MSIS7042 error when redirected to ADFS login page from relative URL

  • Question

  • Suppose my website URL is https://sub.site.com/

    When I enter this in the browser, it redirects to the AD FS login page. After entering credentials, it redirects the user back to the website, and the user is able to access the website correctly.

    But when I open the website using a relative URL, say https://sub.site.com/Area/Docs/, it redirects to the AD FS login page as well. When the user enters credentials now, it gets stuck in a loop and I receive the following error message in Event Viewer:

    Encountered error during federation passive request. 
    
    Additional Data 
    
    Protocol Name: 
    wsfed 
    
    Relying Party: 
    http://workflow/live 
    
    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    

    How could this be resolved?

    Friday, August 3, 2018 16:44

All replies

  • Enable the logs of the app and try to understand why it rejects the token and redirects the user to the ADFS server.

    Sometimes the token validity is too short, sometimes there is a typo in the relying party ID, sometimes it is a time difference, sometimes a wrong certificate, etc... the app's log will tell us.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, August 3, 2018 20:03
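
The causes listed in the reply above correspond to checks a relying-party application runs on the token before it sets its own session; if any check fails, the application sends the browser back to AD FS and the loop detection behind MSIS7042 trips. The sketch below is an added example, not code from the thread, the application or AD FS: the class and function names, the 5-minute clock tolerance, the exact-string identifier comparison and the thumbprint values are assumptions, and only the identifier `http://workflow/live` comes from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Token:                      # facts read from the issued token
    audience: str
    not_before: datetime
    not_on_or_after: datetime
    signer_thumbprint: str

@dataclass
class AppConfig:                  # what the application is configured to accept
    expected_audience: str
    trusted_thumbprints: frozenset
    clock_skew: timedelta = timedelta(minutes=5)   # assumed tolerance

def rejection_reasons(token, cfg, app_now):
    """Return every reason this application would refuse the token."""
    reasons = []
    if token.audience != cfg.expected_audience:    # exact match: a typo is enough
        reasons.append("relying party ID mismatch")
    if token.signer_thumbprint.upper() not in cfg.trusted_thumbprints:
        reasons.append("untrusted signing certificate")
    if app_now + cfg.clock_skew < token.not_before:
        reasons.append("not yet valid (application clock behind)")
    if app_now - cfg.clock_skew >= token.not_on_or_after:
        reasons.append("expired (lifetime too short or application clock ahead)")
    return reasons

# Constructed sample values; only the identifier http://workflow/live is from the thread.
ISSUED = datetime(2018, 8, 3, 16, 44, tzinfo=timezone.utc)
GOOD_CFG = AppConfig("http://workflow/live", frozenset({"CONSTRUCTED-THUMBPRINT-1"}))

def make_token(lifetime=timedelta(hours=1), thumbprint="constructed-thumbprint-1"):
    return Token("http://workflow/live", ISSUED, ISSUED + lifetime, thumbprint)

def run_cases():
    typo_cfg = AppConfig("http://workflow/Live", GOOD_CFG.trusted_thumbprints)
    minute = timedelta(minutes=1)
    return {
        "healthy": rejection_reasons(make_token(), GOOD_CFG, ISSUED + minute),
        "id typo": rejection_reasons(make_token(), typo_cfg, ISSUED + minute),
        "clock behind": rejection_reasons(make_token(), GOOD_CFG, ISSUED - 10 * minute),
        "short lifetime": rejection_reasons(make_token(lifetime=minute), GOOD_CFG, ISSUED + 7 * minute),
        "wrong cert": rejection_reasons(make_token(thumbprint="constructed-thumbprint-2"), GOOD_CFG, ISSUED + minute),
    }

if __name__ == "__main__":
    for name, reasons in run_cases().items():
        print(f"{name:15} -> {reasons or 'accepted'}")
```
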
  • How do I enable the logs and check them?

    Please explain.

    Thanks

    Friday, August 3, 2018 20:08
  • I activated AD FS Tracing logs. Here are the main errors I'm getting:

    1. Error 1

    Detected an instance where RP is not configured properly, and requesting tokens repeatedly

    2.  Error 2

    Exception: MSIS7042: The same client browser session has made '6' requests in the last '2' seconds. Contact your administrator for details.
    StackTrace:    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    3. Error 3

    Passive pipeline error

    4. Warning 1

    Ignoring Invalid entry 'signoutCleanup;http%3a%2f%2fidentifier%2fworkflow%2flive&OperatingProcedures&https%3a%2f%2fsub.site.com%2fAccount%2fExternalLoginCallback&https%3a%2f%2fsub.site.com%2f' in signout cookie.

    This warning message does not make sense to me because I'm opening a fresh in-private / incognito browser window and trying to "Login" the user. Why is it giving a signout cookie error at all?

    Thanks,

    Kamalpreet Singh




    Tuesday, August 7, 2018 16:07
  • But what did the app log show?

    Because the app is obviously not accepting the token and redirecting the user back to ADFS. 



    Thursday, August 23, 2018 13:08
  • Hi, when you log in to https://sub.site.com and navigate to /Area/Docs, do you experience the same issue, or does it only happen if you navigate directly to https://sub.site.com/Area/Docs/?

    Isaac Oben MCITP:EA, MCSE, MCC

    Thursday, August 23, 2018 23:44
  • Sorry

    Did you finally solve this problem? I'm in an identical situation now...

    Thanks

    M

    Tuesday, March 24, 2020 10:27