SAML Infinite Loop after Windows Update


Hi Everyone,

We've been made aware that two recent Windows Updates (KB4530689 on Windows Server 2016 and KB4533013 on Windows Server 2019) have caused an infinite authentication loop with SAML authentication, with any SAML provider. (**EDIT: we also think KB4533011 is the patch on Server 2012R2, but have not tested this at this point in time.**)

We believe we've identified the change in behavior these Windows Updates have caused, and are currently working on a fix.

In the interim, the two possible workarounds are:

We have now released Build 8844 which resolves this issue. Please use one of the following suggested upgrade methods outlined in the following document - https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions.pdf

Regards

Click Studios

  • 4 weeks later...

Would it be possible for the developers to provide any details on how they resolved the issue? I am assuming there were code changes done to warrant a new build.

I have another application that ran into the same issue, and there wasn't any info on the Microsoft site to suggest why SAML authentication is now failing.

Hi Pongsatorn,

I can request this information from our lead developer and will post back here when I know more. He is on holidays at the moment (quietest time of the year for us), so it may take a bit of time before I can get hold of him.

I can confirm that there definitely were some code changes though, I just don't know what they were.

Regards,

Support

Hello Pongsatorn,

What we found with this is that all sessions on IIS no longer exist when returning from the SAML provider, and they previously did - so we needed to query the database a second time and set the session variables.

So we're not exactly sure what Microsoft did to cause this, but it did kill your session in IIS - possibly killing/clearing the ASP.NET session cookies as well.

I hope this helps.

Regards

Click Studios

Not sure what Microsoft did to cause this in the Dec security update as well, but the missing ASP.NET session cookie may be related to the upcoming changes to the SameSite cookie.

https://support.microsoft.com/en-au/help/4522904/potential-disruption-to-customer-websites-in-latest-chrome

https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/


Archived

This topic is now archived and is closed to further replies.
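
If the SameSite explanation suggested in the last reply is correct, the loop follows from how a browser treats the return trip from the SAML provider. The sketch below is an added example, not Click Studios or Microsoft code; it assumes the SAML HTTP-POST binding and a session cookie that gained `SameSite=Lax`, and the function names and sample headers are constructed for illustration.

```javascript
// Added illustration; not Passwordstate or Microsoft code.
// Sample Set-Cookie headers below are constructed for this example.

// Parse a Set-Cookie header into the fields the SameSite check needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
    if (key.toLowerCase() === "secure") cookie.secure = true;
  }
  return cookie;
}

// Would a browser attach this cookie to a top-level navigation?
// req = { crossSite: boolean, method: "GET" | "POST" }
function isCookieSent(cookie, req) {
  if (!req.crossSite) return true; // same-site requests always carry it
  switch (cookie.sameSite) {
    case "strict":
      return false;
    case "lax":
      return req.method === "GET"; // cross-site POST is not a "safe" navigation
    case "none":
      return cookie.secure; // browsers applying the new rules require Secure
    default:
      return true; // no attribute: legacy behaviour, cookie is sent
  }
}

// The IdP's auto-submitted form is a cross-site POST to the SP's ACS URL.
const SAML_POST_BACK = { crossSite: true, method: "POST" };

// True when the service provider still sees the pre-login session on return.
function sessionSurvivesSamlReturn(setCookieHeader) {
  return isCookieSent(parseSetCookie(setCookieHeader), SAML_POST_BACK);
}

const samples = [
  "ASP.NET_SessionId=abc123; path=/; HttpOnly",
  "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
  "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure; SameSite=None",
];
for (const h of samples) console.log(sessionSurvivesSamlReturn(h), h);
```

Under these assumptions the second sample prints `false`, which matches the symptom described in the thread: the session created before the redirect is not visible when the SAML response arrives.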
