Azure MFA session login oddness

We’ve been trialing the Azure MFA on-premises service for a while and have had a very annoying issue whereby some users in some browsers are able to log in to the web portal fine but, as soon as they try to do anything there, are returned to the login screen.

After a lot of digging, https://blog.msresource.net/2016/05/13/azure-multi-factor-authentication-server-portal-looping-layer-8-issue/ provided a hint to our issue. Some browsers request /favicon.ico, and that request goes through a redirect in IIS, which means it ends up re-requesting /.../Login.aspx, which, for some reason, invalidates their real session.

That blog post was using Application Request Routing, which we were not, so their fix wasn’t applicable to us.

Instead, we were using basic IIS HTTP Redirect.

Our fix was to add a URL Deny rule in Request Filtering.

This appears to have solved the issue! 🙂

The resultant web.config now looks like:

<configuration>
 <system.webServer>
   <httpRedirect enabled="true" destination="https://xxx.kent.ac.uk/MultiFactorAuth"
                 exactDestination="true" childOnly="true" />
   <security>
     <requestFiltering>
       <denyUrlSequences>
         <add sequence="favicon.ico" />
       </denyUrlSequences>
     </requestFiltering>
   </security>
 </system.webServer>
</configuration>
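
To confirm the rule is doing its job, request /favicon.ico without following redirects: once Request Filtering denies the sequence the client sees a 404 (IIS logs it with substatus 5), whereas a 3xx means the redirect is still answering. The script below is an added example, not part of the original configuration; `probe` and `start_stand_in` are hypothetical names, and the local stand-in server is constructed so the check runs offline. Point `probe` at your own portal URL for a real check.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


def probe(base_url, path="/favicon.ico", timeout=5):
    """GET path without following redirects; return (verdict, status, location)."""
    parts = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if status == 404:
        verdict = "blocked"      # rejected before the redirect could answer
    elif 300 <= status < 400:
        verdict = "redirected"   # a browser would follow this into the login page
    else:
        verdict = "other"
    return verdict, status, location


def start_stand_in(deny_sequences):
    """Constructed local stand-in: deny listed sequences, redirect everything else."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if any(seq in self.path for seq in deny_sequences):
                self.send_response(404)
            else:
                self.send_response(302)
                self.send_header("Location", "/MultiFactorAuth")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    for label, deny in (("before fix", []), ("after fix", ["favicon.ico"])):
        server, url = start_stand_in(deny)
        print(label, probe(url))
        server.shutdown()
```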
