Session Dropping for No Known Reason

Question

We have an Azure Web App that is hosting a Silverlight RIA Services application that is using Authentication / Authorization integrated with an Azure Active Directory.  I most cases this application is working well but in on one corporate network the session is being lost with the client app.  In general, periodically the web services stop responding and if you refresh it redirects to the Microsoft login page again.  All of this leads us to conclude that somehow the session has been lost or broken.

We have been able to confirm this is not a timeout issue as the timeout is very high for the session and we send a keep alive web service call every 15 seconds to try and keep any timeouts from occurring.  Also, the session cookieless attribute is not set, so it should be defaulting to a cookie based session.

Again this is only happening in on one corporate network and not elsewhere so we think this may have to do with something in that network that could cause the session to be lost. 

What could be causing this issue?

Thank you,

Justin

Answer 1

Hello Justin G 99

Since you are being logged out and being prompted again after the Authorization, I think the issue is mostly with being issued a new Session_State everytime after the O_auth.
This might happen if you have configured your Single Sign On to prompt everytime. Please check if your Single Sign on is configured correctly.

Refer to this link to get a sample code on this:

https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx

Thanks,
Syed Irfan Hussain

Answer 2

Syed,

Thank you for your response. 

We are not using any Azure AD code to enable this.  I have looked through the configuration of the Web App, the Active Directory, and the corresponding Application under the Active Directory and can not find any Single Sign On configuration settings.  So in other words, we are just using the Authentication / Authorization configuration capability setup in the Azure management portal for a give Web App.

This is configuration is working fine everywhere else except for one network environment.  Everywhere else, it authenticates through the Microsoft login page and the session stays active for the user throughout using the application.  In this one environment, instead the session eventually drops.

I have found this in the IIS logs where I can see the cs_username has the correct user, then approximately every 20 minutes it suddenly logs the web service calls with a blank cs_username, meaning the authenticated session has been lost somehow.  It will stay like this until we refresh the page and have to login again.

Thank you,

Justin

Answer 3

Hello Justin G 99,

If you are using an On-premise Active Directory, I suggest that you check if the client always sends an Auth-cookie when it sets up a session. Since you say that from the IIS logs you see that the client cs-username shows blank it is possible that it is failing to receive the authentication information.

I also suggest that you check the network traffic between your browser and the website. You can use the fiddler tool to do this. You can refer to this link that will give you more information on fiddler tool:
https://msdn.microsoft.com/en-us/library/windows/desktop/ff966510%28v=vs.85%29.aspx

Also please check if your Corporate Network is using any Proxy settings, please remove the proxy settings if it is set.

Thanks,
Syed Irfan Hussain

Answer 4

We are only using a standalone Azure AD for this application.  The specific functional scenario we are using is described in this MS blog post:

http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/

I didn't see any proxy settings in IE and automatic detection was off, but that doesn't mean there isn't something at the perimeter causing this issue and I am checking with their IT.

Fiddler is definitely next on the list, but the issue is how locked down these desktops are, it is going to take a lot of IT bureaucratic work to get me an admin right session to run Fiddler.

Do you think the Azure AD forum might have more information on this case?

Thank you,

Justin

Answer 5

Hello Justin G 99,

I am aware that you are using the authentication-authorization descibed in the link that you are referring to. If you have issues getting the fiddler, you might consider using IE Developer tools, the Developer Tools in other browsers.
However, since I am not an Expert in Active Directory, I request you to post your question in Active Directory Forums. You can follow the link below to post your question in Active Directory Forum:

https://social.msdn.microsoft.com/Forums/en-US/home?forum=WindowsAzureAD

Thanks,
Syed Irfan Hussain

Answer 6

Looks like some moderators are bouncing this forum post around, I will just post a new one to AAD.

Thank you for looking to this Syed.

Justin

Answer 7

We have an Azure Web App that is hosting a Silverlight RIA Services application that is using Authentication / Authorization integrated with an Azure Active Directory.  I most cases this application is working well but in on one corporate network the session is being lost with the client app.  In general, periodically the web services stop responding and if you refresh it redirects to the Microsoft login page again.  We can also see in the IIS logs that the cs_username goes from showing the user to nothing, so we can see when the user session just drops out.  All of this leads us to conclude that somehow the session has been lost or broken.

We have been able to confirm this is not a timeout issue as the timeout is very high for the session and we send a keep alive web service call every 15 seconds to try and keep any timeouts from occurring.  Also, the session cookieless attribute is not set, so it should be defaulting to a cookie based session.

We are trying to get Fiddler going on a system, but the desktops are locked down and IT approval is difficult for admin rights.  At least one particular user with the issue is running IE9.

Again this is only happening in on one corporate network  and not elsewhere so we think this may have to do with something in that network that could cause the session to be lost.

What could be causing this issue?  Are there any in depth documents on how a web app with authentication/authorization configured inter-operates with AD?

Thank you,

Justin

Answer 8

Hello Justin G 99,

I have checked on this with our Operations Team (including the Active Directory) and they would want to look into this issue further. I request you to create a Support Ticket with us to be able to check on this.

You can follow the link below and choose Technical to create a Support Ticket with us:

http://azure.microsoft.com/en-in/support/options/

Thanks,
Syed Irfan Hussain

Answer 9

Hi Justin. Sorry for not seeing this post until now. This doesn't sound like an AAD issue.  My initial guess is that somehow the session cookie is getting lost.  It would be ideal if you were able to get a Fiddler trace to see what the browser is able to send, though I understand this may be difficult.  A few additional questions to help narrow down the issue:

1. What kind of browser is being used on the network which shows this problem?
2. Do you know about how long the session lasts before being lost?
3. You mentioned only one network is affected. Do the working networks use the same application?
4. Are there any proxies that may be getting involved?

Thanks,
~ Chris

Answer 10

Chris,

No problem, we do have a ticket open and have been working with support.  We have hit a bit of a snag and are waiting for IT to help us address this issue from the client side.  We can see the federated cookies dropping off in the IIS logging, so something is killing the cookie or session on the client side.

1. What kind of browser is being used on the network which shows this problem?
   IE9 and it is dropping the cookie around every 20 minutes
   Chrome (not sure of the version) losing the cookie almost immediately
2. Do you know about how long the session lasts before being lost?
   See the above answer
3. You mentioned only one network is affected. Do the working networks use the same application?
   Yes they do and they do not have this issue
4. Are there any proxies that may be getting involved?
   I keep asking there IT and no answer yet.  However, this last weekend we tried a new computer system all together and the problem abated at least for a while. 

I will keep pushing their IT to get more answers on all of this.  Even if we can just hop on some other computers without this configuration, I would like to know what is the root cause.

Thank you,

Justin