NguyenThanhTung-0456 asked piaudonn commented

MailExchange ADFS Authentication Errors

I have an issue with ADFS authentication on my Exchange server. The problem is encountered with ADFS 3.0 on Windows Server 2012 and Exchange Server 2013 CU22. I followed the instructions at the link below to configure AD FS claims-based authentication with Outlook Web App and EAC:
https://docs.microsoft.com/en-us/exchange/using-ad-fs-claims-based-authentication-with-outlook-web-app-and-eac-exchange-2013-help
In my web browser (Chrome, Firefox), when I sign in to OWA, the response returns HTTP error 401. When I try to sign in to EAC by typing my username (domain\user) and password, EAC shows the message "An error occurred. Contact your administrator for more information". I checked the Event Viewer of the Exchange server; there are no errors in it. I checked the Event Viewer of the ADFS server; the following error was reported:
Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
https://mailsrv.contoso.com/ecp/

Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

I already searched Google for error MSIS7042, but nothing solved my problem.
Any ideas to help me?
Thanks for your help.


Hi @NguyenThanhTung-0456,

According to your description, the issue is related to ADFS, so I'll add the "adfs" tag so the case is visible to more community members who are familiar with ADFS.

Also, during my research I found the thread below, which discusses the same error under the adfs tag. You may have a look and see if it could be of some help:
ADFS 3.0 error 364 (msis 7042) on ADFS + error 224 on ADFS PROXY maybe after windows update.

By the way, considering that it's a public forum, I'll remove the domain name in your original post for privacy-related concerns. Please remember to obfuscate any sensitive information in your future posts to protect personal information.


Because Web Application Proxy is optional, I don't use a Web Application Proxy server in my dev environment. The thread "ADFS 3.0 error 364 (msis 7042) on ADFS + error 224 on ADFS PROXY maybe after windows update" is not the same as my case.
Thank you for removing my domain name from my original post.

AndyDavid answered

My first thought is a browser add-in is causing this.
Can you try disabling the add-ins on the one you are using?
Also try in incognito mode.

NguyenThanhTung-0456 answered

I think a browser add-in is not the reason, because Chrome/Firefox have just been installed. I also tried incognito mode before I created this issue.
I am sending the SAML-Tracer image and SAML trace log.

NguyenThanhTung-0456 answered piaudonn commented

Can anyone help me? Thank you so much.


Hard to say what's wrong looking at base64 screenshots :)

Common reasons for the loop to take place can be:

  • Time mismatch between the ADFS servers and the Exchange servers

  • Custom token lifetime value is too short (so changed from the default)

The token is not accepted by Exchange and Exchange redirects to ADFS again. Are there any logs on Exchange at the time this happens? Maybe there is something wrong in the URIs. Hard to say with screenshots.

ADFS is passive here. Just does what it's asked.



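Added example (not part of the thread and not any poster's code): for the two causes listed in the comment above, clock mismatch and a shortened token lifetime, this reads the validity window from a WS-Federation `wresult` copied out of a SAML-tracer capture and classifies it against the relying party's clock. It assumes ADFS issued a SAML 1.1 assertion; the sample token, its timestamps, the host name and the `skew` parameter are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML11 = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed sample: a trimmed wresult carrying a SAML 1.1 assertion.
SAMPLE_WRESULT = """\
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1" AssertionID="_constructed"
        Issuer="http://adfs.example.test/adfs/services/trust"
        IssueInstant="2021-05-28T08:00:00.000Z">
      <saml:Conditions NotBefore="2021-05-28T08:00:00.000Z"
                       NotOnOrAfter="2021-05-28T09:00:00.000Z"/>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
"""

def _ts(value):
    # UTC instants such as 2021-05-28T08:00:00.000Z, with or without fractions
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def validity_window(wresult_xml):
    # Only feed this traces you captured yourself: the stdlib parser is
    # not hardened against hostile XML.
    cond = ET.fromstring(wresult_xml).find(f".//{SAML11}Conditions")
    if cond is None:
        raise ValueError("no SAML 1.1 Conditions element in wresult")
    return _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))

def check_token(wresult_xml, rp_now, skew=timedelta(0)):
    """Classify the token as a relying party would see it at rp_now (UTC)."""
    not_before, not_on_or_after = validity_window(wresult_xml)
    lifetime = not_on_or_after - not_before
    if rp_now + skew < not_before:
        return "not-yet-valid", lifetime  # relying party clock is behind ADFS
    if rp_now - skew >= not_on_or_after:
        return "expired", lifetime  # clock ahead of ADFS, or lifetime too short
    return "ok", lifetime
```

Pass the relying party server's current UTC time as `rp_now`; a result other than `ok` for a freshly issued token points at the clock or lifetime causes rather than at the URIs.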