
I have a .Net website using AD user credentials. The website is deployed on IIS 8. The users are frequently unable to log in as the AD server cannot authenticate the user. Username/password are correct. However, if I recycle the application pool then the users are able to log in again. This happens almost every day, sometimes even every couple of hours.

    Imports System.Diagnostics
    Imports System.Web.Security

    ' Controller helper (the signature is assumed; the post shows only the method body).
    Private Function AuthenticateUser(userName As String, password As String) As EAuthenticationResult
        Dim result As EAuthenticationResult = EAuthenticationResult.NotAthorised
        Try
            ' Try each configured membership provider (here the AD provider) in turn.
            For Each provider As MembershipProvider In Membership.Providers
                If provider.ValidateUser(userName, password) Then
                    result = EAuthenticationResult.OK
                    Exit For
                End If
            Next
            'result = EAuthenticationResult.OK ' REMOVE --BRIJESH(Bypass authentication)
            If result <> EAuthenticationResult.OK Then
                ModelState.AddModelError("_FORM", "The username or password provided is incorrect.")
            End If
        Catch ex As Exception
            ' Any exception thrown by ValidateUser lands here. The posted code discarded ex,
            ' which is why the production failure cannot be diagnosed; trace the full
            ' exception (including inner exceptions) before reporting the generic message.
            Trace.TraceError(ex.ToString())
            ModelState.AddModelError("_FORM", "Failed authenticate the user against AD.")
            result = EAuthenticationResult.Failed
        End Try
        Return result
    End Function

The server is load-balanced and currently the issue is occurring on one of the servers. It returns with "Failed authenticate the user against AD." but I am not able to see the details. In the application pool log the following error keeps occurring on the server where the issue happens. Not sure if it is related.

> Event code: 4005  Event message: Forms authentication failed for the
> request. Reason: The ticket supplied has expired.  Event time:
> 20/05/2019 9:15:23 AM  Event time (UTC): 19/05/2019 11:15:23 PM  Event
> ID: 14857b08bdfe4bf996c34404b09c936b  Event sequence: 523  Event
> occurrence: 25  Event detail code: 50202  Application information: 
> Application domain:
> /LM/W3SVC/1/ROOT/StudentSupportServices-1-132027582820585785  Trust
> level: Full  Application Virtual Path: /StudentSupportServices 
> Application Path:
> D:\Inetpub\legacyprivate\eduweb.StudentSupportServices\wwwroot\ 
> Machine name: PRWWWFN03  Process information:  Process ID: 6704 
> Process name: w3wp.exe  Account name: *****  Request information: 
> Request URL: **** Request path: *** User host address: *****  User: 
> Is authenticated: False  Authentication Type:  Thread account name:
> ****  Name to authenticate:  Custom event details:
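
Added example, not code from the post: a variant of the provider loop that isolates each provider in its own Try block, so one provider throwing (for example a stale AD connection that only recovers after an app-pool recycle) neither hides the other providers nor loses the exception detail. It assumes the `EAuthenticationResult` enum from the post and a configured trace listener; the `ValidateWithDiagnostics` name is hypothetical.

```vb
Imports System.Diagnostics
Imports System.Web.Security

Public Module ProviderDiagnostics

    ' Validates the credentials against every configured provider in turn.
    ' A provider that throws does not abort the loop: the failure is traced with
    ' the provider name and the full exception (ex.ToString() includes inner
    ' exceptions such as LDAP/COM errors), and the remaining providers are tried.
    Public Function ValidateWithDiagnostics(userName As String, password As String) As EAuthenticationResult
        Dim result As EAuthenticationResult = EAuthenticationResult.NotAthorised
        Dim failures As Integer = 0

        For Each provider As MembershipProvider In Membership.Providers
            Try
                If provider.ValidateUser(userName, password) Then
                    Trace.TraceInformation("Provider '{0}' accepted user '{1}'", provider.Name, userName)
                    Return EAuthenticationResult.OK
                End If
                Trace.TraceInformation("Provider '{0}' rejected user '{1}'", provider.Name, userName)
            Catch ex As Exception
                failures += 1
                ' Never trace the password; the user name and exception are enough to diagnose.
                Trace.TraceError("Provider '{0}' threw for user '{1}': {2}", provider.Name, userName, ex.ToString())
            End Try
        Next

        ' Report Failed only when no provider could be consulted at all;
        ' a clean rejection by every provider stays NotAthorised.
        If failures > 0 AndAlso failures = Membership.Providers.Count Then
            result = EAuthenticationResult.Failed
        End If
        Return result
    End Function

End Module
```

With a listener such as the default trace output or an EventLogTraceListener configured in web.config, the traced exception identifies which provider fails before the recycle, which is the detail the Event 4005 entry above does not carry.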

  • You didn't reveal enough code (like the actual authentication code), so it is impossible to tell what's wrong (like exceptions). Use application logging or a debugger to collect more data and you might be able to locate the culprit. – Lex Li May 21 '19 at 01:24
  • You have not got the refresh set up for your authentication. [token-refresh](https://social.technet.microsoft.com/Forums/windowsserver/en-US/7323360b-0e41-466b-9175-5d6c3991ce42/oauth-refresh-token-and-how-to-refresh-that?forum=ADFS). So it's working as designed. Each authentication has a limited lifespan after which the user should log in again. Whatever authentication logic you've got set up on your website needs to handle the refresh of the token. – lloyd May 21 '19 at 03:31
  • Either expand your token refresh [oauth token refresh](https://stackoverflow.com/questions/42079767/using-adfs-oauth-refresh-token) (not recommended) or handle the refresh properly. See [nuget adfs packages](https://www.nuget.org/packages?q=Tags%3A%22SSO%22+adfs) that are related to adfs auth workflow. – lloyd May 21 '19 at 03:33
  • Added: It is on purpose that the user needs to re-login to the website. The issue was that when the user types in the username/password and clicks login, the provider.ValidateUser function directly throws an exception, unless the application pool is recycled. I am not able to get exception details now as this is a PROD-only issue. And if I debug locally it will not happen. – Kevin Shen May 21 '19 at 03:49

0 Answers