Jump to content

SAML Infinite Loop after Windows Update


Recommended Posts

Hi Everyone,

 

We've been made aware that two recent Windows Updates (KB4530689 on Windows Server 2016 and KB4533013 on Windows Server 2019), have caused an infinite authentication loop with SAML authentication - with any SAML provider.  **EDIT we also think KB4533011 is the patch on Server 2012R2, but have not tested this at this point in time**)

We believe we've identified the change in behavior these Windows Updates have caused, and are currently working on a fix.

 

In the interim, the two possible workarounds are:

 

We have now released Build 8844 which resolves this issue. Please use one of the following suggested upgrade methods outlined in the following document - https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf

Regards

Click Studios

 

Link to post
Share on other sites
  • 3 weeks later...

Would it be possible for the developers to provide any details how they resolved the issue? I assuming there were code changes done to warrant a new build. 

I have another application that ran into the same issue and the there wasn't any info on the microsoft site to suggest why SAML authentication are now failing. 

Link to post
Share on other sites

Hi Pongsatorn,

 

I can request this information from our lead developer and will post back here when I know more.  he is on holidays at the moment, (quietest time of the year for us), so it may take a bit of time before I can get hold of him.

 

I can confirm that there definitely were some code changes though, I just don't know what they were.

 

regards,

Support

Link to post
Share on other sites

Hello Pongsatorn,

 

What we found with this is that all sessions on IIS no longer existing when returning from the SAML provider, and they previously did - so we needed to query the database a second time and set the session variables.

So we're not exactly sure what Microsoft did to cause this, but it did kill your session in IIS - possibly killing/clearing the ASP.NET session cookies as well.

I hope this helps.

Regards

Click Studios

Link to post
Share on other sites

Not sure what Microsoft did to cause this in the Dec security update as well but the missing asp.net session cookie may be related to the upcoming changes to samesite cookie

 

https://support.microsoft.com/en-au/help/4522904/potential-disruption-to-customer-websites-in-latest-chrome

https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...