Windows Server 2016 IIS 10 - Replay Attack Error


nbremmer
We run a Service Provider SSO for a client who is the Identity Provider. We recently upgraded our webserver from Windows Server 2008 R2 with IIS 7.5 to Windows Server 2016 with IIS 10, and we started to see the error "The SAML assertion is being replayed". As a result, I attempted to replicate this by using the MvcExampleIdentityProvider application supplied with the software and I am seeing the same error. I was wondering if anyone has any thoughts on what could be causing this issue. I have verified through Fiddler that I (as the Identity Provider) am sending only a single assertion, but the IIS logs and the SAML Trace Logs indicate that the website is receiving multiple, sometimes up to 5, duplicate assertions. I've attached both our IIS logs and the SAML Trace log. What's really strange is that, apart from upgrading the server and IIS, no changes were made to the website or SAML configuration itself. I am of the opinion that there is something in IIS that is configured wrong, but I'm not sure what that would be.
Any help would be appreciated. 
-Nathan
Attachments
SAML_Trace_200302.log (1 view, 147.00 KB)
u_ex200302_x.log (1 view, 889 bytes)
ComponentSpace
Hi Nathan,

There shouldn't be any issues with Windows Server 2016 or IIS 10. One of our test server images has this combination.

The SAML log shows the HTTP Post of the same SAML response being received three times. Each appears to be received on a separate browser session as the ASP.NET session ID is different for each.

Do you have IIS rewrite rules configured? Could these possibly be causing the duplication?

Let me know what you find. Thanks.

Regards
ComponentSpace Development
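
Added example, not part of the original thread and not ComponentSpace's code: a small Python check of an IIS W3C log for the pattern described in the reply above, several POSTs to the assertion consumer service from one client within a few seconds. The ACS path, the selected log fields and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the SP's assertion consumer service path; adjust to your site.
ACS_PATH = "/SAML/AssertionConsumerService"

# Constructed sample in IIS W3C extended format (not the poster's attached log).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2020-03-02 15:04:11 GET /Account/Login 203.0.113.7 302 15
2020-03-02 15:04:15 POST /SAML/AssertionConsumerService 203.0.113.7 302 120
2020-03-02 15:04:15 POST /SAML/AssertionConsumerService 203.0.113.7 500 48
2020-03-02 15:04:16 POST /SAML/AssertionConsumerService 203.0.113.7 500 45
2020-03-02 15:09:40 POST /SAML/AssertionConsumerService 198.51.100.9 302 110
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def duplicate_acs_posts(text, window_seconds=5):
    """Return (client_ip, first_seen, [statuses]) for bursts of >1 POST to ACS_PATH."""
    window = timedelta(seconds=window_seconds)
    by_client = defaultdict(list)
    for row in parse_w3c(text):
        if row["cs-method"] == "POST" and row["cs-uri-stem"].lower() == ACS_PATH.lower():
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            by_client[row["c-ip"]].append((ts, row["sc-status"]))
    bursts = []
    for ip, hits in by_client.items():
        hits.sort()
        groups = [[hits[0]]]  # consecutive POSTs closer together than the window
        for hit in hits[1:]:
            if hit[0] - groups[-1][-1][0] <= window:
                groups[-1].append(hit)
            else:
                groups.append([hit])
        bursts += [(ip, g[0][0], [s for _, s in g]) for g in groups if len(g) > 1]
    return bursts
```

Each burst it returns gives the client, the time of the first POST and the status code of every attempt, which can then be lined up against the entries in the SAML trace log.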
nbremmer
In reply to ComponentSpace - 3/2/2020:
Thank you, I will look into the IIS Rewrite rules and see what we have. It's interesting that the response is being received from different browser sessions.
-Nathan 
nbremmer
In reply to nbremmer - 3/3/2020:
It does look like we are using URL Rewrite rules to enforce https by redirecting http traffic to https. I'm unsure if that could be the problem, as we had that enabled on our 2008 R2 box as well, but I will look into it.
-Nathan
ComponentSpace
Let me know what you find. Thanks.

Regards
ComponentSpace Development
nbremmer
In reply to ComponentSpace - 3/3/2020:
I can verify that the IIS Rewrite is not causing this problem. We utilize the rewrite function in our 2008 r2 setup, but I've also disabled that functionality to test on the 2016 server with no luck.

I am being asked to verify that we are using the latest version of the ComponentSpace.SAML2.dll; we are currently using version 2.8.8.0. Can you verify that this is the latest version, or if there is a newer version we can update to?
ComponentSpace
The latest version is 4.1.0.

You'll find the release notes at:

https://www.componentspace.com/Forums/8576/Release-Notes

Please contact [email protected] for upgrade options.

Regards
ComponentSpace Development
nbremmer
In reply to ComponentSpace - 3/5/2020:
Sorry, it's been a bit, but we think we've narrowed down where the problem is. We have our site set up to require SSL and the Client Certificates set to Accept, as it's part of our site's authentication methods. We've noticed that when we set the Client Certificates to Ignore we no longer get the replay attack. I'm wondering if you have any thoughts on why this might be. 
Thank you,
Nathan 


ComponentSpace
Hi Nathan,

Thanks for the update. It's good to hear you've narrowed down the cause. We haven't heard of any issues related to client certificate authentication.

I tested this here using IIS 10 with Require SSL checked and Accept client certificates selected. The browser prompted me to select a client certificate and, once I did that, SSO and SLO worked as expected without any errors.

Have you tried this on a different server?

Please keep us posted.

Regards
ComponentSpace Development