Load balancing and FBA claims


As Steve Peschka posted on his blog some time ago, claims authentication requires some form of affinity on the load balancer, so that a user stays on the same server for the duration of the session.
See:

http://blogs.technet.com/b/speschka/archive/2011/10/28/make-sure-you-know-this-about-sharepoint-2010-claims-authentication-sticky-sessions-are-required.aspx
http://technet.microsoft.com/en-us/library/cc288475.aspx

Important:

You need to set network load balancing to single affinity when using claims-based authentication. If you use SAML token-based authentication with AD FS on a SharePoint Foundation 2010 farm that has multiple Web servers in a load-balanced configuration, there will be an effect on the performance and functionality of client Web-page views. When AD FS provides the authentication token to the client, that token is submitted to SharePoint Foundation 2010 for each permission-restricted page element. If the load-balanced solution is not using affinity, each secured element is authenticated to more than one SharePoint Foundation 2010 server, which will result in rejection of the token. After the token is rejected, SharePoint Foundation 2010 redirects the client to authenticate again back to the AD FS server. After this occurs, an AD FS server will reject multiple requests that are made in a short time period. This behavior is by design, to protect against a denial of service attack. If performance is adversely affected or pages do not load completely, set network load balancing to single affinity. This isolates the requests for SAML tokens to a single Web server.

For information about configuring Active Directory Federation Services (AD FS) 2.0 in SharePoint Foundation 2010, see How to configure AD FS v 2.0 in SharePoint Foundation 2010.

 

These articles are actually specifically about federated claims, but a recent problem at a customer running forms-based authentication showed that the same applies to FBA claims. What you can see in the ULS entries below is that requests for resources from the same library, for the same page render, go through one server one time and through the other server the next. One time it fails, the other time it succeeds.
The bizarre thing about this problem is that it happens very sporadically. For hundreds, if not thousands, of requests everything goes fine, and then suddenly it goes wrong, even though the requests were spread over both servers during those preceding thousands as well.
It is not yet known exactly what causes it.

However, as long as you make sure that, during the lifetime of the FedAuth cookie (which SharePoint uses to look up and authorize the user token), a user does not end up on a different server than the one where the cookie was generated, you will not have the problem.

Request 1

Timestamp Process TID Area Category EventID Level Message Correlation

06/21/2012 00:50:03.59 w3wp.exe (SERVER33:0x1448) 0x0E90 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://uk-applicatie-ut-pb.Klant.com/PublishingImages/Klant.U2.Images/bg-body.gif) 39f695df-034c-4cf5-bfb7-822ae2b18aaa

06/21/2012 00:50:03.59 w3wp.exe (SERVER33:0x1448) 0x0998 SharePoint Foundation General af71 Medium HTTP Request method: GET 39f695df-034c-4cf5-bfb7-822ae2b18aaa

06/21/2012 00:50:03.59 w3wp.exe (SERVER33:0x1448) 0x0998 SharePoint Foundation General af75 Medium Overridden HTTP request method: GET 39f695df-034c-4cf5-bfb7-822ae2b18aaa

06/21/2012 00:50:03.59 w3wp.exe (SERVER33:0x1448) 0x0998 SharePoint Foundation General af74 Medium HTTP request URL: /PublishingImages/Klant.U2.Images/bg-body.gif 39f695df-034c-4cf5-bfb7-822ae2b18aaa

06/21/2012 00:50:03.60 w3wp.exe (SERVER33:0x1448) 0x0E90 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://uk-applicatie-ut-pb.Klant.com/PublishingImages/Klant.U2.Images/bg-body.gif)). Execution Time=12.1881412302402 39f695df-034c-4cf5-bfb7-822ae2b18aaa

 

Request 2

Timestamp Process TID Area Category EventID Level Message Correlation

06/21/2012 00:50:03.49 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://uk-applicatie-ut-pb.Klant.com/PublishingImages/POImage_logo_gb_en-GB.png) 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Claims Authentication fsq7 High Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The security token username and password could not be validated.. 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Claims Authentication 0000 Unexpected Could not rebuild forms user token. 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x0914 SharePoint Foundation General af71 Medium HTTP Request method: GET 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x0914 SharePoint Foundation General af75 Medium Overridden HTTP request method: GET 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x0914 SharePoint Foundation General af74 Medium HTTP request URL: /PublishingImages/POImage_logo_gb_en-GB.png 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.52 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Logging Correlation Data xmnv Medium Site=/ 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.52 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (PostRequestExecuteHandler). Execution Time=11.3106554045277 8e77396a-0c94-4b52-9555-63d58aa804cc

06/21/2012 00:50:03.52 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://uk-applicatie-ut-pb.Klant.com/PublishingImages/POImage_logo_gb_en-GB.png)). Execution Time=44.8073707691899 8e77396a-0c94-4b52-9555-63d58aa804cc
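To find these sporadic failures in a larger ULS export, the entries can be grouped by correlation ID and counted per web front end. The script below is an added example, not part of the original post; the function names are hypothetical and it assumes whitespace-separated lines as displayed above (real ULS files are tab-delimited).

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied from the trace in this post
# (one request per server, the second one with the token errors).
SAMPLE = """\
06/21/2012 00:50:03.59 w3wp.exe (SERVER33:0x1448) 0x0E90 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://uk-applicatie-ut-pb.Klant.com/PublishingImages/Klant.U2.Images/bg-body.gif) 39f695df-034c-4cf5-bfb7-822ae2b18aaa
06/21/2012 00:50:03.49 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://uk-applicatie-ut-pb.Klant.com/PublishingImages/POImage_logo_gb_en-GB.png) 8e77396a-0c94-4b52-9555-63d58aa804cc
06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The security token username and password could not be validated.. 8e77396a-0c94-4b52-9555-63d58aa804cc
06/21/2012 00:50:03.51 w3wp.exe (SERVER32:0x284C) 0x1920 SharePoint Foundation Claims Authentication 0000 Unexpected Could not rebuild forms user token. 8e77396a-0c94-4b52-9555-63d58aa804cc
"""

# One ULS line: timestamp, process (SERVER:0xPID), thread id, free text, correlation GUID.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} [\d:.]+)\s+\S+\s+\((?P<server>[^:]+):0x[0-9A-Fa-f]+\)\s+"
    r"0x[0-9A-Fa-f]+\s+(?P<rest>.*?)\s+"
    r"(?P<corr>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*$"
)
REQUEST = re.compile(r"Name=Request \((?P<method>[A-Z]+):(?P<url>[^)]+)\)")
# Messages that mark the failed token rebuild in the trace above.
TOKEN_ERRORS = (
    "Request for security token failed",
    "An exception occurred when trying to issue security token",
    "Could not rebuild forms user token",
)

def summarize(text):
    """Group ULS lines by correlation ID: serving server, URL, token errors."""
    reqs = defaultdict(lambda: {"server": None, "url": None, "errors": []})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a ULS entry (header row, blank line)
        r = reqs[m["corr"]]
        r["server"] = m["server"]
        req = REQUEST.search(m["rest"])
        if req:
            r["url"] = req["url"]
        r["errors"] += [e for e in TOKEN_ERRORS if e in m["rest"]]
    return dict(reqs)

def failures_per_server(reqs):
    """Return {server: (requests with a token error, total requests)}."""
    out = defaultdict(lambda: [0, 0])
    for r in reqs.values():
        out[r["server"]][1] += 1
        out[r["server"]][0] += bool(r["errors"])
    return {s: tuple(v) for s, v in out.items()}
```

Run over the merged logs of all web front ends, a non-zero failure count on servers that otherwise serve the same users is the pattern described above and a reason to check the affinity setting on the load balancer.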

 

Good luck!!!

