Hi all!
Dynamics on premise, exposed with ADFS 3.0 and ADFS PROXY.
So I have this scenario:
1 VM for SQL (LAN)
1 VM for Dynamics (LAN)
2 VMs for DNS and DC (LAN)
1 VM for ADFS (LAN)
1 VM for ADFS proxy (DMZ)
After a Windows Update for Windows 2012 R2 on the ADFS and ADFS PROXY VMs, it stopped authenticating from outside.
When I try opening the https URL, it loops until an error.
On the LAN, it works.
On the browser client I get this error:
Activity ID: 00000000-0000-0000-5000-0080000000d0
Relying party: CRM CLAIMS RELYING PARTY
Error time: Tue, 24 Mar 2020 07:53:03 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
On the ADFS server I can find this log:
Error ID 364
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
https://mydynamics.mydomain.com/
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
On the ADFS server, enabling AD FS tracing, these 3 errors:
- Error 1
Detected an instance where RP is not configured properly, and requesting tokens repeatedly
- Error 2
Exception: MSIS7042: The same client browser session has made '6' requests in the last '2' seconds. Contact your administrator for details.
StackTrace: at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
- Error 3
Passive pipeline error
On the ADFS proxy:
Error ID 224
User: NETWORK SERVICE, Event ID 224
The federation server proxy configuration could not be loaded correctly from the configuration file ''.
Additional Data
Error:
User Action: A configuration element specified in the data above is misconfigured. Correct the specified error in the AD FS configuration database.
This happens with different clients and different browsers (no trusted-sites or protected-mode setting in IE works).
I just rebooted the CRM DYNAMICS VM, the ADFS VM and the ADFS PROXY VM, with no success.
Thanks, ask me for details.
M