Troubleshooting WIF ID3206 Error

Problem Statement

While browsing to a WIF-enabled application at https://myApplication/WebAppHome, we get the following error:

ID3206: A SignInResponse message may only redirect within the current web application: '/DPWebApps' is not allowed.

However, the same application works when we browse to it with a trailing slash ("/"), i.e. https://myApplication/WebAppHome/

The goal is to troubleshoot the ID3206 exception.


Research

This issue occurs when the URL of the relying party lacks a trailing forward slash. The check behind ID3206 is the one that restricts the return URL carried back in the sign-in response to the current web application, so that a sign-in response cannot send the browser anywhere else; the workarounds below keep that check in place and only normalise the application root URL so that it passes.

After some research we found that this is a known issue. The following threads discuss it:

https://social.msdn.microsoft.com/Forums/en-US/6c522ab2-bd5f-4cd0-a07b-98c36c78b0ef/please-vote-for-microsoft-connect-issue-federationexception-id3206-a-signinresponse-message

https://social.msdn.microsoft.com/Forums/vstudio/en-US/adcdd533-d5e3-4af9-b3f5-b9a6d06b5c44/id3206-a-signin-response-may-only-redirect-within-the-current-web-application-url-is-not-allowed


Workarounds

Several workarounds are available; they are listed below:


  1. Derive from WSFederationAuthenticationModule and override RedirectToIdentityProvider, then register the derived module in web.config in place of the stock WSFederationAuthenticationModule, so that the sign-in redirect carries a slash-terminated return URL.

using System;
using System.Web;
using System.IdentityModel.Services;   // WIF 4.5 (.NET 4.5+); for WIF 3.5 use Microsoft.IdentityModel.Web

public class FixedWSFederationAuthenticationModule : WSFederationAuthenticationModule
{
    public override void RedirectToIdentityProvider(string uniqueId, string returnUrl, bool persist)
    {
        // First check whether the return URL lacks a trailing "/"
        if (!returnUrl.EndsWith("/"))
        {
            // Compare Request URL + "/" with the Realm so that only root access is corrected:
            // https://localhost/AppName plus "/" equals https://localhost/AppName/.
            // Deeper (MVC) URLs such as https://localhost/AppName/Home/Index are left alone.
            // Note: AbsoluteUri includes any query string, so a root request that carries
            // one will not match the Realm and will not be corrected.
            if (String.Compare(HttpContext.Current.Request.Url.AbsoluteUri + "/", base.Realm,
                               StringComparison.InvariantCultureIgnoreCase) == 0)
            {
                // Add the trailing slash
                returnUrl += "/";
            }
        }

        base.RedirectToIdentityProvider(uniqueId, returnUrl, persist);
    }
}


  2. Or, you can add a handler in Global.asax like the one below, which detects a "no-trailing-slash" request for the application root and redirects to the same path with the slash appended.

// Global.asax.cs
private void Application_BeginRequest(object sender, EventArgs e)
{
    // Only the application root is affected: Request.Path equals Request.ApplicationPath
    // (e.g. "/WebAppHome") but does not end with "/". Deeper paths are left alone.
    if (String.Compare(Request.Path, Request.ApplicationPath, StringComparison.InvariantCultureIgnoreCase) == 0
        && !Request.Path.EndsWith("/"))
    {
        // Request.Path carries no query string; append Request.Url.Query so it is not lost.
        Response.Redirect(Request.Path + "/" + Request.Url.Query);
    }
}


  3. Or, this can also be handled in the Application_Error method of Global.asax, by catching the ID3206 failure after the fact and sending the browser to the slash-terminated root, which then triggers a fresh, working sign-in.

// Global.asax.cs
protected void Application_Error(object sender, EventArgs e)
{
    // Server.GetLastError() may hand back an HttpUnhandledException that wraps the
    // real exception; GetBaseException() unwraps it.
    Exception ex = Server.GetLastError().GetBaseException();

    if (ex.Message.StartsWith("ID3206:"))
    {
        if (String.Compare(Request.Path, Request.ApplicationPath, StringComparison.InvariantCultureIgnoreCase) == 0
            && !Request.Path.EndsWith("/"))
        {
            Server.ClearError();                 // discard the error so no error page is rendered
            Response.Redirect(Request.Path + "/");
        }
    }
}

Here ex is the exception returned by Server.GetLastError(). Matching on the "ID3206:" message prefix couples the code to WIF's error text, so this is the least robust of the workarounds.


  4. Other workarounds involve adding a URL Rewrite rule in IIS that redirects a request for the bare application root to the same URL with a trailing slash, before the WIF module ever sees the request.
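As an added example for the IIS URL Rewrite variant (this is not from the original post), the rule below goes in the site-level (root) web.config and redirects a request for the bare application root to the slash-terminated form. The application path WebAppHome is taken from the problem statement; the rule name and the choice of a permanent redirect are assumptions, and the rule requires the IIS URL Rewrite module to be installed.

```xml
<!-- Added example, not from the original post: site-level (root) web.config.
     Assumes the WIF application is mounted at /WebAppHome and that the
     IIS URL Rewrite module is installed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Add trailing slash to WIF application root" stopProcessing="true">
          <!-- Match only the bare application root; the ^...$ anchors keep
               /WebAppHome/Home/Index and other routes untouched. -->
          <match url="^WebAppHome$" ignoreCase="true" />
          <!-- Redirect the browser (rather than rewriting server-side) so that the URL
               the WIF module later sees, and puts into the return URL, ends with "/".
               appendQueryString="true" keeps any query string on the redirected URL. -->
          <action type="Redirect" url="{R:0}/" redirectType="Permanent" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

URL Rewrite runs at the BeginRequest stage, ahead of the authentication stage in which the WIF module acts, so the browser is sent to https://myApplication/WebAppHome/ before any sign-in redirect is issued. Check it with curl -I https://myApplication/WebAppHome and confirm a 301 whose Location header ends with "/". If the rule is placed in the application's own web.config instead of the site root, the matched URL is relative to that application, so the match pattern would need to be ^$ rather than ^WebAppHome$. Browsers cache a Permanent (301) redirect; use redirectType="Found" while testing if you expect to change the rule.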

Comments

  • Anonymous
    February 01, 2017
    A better place I would choose is to override WSFederationAuthenticationModule.GetReturnUrlFromResponse.