{"id":426,"date":"2018-04-18T12:32:35","date_gmt":"2018-04-18T11:32:35","guid":{"rendered":"http:\/\/blogs.kent.ac.uk\/unseenit\/?p=426"},"modified":"2018-04-18T12:33:00","modified_gmt":"2018-04-18T11:33:00","slug":"azure-mfa-session-login-oddness","status":"publish","type":"post","link":"https:\/\/blogs.kent.ac.uk\/unseenit\/azure-mfa-session-login-oddness\/","title":{"rendered":"Azure MFA session login oddness"},"content":{"rendered":"

We’ve been trialing the Azure MFA on-premises service for a while and have had a very annoying issue whereby some users in some browsers are able to log in to the web portal fine but, as soon as they try to do anything there, are returned to the login screen.<\/p>\n

After a lot of digging, https:\/\/blog.msresource.net\/2016\/05\/13\/azure-multi-factor-authentication-server-portal-looping-layer-8-issue\/<\/a> provided a hint to our issue. Some browsers are requesting \/favicon.ico<\/tt> and going through a redirect in IIS which means that request ends up re-requesting \/...\/Login.aspx<\/tt> which, for some reason, invalidates their real session.<\/p>\n

That blog post was using Application Request Routing which we were not so their fix wasn’t applicable to us.<\/p>\n

Instead, we were using basic IIS HTTP Redirect:<\/i><\/p>\n

\"\"<\/p>\n

Our fix was to add a URL Deny rule in Request Filtering:<\/p>\n

\"\"<\/p>\n

 <\/p>\n

This appears to have solved the issue! \ud83d\ude42<\/p>\n

 <\/p>\n

The resultant web.config now looks like:<\/p>\n

<configuration>\r\n <system.webServer>\r\n   <httpRedirect enabled=\"true\" destination=\"https:\/\/xxx.kent.ac.uk\/MultiFactorAuth\"\r\n                 exactDestination=\"true\" childOnly=\"true\" \/>\r\n   <security>\r\n     <requestFiltering>\r\n       <denyUrlSequences>\r\n         <add sequence=\"favicon.ico\" \/>\r\n       <\/denyUrlSequences>\r\n     <\/requestFiltering>\r\n   <\/security>\r\n <\/system.webServer>\r\n<\/configuration><\/pre>\n","protected":false},"excerpt":{"rendered":"
We’ve been trialing the Azure MFA on-premises service for a while and have had a very annoying issue whereby some users in some browsers are … Read more<\/a><\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[862,28951],"tags":[197208,197207,197209,155556,197210],"_links":{"self":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/426"}],"collection":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/comments?post=426"}],"version-history":[{"count":2,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/426\/revisions"}],"predecessor-version":[{"id":430,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/426\/revisions\/430"}],"wp:attachment":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/media?parent=426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/categories?post=426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/tags?post=426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}