BenjaminFreitag-8735 asked RAVINDRANMANI-2584 commented

After updating SharePoint On-Premises with ADFS some users can't work because of old Auth-Cookie (MSIS7042)

We already made a few updates from SharePoint 2013 to 2016 or 2019 successfully. When using ADFS-Authentication and preserving the same SiteCollection-URL on the new SharePoint Server, some users may still have an Authentication-Cookie for the URL, but they can't work anymore with the new SharePoint until they log out from ADFS and log in again (either via Logout-Link https://adfsurl/adfs/ls/?wa=wsignout1.0 or by deleting all Browser-Cookies). The detailed error in ADFS is: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds.

We have never experienced such issues in production in years, but only when updating/moving the SiteCollection to a new SharePoint server. So I think this is not a general configuration issue but has to do with the actual SharePoint-Server-Upgrade and outdated/obsolete user cookies.

What can we do to prevent this issue when performing a SharePoint-Update?

adfs office-sharepoint-server-itpro

I'm checking how things are going with this issue. Does the post help you?

You can accept the post as answer if it helps.


Please check the user bookmarks. When a user has bookmarked URLs, the Delete cookie option is not clearing cookies. So we need to uncheck the first one and then check all remaining items to clear cookies.

EmilyDu-MSFT answered RAVINDRANMANI-2584 commented

This issue is more related to the lifetime of tokens. You could change the LogonTokenCacheExpirationWindow to be less than the SAML TokenLifetime with the following PowerShell command.

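 # Run in the SharePoint Management Shell on a farm server
 $sts = Get-SPSecurityTokenServiceConfig
 # SharePoint treats the logon token as expired this long before the SAML token lifetime ends
 $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
 $sts.Update()
 # Restart IIS so the new value takes effect
 iisreset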

For more detailed information, you could refer to the article below.

The same client browser session has made '6' requests in the last '11' seconds.
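
The relationship this answer relies on, as an added example that is not part of the original answer: SharePoint's usable session is the SAML TokenLifetime minus the LogonTokenCacheExpirationWindow, and a result of zero or less sends the browser back to ADFS on every request. The function name `Test-LogonTokenWindow`, the relying party placeholder and the sample values are assumptions.

```powershell
# Added example; the helper name and sample values are assumptions, not from the thread.
function Test-LogonTokenWindow {
    param(
        # TokenLifetime of the ADFS relying party trust, in minutes (0 = ADFS default of 60).
        [Parameter(Mandatory)][int]$TokenLifetimeMinutes,
        # LogonTokenCacheExpirationWindow from Get-SPSecurityTokenServiceConfig.
        [Parameter(Mandatory)][timespan]$ExpirationWindow
    )
    if ($TokenLifetimeMinutes -eq 0) { $TokenLifetimeMinutes = 60 }
    $lifetime = New-TimeSpan -Minutes $TokenLifetimeMinutes

    # SharePoint treats the token as expired $ExpirationWindow before its real expiry.
    $effective = $lifetime - $ExpirationWindow

    [pscustomobject]@{
        TokenLifetime    = $lifetime
        ExpirationWindow = $ExpirationWindow
        EffectiveSession = $effective
        # Zero or negative: every freshly issued token already counts as expired,
        # so SharePoint redirects to ADFS again and ADFS loop detection raises MSIS7042.
        RedirectLoopRisk = ($effective -le [timespan]::Zero)
    }
}

# Where the two inputs come from (read-only queries):
#   ADFS server:       (Get-AdfsRelyingPartyTrust -Name '<relying-party-name>').TokenLifetime
#   SharePoint server: (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow

# Constructed sample values: a healthy pair, then a window longer than the token lifetime.
Test-LogonTokenWindow -TokenLifetimeMinutes 0 -ExpirationWindow (New-TimeSpan -Minutes 10)
Test-LogonTokenWindow -TokenLifetimeMinutes 5 -ExpirationWindow (New-TimeSpan -Minutes 10)
```

The function only does arithmetic on the two values, so it can be run on any workstation after reading them from the ADFS and SharePoint servers separately.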



Thanks for your feedback. We set the SAML TokenLifetime (of ADFS RelyingPartyTrust) to 14 days and $sts.LogonTokenCacheExpirationWindow is set to 10 Minutes (default), so LogonTokenCacheExpirationWindow is less than the SAML TokenLifetime and the issue still occurred. So I think it must be something different or it's because of the 14 days?

We set the TokenLifetime to 14 days so users don't have to log in again and again, since all users must use the web-based ADFS-Login and complained about too many login prompts every day or even every few hours. Is this related? If yes, what's the best solution to accomplish the login-prompt-issue? Would it be better to increase ADFS KmsiLifetimeMins to 14 days instead and find a way to have KMSI enabled by default?


This is not required.
Please check the user bookmarks. When a user has bookmarked URLs, the Delete cookie option is not clearing cookies. So we need to uncheck the first one and then check all remaining items to clear cookies.

StewartJimmy-6892 answered RAVINDRANMANI-2584 commented

@BenjaminFreitag-8735 did you ever find a solution to this issue? We started seeing the same issues on one of our SP farms and it is difficult to reproduce for testing. However, in our ADFS logs, we see the error daily from different users. Like you, we have set our ADFS token life to 8 hours and our SharePoint token is set to the default 10 minutes. It would be nice to find out why SharePoint is not accepting the cookie. Our workaround has been to have users open the site in a different browser, but it is not a solution. We have not made any updates to our SP or ADFS farm since this started happening in April 2020, but have applied the monthly security patches to the OS.


No, we just recommended affected users to delete the browser cookies.


Also, please check the user bookmarks. When a user has bookmarked URLs, the Delete cookie option is not clearing cookies. So we need to uncheck the first one and then check all remaining items to clear cookies.
