Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • Aleksander 45 posts 205 karma points
    Jun 05, 2018 @ 06:59

    Backoffice AD FS login Fails silently after a while. Starts looping

    Hey guys.

    i need your help.

    We're building a solution that relies on AD FS login for the back office. We got the login working fine locally. But the issue is that after the solution's been running for an hour or so i production, the backoffice login stops working and will just loop the user back to the umbraco login screen with no error. To fix this we restart the app pool, but doing this every hour really sucks.

    I noticed that when the login is failing the 302 umbraco cookie that's supposed to contain redirect info like:

    "cookies": [
                  "name": "UMB_EXTLOGIN",
                  "value": "***",
                  "path": "/",
                  "expires": null,
                  "httpOnly": true,
                  "secure": true

    And UMB_UCONTEXT and the like is missing it like so:


    Also it seems like ADFS is authenticating the user as it should, but my guess is since the cookie is missing the umbraco info, that's why the user is just redirected to /umbraco.

    I've also reported this on:

    But i'm still making this post in case that any of you guys have an idea what to do next?

    Here's our ADFS Authentication code if it's of any use. Cheers guys!

    public static class AdfsAuthenticationExtensions
            public static void ConfigureBackOfficeAdfsAuthentication(
                this IAppBuilder app,
                string caption = "AD FS",
                string style = "btn-microsoft",
                string icon = "fa-users")
                var adfsFederationServerIdentifier = ConfigurationManager.AppSettings["AdfsFederationServerIdentifier"];
                var adfsMetadataEndpoint = ConfigurationManager.AppSettings["AdfsMetadataEndpoint"];
                var adfsRelyingParty = ConfigurationManager.AppSettings["AdfsRelyingParty"];
                var wsFedOptions = new WsFederationAuthenticationOptions
                    Wtrealm = adfsRelyingParty,
                    MetadataAddress = adfsMetadataEndpoint,
                    SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
                    Wreply = $"{adfsRelyingParty}umbraco",
                    Notifications = new WsFederationAuthenticationNotifications
                        SecurityTokenValidated = async context =>
                            var idClaim = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier);
                            var name = context.AuthenticationTicket.Identity.Name;
                            var email = context.AuthenticationTicket.Identity.FindFirstValue(ClaimTypes.Email);
                                var userService = ApplicationContext.Current.Services.UserService;
                                var issuer = idClaim.Issuer;
                                var val = idClaim.Value;
                                var userManager = context.OwinContext.GetUserManager<BackOfficeUserManager>();
                                var user = userService.GetByEmail(email);
                                var identity = await userManager.FindByEmailAsync(email);
                                LogHelper.Info(typeof(AdfsAuthenticationExtensions), string.Format("\nADFS USER login : \nID:{0}\nidClaim:{1}\nName:{2}\nEmail:{3}\n", identity.Id , idClaim, name, email));
                            catch (Exception e)
                                LogHelper.Info(typeof(AdfsAuthenticationExtensions), string.Format("\n{0}\nCORRUPT ADFS USER : \nName:{1}\nEmail:{2}\n", e.ToString(), name, email));
                    TokenValidationParameters = new TokenValidationParameters() { ValidAudience = adfsRelyingParty }
                wsFedOptions.ForUmbracoBackOffice(style, icon);
                //important, do this after calling "wsFedOptions.ForUmbracoBackOffice()" since this method 
                // overrides the AuthenticationType property
                wsFedOptions.AuthenticationType = adfsFederationServerIdentifier;
                wsFedOptions.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(autoLinkExternalAccount: true,defaultUserGroups: new string[] { "Writers" }, defaultCulture: "da-DK"));
                wsFedOptions.Caption = caption;
  • Aleksander 45 posts 205 karma points
    Jun 05, 2018 @ 07:25

    in the logs when it's succeeding right after the ADFS Login is resolved we get:

     2018-06-05 09:19:54,136 [P11940/D2/T33] INFO  Umbraco.Core.PluginManager - Resolving umbraco.interfaces.IDiscoverable
     2018-06-05 09:19:54,136 [P11940/D2/T33] INFO  Umbraco.Core.PluginManager - Resolved umbraco.interfaces.IDiscoverable (took 0ms)
     2018-06-05 09:19:54,136 [P11940/D2/T33] INFO  Umbraco.Core.PluginManager - Resolving umbraco.interfaces.ICacheRefresher
     2018-06-05 09:19:54,136 [P11940/D2/T33] INFO  Umbraco.Core.PluginManager - Resolved umbraco.interfaces.ICacheRefresher (took 0ms)
     2018-06-05 09:19:54,198 [P11940/D2/T33] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username ** from IP address **

    None of these are there when it's failing, could it be issues with the plugin manager since it's not even trying to resolve? Or is that again because of the cookie.

  • Lars Nederberg 29 posts 84 karma points
    Jun 07, 2018 @ 07:57
    Lars Nederberg

    Hi Aleksander We have the same problem. It works the first time then we need to restart the app pool to make it work again. Where are you hosting your application? We are running on azure.

    / br Lars

  • Aleksander 45 posts 205 karma points
    Jun 07, 2018 @ 09:40

    I think it's a problem with umbraco itself. I wanted to debug the source code, but i havent been able to add other than umbraco.core, which didn't point me in the right direction.

    We are hosting the app on our clients own servers.

Please Sign in or register to post replies

Write your reply to: