Event ID 678 — Federation Service Malformed Requests

Updated: December 3, 2008

Applies To: Windows Server 2008 R2

yellow

Federation Service Malformed Requests logs information about incorrectly configured or missing data values that reside in the trust policy, along with information about client cookie issues and sign-on issues.

Event Details

Product: Windows Operating System
ID: 678
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: InfiniteLoopDetected
Message: The Federation Service rejected a token request because it appeared to duplicate a successful request that was granted to the same client browser session within the last %2 seconds.
Target: %1
Duplication period (seconds): %2

This failure generally indicates that the target is not receiving cookies that it writes. If this condition is caused by a server-side configuration error, it may indicate that all requests to the target are failing.

User Action
Ensure that the client browser is configured to accept cookies from the target site.

Ensure that the cookie path and cookie domain are correctly configured at the target Federation Service or web agent.
%Ensure that the return URL that is specified in the Web Agent matches the application URL that is specified in the Federation Service.

Resolve

Examine the cookie settings in the client browser and in the web.config file

Ensure that the client browser is configured to accept cookies from the target site.

Ensure that the cookie path and cookie domain are configured correctly for the Web application on the Web server.

If the Web application is a claims-aware application, the cookie path and cookie domain are specified in web.config file for the application.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check that the claims-aware application is configured with correct cookie values:

  1. On the Web server, locate the web.config file that is used by your claims-aware application, and then open it with Notepad. This file should be located in \inetpub\wwwroot\virtualdirectory, where your claims-aware application files are stored.
  2. Check to make sure that the CookiePath and CookieDomain tags have valid values.

If the Web application is a Windows NT token-based application, the cookie path and cookie domain are specified in the AD FS Windows Token-Based Agent dialog box for the application's virtual directory in Internet Information Services (IIS).

To check that the Windows token-based agent is configured with correct cookie values:

  1. On the Web server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click YourComputerName(local computer).
  3. In the console tree, double-click Sites, and then click YourWebSiteName.
  4. In the center pane, double-click Authentication, highlight AD FS Windows Token-Based Agent, and then in the Actions pane click Edit.
  5. In the AD FS Windows Token-Based Agent dialog box, confirm that the Enable AD FS Web Agent check box is selected.
  6. Make sure that the following values are valid, and then click OK.
    • Cookie path
    • Cookie domain

The cookie path should match exactly the virtual directory of the application in IIS. The path name is case sensitive.

For more information about cookies, see Cookies used by ADFS (http://go.microsoft.com/fwlink/?LinkId=64775).

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

Related Management Information

Federation Service Malformed Requests

Active Directory Federation Services

Community Additions

ADD
Show: