Thursday, November 17, 2011

MSIS7042: The same client browser session has made 'X' requests in the last 'Y' seconds.

This exception was written to the ADFS event log after an unsuccessful sign-in to one of our Relying Party applications. From the user's perspective the control flow seems correct at first: the application redirects to the ADFS login page, but then, rather than signing in, it forces the browser to go to ADFS again and again. After a few frantic redirects within the browser, ADFS shows the exception message.

It turned out that there is a simple cause of this unintended behaviour: the FederatedPassiveSignIn control on the RP's login page has the AutoSignIn property set to true.

When the browser hits the page, the control unconditionally redirects to ADFS and then, upon returning, if something is wrong with the sign-in response, it redirects to ADFS again. The problem is that ADFS shows the login page only once and afterwards automatically redirects back to the application because the user is already authenticated. This causes the "redirection loop" within the browser, as the application and ADFS start to unconditionally redirect between each other.

If this is the case in your scenario (AutoSignIn="true"), then there is a simple workaround. All you have to do is provide a SignInError handler for the control, in which you turn off auto sign-in:

// e is the WIF ErrorEventArgs; e.Exception holds the exception thrown in the sign-in pipeline
FederatedPassiveSignIn1.SignInError +=
    ( s, e ) =>
    {
        // turn off auto sign-in to prevent the "redirection loop"
        FederatedPassiveSignIn1.AutoSignIn = false;
        // optionally show the error message
        lblError.Text = e.Exception.Message;
    };

In our case it turned out that the error in the authentication pipeline was caused by a wrong STS certificate thumbprint on the RP side, which made WIF throw a security exception from the IssuerNameRegistry.
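Putting the two points together, here is an added example (not the original post's code) of a complete code-behind for the RP login page: it wires the SignInError handler, turns AutoSignIn off so the loop stops after the first failure, records the real cause (such as the untrusted-issuer exception from the IssuerNameRegistry) in the server-side trace, and shows the end user only a generic message rather than the raw exception text, which can reveal details of the STS configuration. It assumes WIF (Microsoft.IdentityModel.Web.Controls) and a page with the control id FederatedPassiveSignIn1 and the label id lblError from the post; the class name Login and the trace source name are assumptions.

```csharp
// Added example, not code from the original post.
// Assumes WIF (Microsoft.IdentityModel.Web.Controls) and the control/label ids from the post.
using System;
using System.Diagnostics;
using System.Web.UI;
using Microsoft.IdentityModel.Web.Controls;

public partial class Login : Page
{
    // Assumed trace source name; route it to the event log or a file in web.config.
    private static readonly TraceSource Log = new TraceSource("RelyingParty.SignIn");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Subscribe on every request: the control raises SignInError while it processes
        // the token ADFS posted back, which happens after the page's Load event.
        FederatedPassiveSignIn1.SignInError += FederatedPassiveSignIn1_SignInError;
    }

    private void FederatedPassiveSignIn1_SignInError(object sender, ErrorEventArgs e)
    {
        // Stop the control from redirecting to ADFS again; ADFS would only send the
        // already-authenticated user straight back, producing the redirection loop
        // and eventually MSIS7042 on the ADFS side.
        FederatedPassiveSignIn1.AutoSignIn = false;

        // Keep the real reason on the server. A wrong STS thumbprint in the
        // issuerNameRegistry shows up here as a security exception from WIF.
        Log.TraceEvent(TraceEventType.Error, 0,
            "Federated sign-in failed for {0}: {1}",
            Request.UserHostAddress, e.Exception);

        // Show the user a generic message only; the exception text names internal
        // components (issuer, certificate thumbprint) that need not leave the server.
        lblError.Text = "Sign-in failed. Please try again or contact support.";
        lblError.Visible = true;
    }
}
```

With AutoSignIn switched off in the handler, the page renders with the error label instead of redirecting, so the operator can read the trace entry and fix the configured thumbprint while the user sees a stable page rather than a loop.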
