After migrating a Project Server (or any other SharePoint web app) to a new SharePoint 2010 farm that uses ADFS for federated authentication and multi-tenancy, you receive the error message below when trying to access some of the migrated site collections. In my case the root site worked but /PWA failed.
Also, if you provision a new site collection (including a PWA) in the same web application, it works fine.
Error message from ADFS
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: [GUID]
Event log on ADFS server
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 5/11/2012 10:00:43 PM
Event ID: 364
Task Category: None
Keywords: AD FS
Encountered error during federation passive request.
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made ‘6’ requests in the last ‘5’ seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.UpdateLoopDetectionCookie()
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSignInResponse(MSISSignInResponse response)
What’s happening is that while authentication works as expected on some sites, when you open a particular site collection the authentication goes into a loop, eventually failing when the ADFS server detects this redirect loop.
After a fair amount of digging, the problem turned out to be in the multi-tenancy configuration of this particular farm. Specifically, for some reason not all of the site collections had a subscription.
Using the PowerShell command ‘Get-SPSite https://site/sitecollection1’ against two site collections to compare the settings turned up the key difference:
This explains why the authentication is failing: the different site subscription overrides the FedAuth authentication cookie assigned by ADFS as soon as it is assigned, causing the page to redirect back to re-authenticate.
Fortunately, once the above was found, the fix is simple. Run the following command in PowerShell:
Get-SPSite | Set-SPSite -SiteSubscription [GUID of site subscription]
Now after a quick IISRESET all should be working!
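An audit-first version of the comparison and fix described above, as an added example that is not part of the original post. The web application URL and subscription GUID are placeholders to replace, and the script assumes a site collection with no subscription reports an empty SiteSubscription property.

```powershell
# Added example: report which site collections lack the expected site
# subscription before changing anything. Run in the SharePoint 2010
# Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = 'https://site'                                  # placeholder
$subscriptionId = [Guid]'00000000-0000-0000-0000-000000000000'    # placeholder

Start-SPAssignment -Global   # lets SharePoint dispose the SPSite objects later
try {
    # Fails early if the subscription GUID is wrong.
    $expected = Get-SPSiteSubscription -Identity $subscriptionId

    # -Limit All: Get-SPSite otherwise returns only the first 20 site collections.
    $sites = @(Get-SPSite -WebApplication $webAppUrl -Limit All)

    # One row per site collection so the outliers are easy to spot.
    $report = foreach ($site in $sites) {
        $subId = $null
        if ($site.SiteSubscription -ne $null) { $subId = $site.SiteSubscription.Id }
        New-Object PSObject -Property @{
            Url              = $site.Url
            SiteSubscription = $subId
            Matches          = ($subId -eq $expected.Id)
        }
    }
    $report | Sort-Object Url | Format-Table Url, SiteSubscription, Matches -AutoSize

    # Only touch site collections that have no subscription at all; ones that
    # belong to a different tenant are reported above but left alone.
    $unassigned = @($sites | Where-Object { $_.SiteSubscription -eq $null })
    foreach ($site in $unassigned) {
        # -WhatIf previews the change; remove it once the report looks right.
        Set-SPSite -Identity $site -SiteSubscription $expected -WhatIf
    }
    Write-Host ("{0} of {1} site collections have no subscription." -f `
        $unassigned.Count, $sites.Count)
}
finally {
    Stop-SPAssignment -Global
}
```

Scoping the change to unassigned site collections in one web application avoids moving site collections that already belong to another tenant, which the unfiltered pipeline would attempt.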