After configuring ADFS v2 with SharePoint 2010, I found that when I tried to log in, I authenticated to ADFS successfully and then got caught in an endless loop, going back and forth between SharePoint and ADFS.
In Fiddler it turned out that I was authenticating successfully to ADFS and coming back to SharePoint, which successfully issued the FedAuth cookie;
it then redirected me to /_layouts/authenticate.aspx on the SharePoint site, which cleared out the FedAuth cookie and redirected me back to the ADFS site.
I basically ping-ponged back and forth until ADFS stopped it.
In the Event Viewer on the ADFS server I saw the exception:
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '11' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.UpdateLoopDetectionCookie()
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSignInResponse(MSISSignInResponse response)
That's because the default LogonTokenCacheExpirationWindow for the SharePoint STS is 10 minutes. In this case, when I created my relying party, ADFS by default set the token lifetime to 2 minutes, so as soon as SharePoint authenticated it knew the cookie was good for less time than the LogonTokenCacheExpirationWindow value. Therefore it went back to ADFS to authenticate again, and so it went, back and forth. So I needed to change the LogonTokenCacheExpirationWindow to be less than the SAML TokenLifetime.
The solution is the following PowerShell script:
# Get the SharePoint STS configuration object
$sts = Get-SPSecurityTokenServiceConfig
# Set the cache window to 1 minute, i.e. shorter than the 2-minute ADFS token lifetime
# (note: the parameter must be typed with a plain hyphen, "-minutes")
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1)
# Persist the change
$sts.Update()
# Restart IIS so the STS picks up the new configuration
iisreset
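As an added example (not part of the original post), here is a script that first compares the STS cache window against the relying party's token lifetime and applies the post's fix only when the loop condition actually holds. It assumes it runs on a SharePoint server, that the relying party's TokenLifetime in minutes was read on the ADFS server beforehand and is passed in by hand (ADFS and SharePoint usually live on different machines), and the parameter names and the -Fix switch are hypothetical.

```powershell
# Added example, not the post's own script: check the SharePoint STS cache window
# against the ADFS relying party token lifetime before applying the fix.
# Assumptions: runs on a SharePoint server; $AdfsTokenLifetimeMinutes is the
# relying party's TokenLifetime (minutes) read on the ADFS server and passed in.
# The parameter names and the -Fix switch are hypothetical.
param(
    [Parameter(Mandatory = $true)][int]$AdfsTokenLifetimeMinutes,
    [switch]$Fix
)

# Outside the SharePoint Management Shell the snap-in is not loaded automatically,
# so Get-SPSecurityTokenServiceConfig is "not recognized" until it is added.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$sts           = Get-SPSecurityTokenServiceConfig
$window        = $sts.LogonTokenCacheExpirationWindow
$tokenLifetime = New-TimeSpan -Minutes $AdfsTokenLifetimeMinutes

Write-Host ("LogonTokenCacheExpirationWindow  : {0}" -f $window)
Write-Host ("ADFS relying party token lifetime: {0}" -f $tokenLifetime)

# The loop in the post happens when the cache window is not shorter than the
# token lifetime: SharePoint sees a token whose remaining life already falls
# inside the expiry window and sends the browser straight back to ADFS.
if ($window -lt $tokenLifetime) {
    Write-Host "OK: cache window is shorter than the token lifetime; no loop expected."
    return
}

Write-Warning "Cache window ($window) is not shorter than the token lifetime ($tokenLifetime); expect the SharePoint/ADFS redirect loop."

if ($Fix) {
    # Use half the token lifetime so the window is strictly shorter with some
    # margin (for the post's 2-minute lifetime this is the 1 minute it used).
    $newWindow = New-TimeSpan -Seconds ([int]($tokenLifetime.TotalSeconds / 2))
    $sts.LogonTokenCacheExpirationWindow = $newWindow
    $sts.Update()
    Write-Host ("Set LogonTokenCacheExpirationWindow to {0}; restarting IIS." -f $newWindow)
    # The STS caches its configuration; as in the post, reset IIS so it takes effect.
    iisreset
} else {
    Write-Host "Re-run with -Fix to set the window to half the token lifetime and reset IIS."
}
```

Run it as `.\Check-StsWindow.ps1 -AdfsTokenLifetimeMinutes 2` to report only, and add `-Fix` to apply the change.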
This has been a sporadic error with our users for months.
Great explanation too.
Many thanks...
Dave
Did it help to resolve the issue?
I am facing the same issue... where my SharePoint team wants the user to get redirected to a particular URL once they go to the URL configured in the ADFS 3.0 RPT. The redirect is also set at the network level as well. Is it something that needs to be done at the ADFS level?
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1)
$sts.Update()
iisreset
Server 2016 PowerShell cannot run this.
Please help me!