locked
IFD Log In Issue (federation passive request) RRS feed

  • Question

  • Hello,

    We have a CRM 2011 system with IFD. Only one user cannot log in CRM, An error has occured followings:

    But other users log in successfully.

    How can I solve this issue?

    Thanx
    Yildiray

    Encountered error during federation passive request.

    Additional Data

    Exception details:

    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '10' seconds. Contact your administrator for details.

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.UpdateLoopDetectionCookie()

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSignInResponse(MSISSignInResponse response)


    Friday, January 4, 2013 12:03 PM

All replies

  • Hello YILDIRAY.KOYUNCU,

    The issue you are experiencing is coming from ADFS so i am moving this post to the the right forum.

    you may also take a look to this link:  http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-fedpassive-request-failures%28WS.10%29.aspx

    for ADFS 2.0  please use: http://social.msdn.microsoft.com/Forums/en-US/geneva/threads/



    Best regards,
    Vishal Swami
    Partner Online Technical Community
    -----------------------------------------------------------------------------------------
    We hope you get value from our new forums platform! Tell us what you think:
    http://social.microsoft.com/Forums/en-US/partnerfdbk/threads
    ------------------------------------------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, January 14, 2013 11:58 AM
  • you are redirecting people to the forum they are already posting their Q in
     
    am I missing something? THIS IS THE �??GENEVA�?� forum
     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------
    <>

    "VishalSwami [MSFT]" wrote in message news:66c99041-bd09-4f52-9403-96a35eb936cc@communitybridge.codeplex.com...

    Hello YILDIRAY.KOYUNCU,

    The issue you are experiencing is coming from ADFS so i am moving this post to the the right forum.

    you may also take a look to this link:  http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-fedpassive-request-failures%28WS.10%29.aspx

    for ADFS 2.0  please use: http://social.msdn.microsoft.com/Forums/en-US/geneva/threads/



    Best regards,
    Vishal Swami
    Partner Online Technical Community
    -----------------------------------------------------------------------------------------
    We hope you get value from our new forums platform! Tell us what you think:
    http://social.microsoft.com/Forums/en-US/partnerfdbk/threads
    ------------------------------------------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Monday, January 14, 2013 7:10 PM
  • The particular error is telling you that CRM is requesting a redirect to ADFS for authentication, ADFS POST's the token back to CRM, and CRM responds saying it needs to go back to ADFS for authentication, and repeat.

    After a few times ADFS catches on and fails the request because it looks questionable.

    You need to figure out why CRM is failing the authn and requesting the user to reauth. My guess is that CRM doesn't see a particular value it needs in the token.


    Developer Security MVP | www.syfuhs.net

    Monday, January 14, 2013 11:58 PM
  • Yildiray,

    I am having the same exact problem with ONE user. See my post here: https://community.dynamics.com/product/crm/f/117/t/101535.aspx

    Hopefully, we can get to the root of this together.

    Wednesday, February 13, 2013 9:40 PM
  • I have just had this same issue, which took me much longer to resolve than I'd like to admit...

    I'm using IE10 and when I tried to login to CRM I would see a redirection loop between ADFS (https://sts.domain.com.au) and CRM (https://crm.domain.com.au) until I got the ADFS error page with this event log error on the ADFS server: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '2' seconds. Contact your administrator for details.

    I already had the CRM server URL as a trusted site in IE, but not the ADFS URL. After trying to fix the issue I found this knowledge base article: http://support.microsoft.com/kb/2514318 and after adding the domain which covers CRM and ADFS to the IE trusted site list (https://*.domain.com.au) I was able to login.

    Such simple things can have such a huge impact.

    Tuesday, May 14, 2013 5:05 AM
  • I'm glad you were able to find a resolution, and that KB certainly seems like a reasonable solution.

    Though I look at the problem and the solution and I'm struggling to find out what the underlying cause is here. I wonder if someone from Microsoft can shed some light on this.

    The only reasonable explanation that I see given the evidence is that Dynamics is doing something funny, possibly with an ActiveX control or something on log in, and this funny thing isn't trusted in certain scenarios.


    Developer Security MVP | www.syfuhs.net


    Tuesday, May 14, 2013 6:08 AM
  • Hi Steve,

    As I recall, SharePoint 2010 exhibits the same behaviour if the RP and AD FS live in different zones, e.g. Trusted and Intranet...

    Regards,

    Mylo

    Tuesday, May 14, 2013 7:08 PM
  • Oh, interesting. I wonder why.

    Guess that shows how little I've touched ADFS directly in the last year. :D


    Developer Security MVP | www.syfuhs.net

    Tuesday, May 14, 2013 11:03 PM
  • Never really looked beyond solving the Ping-Pong behaviour i'm afraid.. neat party trick though ;-)

    Wednesday, May 15, 2013 6:39 PM