Problem with ADFS

Vote:
 

Hi!

A customer is running a multi site, load balanced,  with WS-federation against their ADFS and it works well.

But sometimes they can't login on one of the sites on one of the webservers. 

When they try to visit https:///episerver they should have been redirected to the ADFS and get logged in, and after that redirected back to the dashboard in episerver. 

But sometimes when they try to login to one of the sites is just get stuck on pending the request to ADFS and nothing happens (check the exception from the log file below). 

If I restart the site, it works and I can login again. 

Anyone else with this kind of problem?

/ Henric

The exception in the log file:

2018-04-26 07:46:42,504 [23] ERROR EPiServer.Global: 1.2.5 Unhandled exception in ASP.NET

System.OperationCanceledException: The operation was canceled.

   at System.Threading.CancellationToken.ThrowOperationCanceledException()

   at System.Threading.SemaphoreSlim.d__31.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.d__3.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.WsFederation.WsFederationAuthenticationHandler.d__c.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.d__b.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.d__8.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.d__5.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.d__5.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.d__2.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar)

   at System.Web.HttpApplication.AsyncEventExecutionStep.InvokeEndHandler(IAsyncResult ar)

   at System.Web.HttpApplication.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar)

System.OperationCanceledException: The operation was canceled.

   at System.Threading.CancellationToken.ThrowOperationCanceledException()

   at System.Threading.SemaphoreSlim.d__31.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.d__3.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.WsFederation.WsFederationAuthenticationHandler.d__c.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.d__b.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.d__8.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.d__5.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.d__5.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.d__2.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar)

   at System.Web.HttpApplication.AsyncEventExecutionStep.InvokeEndHandler(IAsyncResult ar)

   at System.Web.HttpApplication.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar)

#191878
May 02, 2018 11:23
Vote:
 

Really weird. When the error is in effect, can you reach the ADFS /FederationMetadata.xml URL from the failing server?

Might be valuable to see which packages and .NET version you are running.

Can you persist the network log on a browser that's getting the error to see how far the user gets?

#192073
May 04, 2018 23:56
Vote:
 

We are getting the same error on one of our customers who is running the epi on DXC and using ADFS as their identity provider. What we see is that in the beginning of the session the browser is briefly accessing ADFS and as the token is still valid is being redirected to the site, which ends up in reporting 502 bad gateway.  Did you find any solution to this? 

#192128
May 08, 2018 10:05
Vote:
 

We are getting the same error on a loadbalanced environment using EPiServer 10, seems like when the error occurs its abit slow to fetch the metadata-xml. (no more than a guess for now)

#192279
Edited, May 14, 2018 11:31
Vote:
 

I would look on Github and add an issue for the WsFed Owin package. I would guess the error more likely is in there or on the ADFS side.

#192306
May 14, 2018 22:14
Vote:
 

I think we have found a work-around to this. Adding the following code in the beginning of the Owin pipeline configuration forces the user the signout and retrieve a new token, instead of using the cancellation token.

           app.Use(async (ctx, next) =>
            {
                try
                {
                    await next();
                }
                catch (OperationCanceledException)
                {
                    ctx.Authentication.SignOut();
                    HttpContext.Current.Response.Cookies.Clear();
                }
            });
 


Why and how is the cancellation token issued in the first place? Owin and federated security are not the most researched things in stackoverflow (or anywhere else in the internet) and it took us quite a while to find out what this is all about. As far as I see the this link (https://github.com/IdentityServer/IdentityServer3/issues/3710) describes the symptoms quite close even though the technology is not the same that we are using.

Further digging brought up this SO thread, where the answer number 5 was the one that worked and could be applied to us: (https://stackoverflow.com/questions/22157596/asp-net-web-api-operationcanceledexception-when-browser-cancels-the-request).

#194384
Edited, Jun 20, 2018 8:22
Vote:
 

When users sign in to a Microsoft cloud service such as Office 365, Microsoft Intune, or Microsoft Azure by using a federated user account, the connection to the Active Directory Federation Services (AD FS) service fails only when users try to do the following: MYBKExperience

Connect from a remote Internet location

Use email connections to sign in

#195763
Aug 07, 2018 13:29
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.