After updating SharePoint On-Premises with ADFS some users can't work because of old Auth-Cookie (MSIS7042)

Benjamin Freitag 101 Reputation points
2020-08-14T13:17:17.53+00:00

We already made a few updates from SharePoint 2013 to 2016 or 2019 successfully. When using ADFS-Authentication and preserving the same SiteCollection-URL on the new SharePoint Server, some users may still have an Authentication-Cookie for the URL but they can't work anymore with the new SharePoint until they log out from ADFS and log in again (either via Logout-Link https://adfsurl/adfs/ls/?wa=wsignout1.0 or by deleting all Browser-Cookies). The detailed error in ADFS is: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds.

We have never experienced such issues in production in years, only when updating/moving the SiteCollection to a new SharePoint server. So I think this is not a general configuration-issue but has to do with the actual SharePoint-Server-Upgrade and outdated/obsolete user-cookies.

What can we do to prevent this issue when performing a SharePoint-Update?

SharePoint Server
A family of Microsoft on-premises document management and storage systems.
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

3 answers

  1. Emily Du-MSFT 48,646 Reputation points Microsoft Vendor
    2020-08-17T09:28:31.95+00:00

    This issue is more related to the lifetime of tokens. You could change the LogonTokenCacheExpirationWindow to be less than the SAML TokenLifetime with the following PowerShell command.

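    # Read the farm's Security Token Service configuration
    $sts = Get-SPSecurityTokenServiceConfig
    # Set the logon token cache expiration window to 1 minute
    $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
    $sts.Update()
    # Restart IIS so the change takes effect
    iisreset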
    

    For more detailed information, you could refer to the article below.

    The same client browser session has made '6' requests in the last '11' seconds.
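
A way to check the relationship the answer above describes before and after a migration, as an added example that is not part of the original thread. `Test-StsTokenWindow` is a hypothetical helper name, the trust name is a placeholder, and the 480-minute input is a constructed sample value.

```powershell
# Added example (not from the thread). Run in the SharePoint Management Shell.
# Test-StsTokenWindow is a hypothetical helper name.
function Test-StsTokenWindow {
    param(
        # TokenLifetime of the SharePoint relying party trust, in minutes, as read
        # on the ADFS server: (Get-AdfsRelyingPartyTrust -Name '<trust name>').TokenLifetime
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$AdfsTokenLifetimeMinutes
    )

    # ADFS reports 0 when the trust uses the default lifetime of 60 minutes.
    if ($AdfsTokenLifetimeMinutes -eq 0) { $AdfsTokenLifetimeMinutes = 60 }

    $sts      = Get-SPSecurityTokenServiceConfig
    $window   = $sts.LogonTokenCacheExpirationWindow
    $lifetime = New-TimeSpan -Minutes $AdfsTokenLifetimeMinutes

    # SharePoint treats the session as expired once (lifetime - window) has elapsed.
    $usable = $lifetime - $window

    [pscustomobject]@{
        AdfsTokenLifetime = $lifetime
        LogonTokenWindow  = $window
        UsableSessionTime = $usable
        # A window >= lifetime means every fresh token already counts as expired,
        # so the browser bounces between SharePoint and ADFS (MSIS7042).
        RedirectLoopRisk  = ($window -ge $lifetime)
    }
}

# Example call with a constructed sample value (8 hours = 480 minutes):
Test-StsTokenWindow -AdfsTokenLifetimeMinutes 480 | Format-List
```

Run it on the old and the new farm with the same ADFS value; a `RedirectLoopRisk` of `True` on either farm means the window has to be lowered as shown in the answer.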


  2. Stewart, Jimmy 6 Reputation points
    2020-09-10T13:03:55.933+00:00

    @BenjaminFreitag-8735 did you ever find a solution to this issue? We started seeing the same issues on one of our SP farms and it is difficult to reproduce for testing. However, in our ADFS logs, we see the error daily from different users. Like you, we have set our ADFS token life to 8 hours and our SharePoint token is set to the default 10 minutes. It would be nice to find out why SharePoint is not accepting the cookie. Our workaround has been to have users open the site in a different browser, but it is not a solution. We have not made any updates to our SP or ADFS farm since this started happening in April 2020, but have applied the monthly security patches to the OS.


  3. Benjamin Freitag 101 Reputation points
    2024-12-10T11:57:53.86+00:00

    We made another migration to SharePoint Server Subscription Edition and ran into the same issue again. SharePoint has this in the Event-Log:

    Cookie signature validation failed. This might indicate an issue with the configured STS Signing Certificate. Input Value: '05.t|adfs|user@mail.com,05.t|adfs|user@mail.com,https://my-sharepoint.com/,....', Signature Bytes: ...

    How can this be prevented? Is it necessary to migrate the STS Signing Certificate from the old SharePoint server to the new one? Or should the ADFS realm be changed?
