
WsFederationAuthentication stops issuing .AspNet.ExternalCookie at random

Nov 27, 2015 at 9:51 AM
Edited Nov 27, 2015 at 9:57 AM
I have this problem that to me looks like a serious bug in the WsFederationAuthentication in this library. And I'm hoping one of the developers on this project will take time to read my description.

I have a website running on IIS 8/Windows 2012 that uses Microsoft.Owin.WsFederationAuthentication against an ADFS 2.0 server on Windows 2012. The login process runs smoothly for a period after each app restart/recycle, and then after a random period it will stop issuing the .AspNet.ExternalCookie for all users. When this happens the application stops issuing this cookie for all users and all logins until the web application is restarted or the application pool is recycled.

I have examined and compared the form data and the cookies posted to the web site by the page generated after the last visit to /adfs/ls, and can see no differences in the RequestSecurityTokenResponse between successful logins and failed logins. I've also confirmed that the post data contains a WsFedOwinState=<string> in the wctx form data.

The only difference between the two POSTs is that there is no .AspNet.ExternalCookie in the response when the login stops working. This will cause the login to fail, because I get a null back when I call into the middleware to get loginInfo during login using "await OwinContext.Authentication.GetExternalLoginInfoAsync()".

I've enabled logging for the middleware by setting up <system.diagnostics> in my web config, hoping that one of the log statements in the WsFederationAuthenticationHandler could tell me something. Unfortunately nothing comes out in the Microsoft.Owin log I've created when logins fail. I've checked the source code for the WsFederationAuthenticationHandler, and noticed that there are a number of places where the AuthenticateCoreAsync method, which I'm guessing handles the post, returns null without logging anything, which makes it difficult to know exactly what goes wrong.

I've had this problem in production on three different site setups across two different servers, and I'm starting to think this is a bug that has to be corrected in the source code.

Jesper Hauge
Dec 21, 2015 at 1:22 PM
Did you ever solve this? I am having the same problem with the .AspNet.ApplicationCookie, but only on a live IIS server.