0
votes

I have a custom MVC site that uses ADFS authentication for users to access the site.

This was working; I have since made no changes, the only change being on the ADFS side, where the token certificates rolled over. Unfortunately I cannot seem to find anything that indicates that this is related to my now very frustrating error.

Simply put, no user can log in; thank goodness this is still under development, so at least I do not have screaming users on my hands. I have a Dynamics CRM 2011 environment with IFD and Claims-Based auth using this same ADFS server. I have also removed and recreated the Relying-Party Trusts, but still with no luck.

All I get is the following error on the page with the accompanying Event Log entry:

Site:

There was a problem accessing the site. Try to browse to the site again.

Event Log:

Encountered error during federation passive request.

Additional Data

Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '6' seconds. Contact your administrator for details. at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.UpdateLoopDetectionCookie() at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSignInResponse(MSISSignInResponse response)

I have searched high and low, I have tried every suggestion I can find, including this post: ADFS v2.0 Error : MSIS7042: The same client browser session has made '6' requests in the last '1' seconds

I have configured my relying party trusts as per the following URL: http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013

I forgot to turn off custom errors, so now I get the following:

WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'http://XXX.XXX.XXX/adfs/services/trust'.

As such I have corrected the Certificate Thumbprint, but unfortunately that doesn't seem to help the situation.

Still searching and trying solutions for this issue and will update if anything changes.

Any assistance in this regard would be greatly appreciated.

Thanks


3 Answers

4
votes

Fixed it !! :):)

It seems there was an issue with the "issuerNameRegistry" entry in my Web.Config.

What does confuse me is why it was working before, but nevertheless, here is what fixed the issue:

I had the following in my web.config, which did work previously:

  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://adfs.domain.tld/adfs/services/trust">
      <keys>
        <add thumbprint="thumbprint"/>
      </keys>
      <validIssuers>
        <add name="http://adfs.domain.tld/adfs/services/trust"/>
      </validIssuers>
    </authority>
  </issuerNameRegistry>

Thanks to this answer https://stackoverflow.com/a/21289207/2985339 on this post Windows Azure intermittent Identity error when parsing webconfig

This is what the web.config now has:

  <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
    <trustedIssuers>
      <add thumbprint="thumbprint" name="http://adfs.domain.tld/adfs/services/trust" />
    </trustedIssuers>
  </issuerNameRegistry>

Beats me as to why it stopped working, but if anyone else has this issue, hopefully this will help. :)

1
votes

For the MSIS7042 error, ensure that the identifier in your web.config and the endpoint in the RP both have a trailing slash and that they both match.

For the non-valid key, use the MMC plugin on the server side to get the thumbprint and then post this into something like Notepad++ and inspect it - ensure no dodgy characters etc., then remove spaces and then paste it into the web.config.

I've seen this a number of times.
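A small config audit in the spirit of the two answers above (an added example, not code from the question or either answer): it parses an issuerNameRegistry fragment in either shape shown on this page, cleans the thumbprint the way the second answer describes, and flags an issuer name that differs from the token's issuer only by a trailing slash. The sample fragment, the thumbprint and the issuer URL are constructed; the hidden U+200E mark stands in for the "dodgy characters" a copy from the MMC certificate dialog can carry.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample in the ConfigurationBasedIssuerNameRegistry shape from the accepted answer.
# The thumbprint imitates a raw paste from the MMC certificate dialog (spaces between byte pairs
# plus an invisible U+200E mark); the issuer name also lacks the trailing slash the token carries.
SAMPLE_CONFIG = (
    '<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, '
    'System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">'
    '<trustedIssuers>'
    '<add thumbprint="\u200e3f 0a 91 c2 7e 44 d1 05 b8 6a 2c 9d 17 e0 f3 58 4b 6c 20 aa"'
    ' name="http://adfs.domain.tld/adfs/services/trust" />'
    '</trustedIssuers></issuerNameRegistry>'
)
# Constructed: the issuer exactly as a WIF10201 message for the same farm would print it.
TOKEN_ISSUER = "http://adfs.domain.tld/adfs/services/trust/"

def normalize_thumbprint(raw):
    """Strip what a GUI copy/paste adds and list why WIF would not map the raw value to a key."""
    problems = []
    if any(unicodedata.category(c) == "Cf" for c in raw):
        problems.append("hidden format character (e.g. U+200E) present")
    if any(c.isspace() for c in raw):
        problems.append("whitespace between byte pairs")
    cleaned = "".join(c for c in raw if not (c.isspace() or unicodedata.category(c) == "Cf"))
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        problems.append("not 40 hex digits after cleaning (got %d chars)" % len(cleaned))
    return cleaned.upper(), problems

def check_issuer_name(configured, from_token):
    """The registry's issuer string must equal the token issuer exactly, trailing slash included."""
    if configured == from_token:
        return []
    if configured.rstrip("/") == from_token.rstrip("/"):
        return ["issuer differs from token issuer only by a trailing slash"]
    return ["issuer %r does not match token issuer %r" % (configured, from_token)]

def audit_issuer_registry(xml_text, token_issuer):
    """Map each cleaned thumbprint to its problems; handles both registry shapes on this page."""
    root = ET.fromstring(xml_text)
    findings = {}
    def record(raw_thumb, issuer_name):
        cleaned, problems = normalize_thumbprint(raw_thumb)
        findings[cleaned] = problems + check_issuer_name(issuer_name or "", token_issuer)
    for authority in root.iter("authority"):        # ValidatingIssuerNameRegistry: authority/keys/add
        for add in authority.iterfind("keys/add"):
            record(add.get("thumbprint"), authority.get("name"))
    for trusted in root.iter("trustedIssuers"):     # ConfigurationBasedIssuerNameRegistry: trustedIssuers/add
        for add in trusted.findall("add"):
            record(add.get("thumbprint"), add.get("name"))
    return findings
```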

0
votes

Sorry to necro up an old thread but to those that up-voted the correct answer - did you add any new references to your project? Import anything etc?

Obviously ValidatingIssuerNameRegistry is not ConfigurationBasedIssuerNameRegistry so was wondering what steps were taken to add/remove any assemblies / versions etc.