption keys. The client receives a 562.

Request

GET /sharepoint/sites/team HTTP/1.1
Host: app.example.re
Accept: text/html
Cookie: akamai-eaa-session=xyz789abc012

Response

HTTP/1.1 562 Credential Error
Date: Mon, 02 Mar 2026 14:45:00 GMT
Content-Type: text/html

<html>
<head><title>562 Error</title></head>
<body>
<h1>Credential Error</h1>
<p>Unable to encrypt or decrypt NTLM
credentials</p>
</body>
</html>

AWS ALB JWKS failure

A client sends a request to an application behind an AWS Application Load Balancer configured with JWT authentication. The ALB attempts to fetch the JWKS endpoint to verify the token, but the endpoint returns an error.

Request

GET /api/protected HTTP/1.1
Host: app.example.re
Accept: application/json
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

Response

HTTP/1.1 562 JWKS Request Failed
Date: Mon, 02 Mar 2026 14:50:00 GMT
Content-Type: text/html
Server: awselb/2.0

<html>
<head><title>562 JWKS Request Failed</title></head>
<body>
<h1>562 JWKS Request Failed</h1>
<p>Failed to get a successful response from the
JWKS endpoint</p>
</body>
</html>

How to fix

Akamai EAA: Log out of the identity provider and log back in. A fresh IdP login generates new NTLM credentials encrypted with the current connector keys, replacing the stale cached credentials. This is the standard resolution after a connector upgrade rotates encryption keys.

Clear browser cookies and cached sessions. Stale session cookies referencing old credential entries perpetuate the error even after the IdP session refreshes.

Verify all connectors in a high-availability group are running the same version. Mismatched versions across connector instances produce different encryption keys, causing intermittent 562 errors depending on which connector handles the request.

Check the connector upgrade status in Akamai Control Center. An interrupted or partial upgrade leaves encryption keys in a transitional state. Complete the upgrade or roll back to a consistent version.

If the error persists after re-authentication and connector verification, contact Akamai support. Persistent credential encryption failures indicate a deeper issue with the connector's key storage requiring support intervention.

AWS ALB: Verify the JWKS endpoint is publicly resolvable and accessible from the ALB's subnets. The ALB fetches keys over the public internet, so the endpoint must not be behind a firewall or private network.

Confirm the JWKS endpoint responds within 5 seconds. Slow identity providers or DNS resolution delays cause the ALB to time out and return 562.

Check the JWKS response size stays under 150 KB and contains no more than 10 keys. Rotate out expired keys from the JWKS document to keep the response within limits.

Review the ALB access logs (field actions_executed) and the error_reason field for the specific failure stage. Enable detailed logging in CloudWatch to capture the JWKS endpoint's response code.
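The JWKS checks above can be run as a pre-flight test before pointing a listener rule at an endpoint. The following Python sketch is an added example, not AWS or Akamai code: the function names and the constructed sample documents are hypothetical, and "150 KB" is read as 150 * 1024 bytes.

```python
import json
import time
import urllib.error
import urllib.request

# Limits as stated on this page for the ALB's JWKS fetch.
TIMEOUT_S = 5
MAX_BYTES = 150 * 1024  # assumption: "150 KB" read as 150 * 1024 bytes
MAX_KEYS = 10

def check_jwks(status, elapsed_s, body):
    """Return the reasons a JWKS response would fail the limits above."""
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"status {status} is outside 200-299")
    if elapsed_s > TIMEOUT_S:
        problems.append(f"took {elapsed_s:.1f}s, limit is {TIMEOUT_S}s")
    if len(body) > MAX_BYTES:
        problems.append(f"body is {len(body)} bytes, limit is {MAX_BYTES}")
    try:
        keys = json.loads(body).get("keys")
    except (ValueError, AttributeError):
        keys = None
    if not isinstance(keys, list):
        # Not one of the page's four conditions; a JWKS needs a "keys" array.
        problems.append("body is not a JWKS document with a 'keys' array")
    elif len(keys) > MAX_KEYS:
        problems.append(f"{len(keys)} keys, limit is {MAX_KEYS}")
    return problems

def fetch_and_check(url):
    """Fetch url once (needs network access) and run check_jwks on the result."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=TIMEOUT_S) as resp:
            status, body = resp.status, resp.read(MAX_BYTES + 1)
    except urllib.error.HTTPError as err:
        status, body = err.code, b""
    except OSError as err:  # DNS failure, refused connection, timeout
        return [f"no response: {err}"]
    return check_jwks(status, time.monotonic() - start, body)

def sample_jwks(n):
    """Constructed JWKS with n placeholder entries (not real key material)."""
    entry = {"kty": "RSA", "use": "sig", "n": "AA", "e": "AQAB"}
    return json.dumps({"keys": [dict(entry, kid=f"k{i}") for i in range(n)]}).encode()

if __name__ == "__main__":
    print(check_jwks(200, 6.2, sample_jwks(12)))
```

Run `fetch_and_check` from a host on the public internet rather than from inside the identity provider's network, so the result reflects the path the ALB uses.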

Takeaway

The 562 status code is an unofficial error with platform-specific meanings. Akamai EAA returns 562 Credential Error for NTLM credential encryption failures. AWS Application Load Balancer returns 562 JWKS Request Failed when the JWKS endpoint used for JWT validation returns a non-2xx response, times out, or exceeds size limits.

Last updated: March 6, 2026