AD FS 2.x: How to Tune or Disable Infinite Loop Detection (MSISLoopDetectionCookie)

AD FS 2.x: How to Tune or Disable Infinite Loop Detection (MSISLoopDetectionCookie)

AD FS 2.x, by default, writes a cookie to web passive clients named MSISLoopDetectionCookie. This cookie holds a timestamp value and a number of tokens issued value so that AD FS can keep track of how often and how many times a passive client has visited the Federation Service within a specific timespan.

If a passive client visits the Federation Service for a token five (5) times within 20 seconds, AD FS detects this based on the data in the MSISLoopDetectionCookie cookie, and throws an exception, landing the passive client on the AD FS error page as follows:

MSIS7042: The same client browser session has made '{0}' requests in the last '{1}' seconds. Contact your administrator for details.

Entering into infinite loops is often caused by a misbehaving relying party application that is not successfully consuming the token issued by AD FS, and the application is sending the passive client back to AD FS, repeatedly, for a new token. AD FS is willing to issue the passive client a new token each time, as long as they do not exceed 5 requests within 20 seconds. Else, they will land on the AD FS error page as described above.

Also, there may be corner cases where user behavior can trigger this exception. For example, a user may be going back and forth between multiple claims-based relying party applications, and they may be utilizing their browser's Back button in order to navigate. By using the Back button for navigation, the user may trigger a token request to the AD FS server. If the user uses the Back button in the browser rapidly, the user may cause AD FS to throw the infinite loop detection exception.

The steps below describe how to either tune or disable the loop detection mechanism in AD FS 2.x. Microsoft does not recommend disabling the loop detection feature, since it is protecting users from entering into infinite loop scenarios. Microsoft recommends tuning the thresholds of the loop detection feature if you feel you must make a change to the way loop detection is functioning in AD FS.
 
Default values:
enabled="true"
timeIntervalInSeconds="20"
maximumTokensIssuedInInterval="5"

 
Minimum values for the thresholds:
timeIntervalInSeconds="5"
maximumTokensIssuedInInterval="1"

 

Steps

 

  1. Explore to the inetpub directory (typically C:\inetpub)
  2. Explore to \adfs\ls
  3. Edit web.config in Notepad
  4. Scroll to the <microsoft.identityServer.web> section and add the following element to the configuration:

<loopDetection enabled="true" timeIntervalInSeconds="20" maximumTokensIssuedInInterval="5" />

       5. Replace the values above with your desired values
       6. Save and close web.config
       7. Test your infinite loop scenario to ensure the desired results

 

 

Leave a Comment
  • Please add 2 and 8 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • adamlewis06 edited Original. Comment: added correct double-quotes to the integer values

Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • adamlewis06 edited Original. Comment: added correct double-quotes to the integer values

Page 1 of 1 (1 items)