question

0 Votes
MattiaMinervini-1617 asked ·

ADFS 3.0 error 364 (MSIS7042) on ADFS + error 224 on ADFS Proxy, maybe after Windows Update

Hi all! Dynamics on-premises, exposed with ADFS 3.0 and ADFS Proxy. So I have this scenario:

- 1 VM for SQL (LAN)
- 1 VM for Dynamics (LAN)
- 2 VMs for DNS and DC (LAN)
- 1 VM for ADFS (LAN)
- 1 VM for ADFS Proxy (DMZ)

After a Windows Update for Windows 2012 R2 on the ADFS and ADFS Proxy VMs, it stopped authenticating from outside. When I try opening the HTTPS URL, it loops until an error. On the LAN, it works.

On the browser client, this error:

 Activity ID: 00000000-0000-0000-5000-0080000000d0
 Relying party: CRM CLAIMS RELYING PARTY
 Error time: Tue, 24 Mar 2020 07:53:03 GMT
 Cookie: enabled
 User agent string: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

On the ADFS server I can find this log: error ID 364, Encountered error during federation passive request.

Additional Data

Protocol Name: wsfed

Relying Party: https://mydynamics.mydomain.com/

Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

On the ADFS server, enabling AD FS tracing, these 3 errors:

  1. Error 1

Detected an instance where RP is not configured properly, and requesting tokens repeatedly

  2. Error 2

Exception: MSIS7042: The same client browser session has made '6' requests in the last '2' seconds. Contact your administrator for details.
StackTrace:
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

  3. Error 3

Passive pipeline error

On the ADFS proxy, error ID 224:

user: NETWORK SERVICE Event id 224

The federation server proxy configuration could not be loaded correctly from the configuration file ''. Additional Data Error:

User Action: A configuration element specified in the data above is misconfigured. Correct the specified error in the AD FS configuration database.

################################

This happens with different clients and different browsers (no trusted site or protected mode setting in IE works). Just rebooted the CRM Dynamics VM, the ADFS VM and the ADFS Proxy VM: no success. Thanks, ask me for details. M

adfs

1 Answer

1 Vote
MattiaMinervini-1617 answered ·

SOLVED IN THIS WAY!!!

Log in as an Administrator on the Windows Server that hosts the WAP (ADFS Proxy) role.

Obtain the IDs of the WAP applications for CRM. In a Windows PowerShell window, type the following command:

PS C:\Users\Admin> Get-WebApplicationProxyApplication | Format-Table ID, Name, ExternalURL

ID                                   Name ExternalURL
--                                   ---- -----------
g58fb28a-c2c7-242d-c8ec-841787820ctt CRM  https://CRMExternal URL/
g85d61e1-1n3e-6003-5f42-6ffc517046g0 Dev  https://devcrm.yourDomain.com/
923a8081-4f28-b8d2-ede0-982236e525n3 AUTH authcrm.yourdomain.com

Then execute the following commands in PowerShell, using the IDs obtained from the previous command, to disable URL translation in response headers:

Set-WebApplicationProxyApplication -ID <WebApplicationServerDomainID> -DisableTranslateUrlInResponseHeaders
Set-WebApplicationProxyApplication -ID <DiscoveryWebServiceDomainID> -DisableTranslateUrlInResponseHeaders
Set-WebApplicationProxyApplication -ID <ExternalDomainURLID> -DisableTranslateUrlInResponseHeaders
Set-WebApplicationProxyApplication -ID <OrganisationURLID> -DisableTranslateUrlInResponseHeaders

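The procedure in the answer above as one script, added here as an example and not part of the original answer: it checks each published application before changing it, because with response-header translation disabled the backend's Location, Content-Location and Set-Cookie values reach external clients unchanged. The `$NamePattern` filter, the `Get-UrlHost` helper and the skip-on-mismatch policy are assumptions of this example.

```powershell
# Added example (not from the original answer). Run elevated on the WAP server.
# $NamePattern is an assumed filter; change it to match your published CRM applications.
$NamePattern = '*CRM*'

function Get-UrlHost([string]$Url) {
    # Hypothetical helper: host part of an absolute URL, or $null if it does not parse.
    $parsed = $null
    if ([uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$parsed)) { $parsed.Host }
}

$apps = @(Get-WebApplicationProxyApplication | Where-Object { $_.Name -like $NamePattern })

foreach ($app in $apps) {
    $externalHost = Get-UrlHost $app.ExternalUrl
    $backendHost  = Get-UrlHost $app.BackendServerUrl

    if (-not $externalHost -or -not $backendHost) {
        Write-Warning "$($app.Name): could not parse external or backend URL; skipped."
        continue
    }

    # Once translation is off, a backend host name that differs from the external one
    # would appear in redirects and cookies sent to external clients.
    if ($externalHost -ne $backendHost) {
        Write-Warning "$($app.Name): external host '$externalHost' differs from backend host '$backendHost'; skipped."
        continue
    }

    if (-not $app.DisableTranslateUrlInResponseHeaders) {
        Set-WebApplicationProxyApplication -ID $app.ID -DisableTranslateUrlInResponseHeaders
    }
}

# Read the setting back to confirm what is now in effect.
Get-WebApplicationProxyApplication |
    Where-Object { $_.Name -like $NamePattern } |
    Format-Table ID, Name, ExternalUrl, BackendServerUrl, DisableTranslateUrlInResponseHeaders -AutoSize
```

Applications reported as skipped need a manual decision: either align the external and backend URLs or accept that backend host names will be visible to external clients.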