Make Sure You Know This About SharePoint 2010 Claims Authentication – Sticky Sessions Are REQUIRED


Hey folks, I’m here to tell you that I too now have my own story of getting burned by an anomaly of using claims authentication that I wish had been made clearer to me. This is such a fundamental aspect of deploying it that I want to call it out front and center here so that the same thing doesn’t happen to you.

Very simply stated, if you’re using claims authentication, you MUST use affinity in your load balancing solution.  TechNet does describe this, but only as a very brief side note, and not in an appropriately convincing fashion.  The article is at http://technet.microsoft.com/en-us/library/cc288475.aspx and says this:

Note: If you use SAML token-based authentication with AD FS on a SharePoint Foundation 2010 farm that has multiple Web servers in a load-balanced configuration, there might be an effect on the performance and functionality of client Web-page views. When AD FS provides the authentication token to the client, that token is submitted to SharePoint Foundation 2010 for each permission-restricted page element. If the load-balanced solution is not using affinity, each secured element is authenticated to more than one SharePoint Foundation 2010 server, which might result in rejection of the token. After the token is rejected, SharePoint Foundation 2010 redirects the client to authenticate again back to the AD FS server. After this occurs, an AD FS server might reject multiple requests that are made in a short time period. This behavior is by design, to protect against a denial of service attack. If performance is adversely affected or pages do not load completely, consider setting network load balancing to single affinity. This isolates the requests for SAML tokens to a single Web server.

I’ll take the hit for not noticing this and not taking it more seriously, but I’m blogging about it now so hopefully you won’t have to. I’ve italicized the words in the note that clearly do not do this justice (nor should it be a note, for that matter; it should be in big bold letters). If you don’t use affinity, you will see issues like these:

  • You may randomly be redirected back to a login page.
  • You may end up in an authentication loop that causes ADFS to halt the request because of a perceived denial of service (DoS) attack, as the note states.
  • If you look at a trace of the activity, you may see SharePoint set your FedAuth cookie to an expired value and then start making requests to ADFS again. ADFS then, for reasons that are still unclear to me, either won’t issue you a non-expired cookie, or SharePoint looks at the cookie and transforms it into an expired one. That’s what kicks off the DoS cycle I described above. In retrospect, there have been a few cases in the past where folks asked me about this happening to them, and I realize now that the lack of sticky sessions was probably the culprit.

In short, there should be no confusion or waffling on this issue going forward – for SharePoint 2010, if you are going to use claims authentication, USE AFFINITY WITH YOUR LOAD BALANCER!

UPDATE 6/22/2012 – My friend Mark P. correctly points out that this affinity is required for FBA too, as well as SAML claims.  Make sure you are on top of this for both!

Comments (19)

  1. Anonymous says:

    Just wanted to say, thanks for the insight you provide in this post. It is much appreciated.

  3. Anonymous says:

    Hi Steve,

    I hope this will not be required for SP2013, as there is no sticky session required in 2013 because of the Distributed Cache mechanism. Please correct me if I am wrong.

  4. Luis Azedo says:

    Hi Steve,

    As I understand, the cookie issued by one WFE in an NLB is not valid on the other WFEs? If we set affinity to single and then we must bring one WFE down for maintenance, everybody on that WFE will have to re-login, and that's not a desired effect.

    Is there a workaround? Something related to the certificates used?

  5. Steve says:

    Hi Luis, your assessment is correct, and no, there isn't a work-around at this time.

  6. Luis Azedo says:

    Hi Steve and for the reply,

    Do you think that replacing SPTokenCache may be the way? SPTokenCache has an internal SPSecurityTokenCache that keeps the data in memory, and we could provide a database to persist the data, but there are some internal static functions that are called from other classes/methods, so I'm not sure if that's a good way to try to work around it.

  7. Steve says:

    No, I can't personally imagine trying to replace the SPTokenCache.  It's hard to believe that it would be easy or supported.  Certainly a lot more work and lot more unknowns than just enabling affinity on your load balancer.

  8. Vakhtang Agayan says:

    Steve, thank you very much for keeping this blog, it is a constant source of information for solution architects like me. We have just recently encountered this issue and tried to resolve it by using a custom set of CookieTransforms added to the OnServiceConfigurationCreated of global.asax, thinking that the cookie is encrypted using machine's local DPAPI, and this is why the second node would reject it, but it didn't help. In the process we discovered that it looks like the only transform that SPTokenCache is applying to the cookie is DeflateCookieTransform. Without the RsaEncryptionCookieTransform, is the FedAuth cookie secure altogether?

  9. Peter says:

    Hi Steve,

    another question – when you configure ISA for example, you can set either Cookie based or Source-IP based load balance mechanism. Most cases, you need Cookie based. For something executed on the server, you would want Source-IP though in order to make sure the request stays on the same server. How can this be achieved?

    Peter

  10. Peter says:

    Hi Steve,

    Continuing on the above – an example would be calling a web service from WFE1. In this case, if you do not handle the cookies during the calls, you would want the request to stay on WFE1, not go to WFE2 as it will return a 403 in this case.

    Peter

  11. Basudeb Chatterjee says:

    Hi Steve,

    I'm really glad I ran into your post. I have an interesting situation at my current client and I'm trying to figure out if this scenario is even feasible. They want their session to essentially never timeout…ever. The only exception to this is if the user clears their browser cache and the FedAuth cookie is removed.

    So, my first thought was I would set the STS token lifetime to something like 5 years and use persistent cookies. This seems to work fine….until we deploy to a load balanced environment. My theory is that the sticky session in the load balancer has a session timeout of 20 minutes. So, in effect, after 20 minutes of inactivity, the user could hit a different WFE regardless of  the FedAuth cookie that was generated by the STS at the original point of authentication. When this happens, they will need to reauthenticate since the token generated from another WFE will not authenticate properly. Is there an effective way around this? I don't think setting the Sticky Session timeout to something huge is secure or even possible.

    Thanks,

    Basudeb

  12. Mikael Starck says:

    Hi, we are running into a similar problem with a Cisco ACE load balancer. We are using Azure, ACS and Claims Auth to log in to a SharePoint 2010 site behind HTTPS. A problem we have while adding the second Authoring server is what you describe above:
    we get redirected to the Authentication page. ACE however supports SSL ID stickiness, but it cannot terminate it… what is your opinion about that?

    as of:

    http://www.cisco.com/…/sticky.html

    Kindest regards

    Mikael

  13. Jaylan aka Jayla says:

    i luv you steve

    *about to fait*

    call me steve ba by please…anybody know where he is i been looking for him and if you do chat with me on this ecsict computer website

  14. Eric Raff says:

    Sharing a tip about how to know if your sticky session config is really sticky.

    You will need to do this on each of your SharePoint Web Front End servers.

    1) Open IIS Manager and highlight the SharePoint "site" (WebApplication) you are working with.

    2) Go to the HTTP Response Headers and then click Add to add a new HTTP Response header that IIS sends back on all responses.

    3) In the Name: field, put in the name of the HTTP header you want to use. Call it something like X-SPServer. It should start with X- is all. In the Value: field, put in the name of your SharePoint server, or a unique string that will help you identify this particular Server.

    NOTE: This will cause an IIS Reset to take place as this entry gets put into the web.config file of the SharePoint webapp.

    Then when troubleshooting you just need to look at the HTTP response headers using developer tools (F12), Firebug, HTTPFox, Fiddler etc. and it will tell you exactly what SharePoint server you are interacting with, and if it switches to another server, you can easily see that.
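
An added example (not part of the original post or comments) that automates the header check described in the comment above: it walks the response headers of one browser session and reports each point where the marker header changes, and whether that same response also reset the FedAuth cookie to an expired value. The header name `X-SPServer` follows the comment's suggestion; the server names, STS URL and trace are constructed placeholders.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed trace of one browser session, in request order:
# (status, response headers as (name, value) pairs), e.g. copied from Fiddler.
# Server names and the STS URL are placeholders.
SAMPLE_TRACE = [
    (200, [("X-SPServer", "WFE1")]),
    (200, [("X-SPServer", "WFE1")]),
    (302, [("X-SPServer", "WFE2"),
           ("Set-Cookie", "FedAuth=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/"),
           ("Location", "https://sts.example.test/adfs/ls/")]),
    (200, [("X-SPServer", "WFE2")]),
]

def header_values(headers, name):
    """All values of a header; names compare case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]

def resets_fedauth(set_cookie, now):
    """True if this Set-Cookie value gives FedAuth an expiry in the past."""
    parts = [p.strip() for p in set_cookie.split(";")]
    if not parts[0].lower().startswith("fedauth="):
        return False
    for part in parts[1:]:
        if part.lower().startswith("expires="):
            try:
                return parsedate_to_datetime(part[len("expires="):]) <= now
            except (TypeError, ValueError):
                return False  # unparseable date: do not guess
    return False

def find_affinity_breaks(trace, header="X-SPServer", now=None):
    """Return (index, kind, old_server, new_server) for each server switch."""
    now = now or datetime.now(timezone.utc)
    findings, previous = [], None
    for index, (_status, headers) in enumerate(trace):
        servers = header_values(headers, header)
        if not servers:
            continue  # response without the marker header (proxy, cache, STS)
        if previous is not None and servers[0] != previous:
            reset = any(resets_fedauth(c, now)
                        for c in header_values(headers, "Set-Cookie"))
            kind = "switch+fedauth-reset" if reset else "switch"
            findings.append((index, kind, previous, servers[0]))
        previous = servers[0]
    return findings

if __name__ == "__main__":
    for finding in find_affinity_breaks(SAMPLE_TRACE):
        print(finding)
```

An empty result over a long session means the load balancer kept the client on one server; any `switch+fedauth-reset` entry lines up with the forced re-authentication described in the post.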

  15. Richard Weston says:

    Just to make your readers aware. This scenario (same as ours) requires sticky sessions but be even more cautious if you are planning on deploying SharePoint 2010 to Azure VMs as Azure DOES NOT support sticky sessions and as a result you can only get away with using 1 WFE when utilizing claims/fba auth!

    Rich

  16. Jai says:

    Great article, Steve thanks for sharing. I have configured my sticky session to last 60 min. and my fedAuthCookie for 8 hrs. but some users are still experiencing page not found error from time to time.

    PING is my identity provider. any thoughts ?

  17. TPimpao says:

    Hi,

    I'm having some issues in a hardware NLB environment. My question is whether the sticky session requirement applies only to the SharePoint WFE or also to the ADFS WFE?

    My metrics at this time are:

    SharePoint WFE

    – Least Connections

    – Client IP Affinity

    ADFS WFE

    – Least Connections

    – Client IP Affinity

    Thanks.
