WAP - Connection String Expiry, Refresh & Blank Page

  • Question

  • Hi,

    We're seeing ongoing issues with users where their sessions expire, they hit refresh in their browser (this happens on: Edge, IE, Safari, iOS, Chrome etc) and they only get back a blank screen or, if diagnosed more closely, an HTTP 403 Forbidden error.

    I've had an ongoing fight with MS Support over other issues with WAP that we didn't have with ISA and TMG where this was not a problem. Their response is to use a Load Balancer & Firewall product in front for most of them but I fail to see how that can fix this.

    Surely if the token has expired it should revert to the login page? Am I missing something here?

    Modern browsers remember the complete URL that was last used so even if the user tries to type in the URL again, it extends the old token and the user still gets a blank screen instead of a login page.

    Is there some setting to fix this?

    I'm seeing it on fully updated WS 2012 R2 & WS2016 TP5 on all browsers I have tested including MS ones.

    Surely this can't be sane?

    Any website that you access generally sends you to a login page if your session has expired.

    Any information or guidance would be appreciated.

    Jas :)


    • Edited by Beljason1 Sunday, June 5, 2016 6:43 AM
    Sunday, June 5, 2016 6:41 AM

All replies

  • It's hard to see what could be wrong just like this.

    Expiration has a lot to do with the application. When you first got your token for your RP, you send it to your application. The application usually creates a bootstrap cookie that will enable your session to keep a security context (sort of). Once this cookie has expired, the application has to redirect you to the IDP (ADFS in this case). What are you seeing? Do you have a blank page on the application? Or do you have a blank page on ADFS? If the blank page is on the application, it has a little to do with ADFS and is more related to how the application is handling this situation. Maybe a Fiddler trace might clear that out?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, June 6, 2016 2:05 PM
    Owner
  • Hi,

    I see what you mean so I'll add some further detail as this isn't a Claims Based App. This is specific to Exchange & SharePoint publishing using Kerberos Authentication.

    As such, it's the Web Application Proxy Service that is being used as a Reverse Proxy which would be receiving the token and appears to be sending back the error.

    I had assumed it would show the login page for ADFS if the token being presented to Web Application Proxy has expired?

    Jas :)



    • Edited by Beljason1 Thursday, June 9, 2016 4:11 AM
    Wednesday, June 8, 2016 9:58 AM
  • This is very interesting and very frustrating since I can't repro.

    Do you have any update from the case?

    I'll try to set up an ADFS in my lab having an OWA. Please let us know if you have any update!



    Monday, June 13, 2016 1:04 PM
    Owner
  • Hi,

    There isn't a case for this one as both cases I have opened previously for this product have never been fixed despite hundreds of hours of troubleshooting.

    I've gone back and retested and it's definitely still an issue for my Kerberos based applications.

    Doesn't appear to publish O365 or other claims aware apps.

    Jas :)

    Tuesday, June 21, 2016 10:52 AM
  • I am facing the same problem with a customer's SharePoint 2013, ADFS, WAP deployment. When the sessions expire, the browsers or Office client applications (Word, Excel) would show a page which has an HTTP 403 Forbidden error instead of redirecting to the ADFS login page.

    Checking the WAP server's event logs would reveal a warning message with the message "Web Application Proxy received a request that contained an expired edge token" followed by the received token's details with the requested URL and other details in the event log. The WAP troubleshooting guide says it could be a time issue and to sync the clocks between ADFS and WAP but this only occurs for sessions which have expired.

    The requested URL would contain something like https://<sharepoint URL>/sitename/documents/forms/allitems.aspx?authToken=<tokenvalue>&client-request-id=<request guid>

    However, if the URL string behind the question mark (in italics) is removed, the user would be redirected to ADFS login page.

    Not sure if this is an issue with ADFS WAP or how I had done the setup as the same problem occurs in my virtual lab environment and client's production environment.

    Tuesday, September 20, 2016 9:08 AM
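
The workaround described in the post above (dropping the stale `authToken` and `client-request-id` query parameters so the request is redirected to the ADFS login page), as an added example that is not part of the original thread. The function name, host and token values are constructed; it assumes that removing only these two parameters, rather than the whole query string, is sufficient.

```javascript
// Added example: strip WAP edge-token query parameters from a stale URL.
// Parameter names come from the URL quoted in the post above; the host,
// paths and values are constructed for illustration.
const EDGE_TOKEN_PARAMS = new Set(["authtoken", "client-request-id"]);

function stripEdgeTokenParams(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on malformed input
  const removed = [];
  // Snapshot the keys first: deleting from a live URLSearchParams while
  // iterating it can skip entries.
  for (const key of [...new Set(url.searchParams.keys())]) {
    if (EDGE_TOKEN_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key); // removes every occurrence of this name
      removed.push(key);            // record the name only, never the token value
    }
  }
  return { cleanUrl: url.href, removed, hadToken: removed.length > 0 };
}

// Constructed sample: the URL shape from the post, as a browser would replay it.
const staleUrl =
  "https://sharepoint.example.test/sitename/documents/forms/allitems.aspx" +
  "?authToken=CONSTRUCTED.TOKEN.VALUE" +
  "&client-request-id=00000000-0000-0000-0000-000000000000";

const result = stripEdgeTokenParams(staleUrl);
console.log(result.hadToken ? "stale token parameters removed:" : "no token parameters:");
console.log(result.cleanUrl);
```

Recording only the parameter names keeps token values out of any log the result is written to.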
  • Same problem here. OWA does not seem to refresh the token properly causing OWA to stop refreshing. 

    Web Application Proxy received a request with an expired access cookie. The access cookie expired at: 2016-09-27T11:15:57.000000000Z.

    Tuesday, September 27, 2016 5:13 PM
  • Beljason1, do you have a ticket number I can reference? I need to open a similar case with MSFT and since you say "both cases I have opened previously for this product have never been fixed despite hundred of hours of troubleshooting" I figure there are some good notes in there to speed up the process.
    Wednesday, September 28, 2016 12:25 PM
  • Hi Jas, were you able to solve this issue? Any additional information would be appreciated.

    Thanks,
    Antonin

    Monday, May 15, 2017 7:06 AM