Point of Departure
We are currently using Exchange 2010 with Outlook Web App (OWA) and have a single sign-on infrastructure (SSO) based on Shibboleth. In order to make OWA work with Shibboleth SSO we are using ADFS 2.0 and WIF. We are using several OWA hosts behind a load balancer. The entire setup basically works fine; we can use both OWA and the Exchange Control Panel (ECP) with SSO.
WIF generates a cookie named "FedAuth", which is about 2.5 kB in size. The cookie can be chunked, resulting in a cookie named "FedAuth" (with about 2 kB) and a cookie named "FedAuth1" with the remaining payload. Unfortunately, this cookie is too large for some old browsers (Safari, Opera) and also for our load balancer (Cisco), which can only analyse the first 2 kB.
Hence, we were searching for a way to reduce the size of the FedAuth cookie.
The Solution
There are several approaches to reducing the size of the cookie. We opted for a solution outlined in the article "Your FedAuth Cookies on a Diet: IsSessionMode=true" and set the IsSessionMode property to true in the global.asax files of both OWA and ECP:
<%@ Import Namespace="Microsoft.IdentityModel.Web" %>
<script runat="server">
    // Runs once WIF has validated the token issued by ADFS; switching the
    // session module to session mode makes the FedAuth cookie carry only a
    // reference to the cached session token instead of the whole token.
    void WSFederationAuthenticationModule_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
    {
        FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true;
    }
</script>

This approach works quite well: the size of the FedAuth cookie is reduced to 607 bytes, which is fine for both old browsers and our load balancer.
The Problem
After setting the IsSessionMode property, the SSO login only works for OWA but not for ECP. Users can log on to OWA without any issues, but when opening ECP (either using the direct URL to /ecp/ or through the "All Options" menu item), an error message is displayed, and the following error message is logged on the server:
Current user: 'User not set'
Request for URL 'http://owa.ourdomain.com/ecp/' failed with the following error:
System.IdentityModel.Tokens.SecurityTokenException: ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
If we comment out our modifications to the global.asax files, the larger FedAuth cookies are generated, and both OWA and ECP work again.
Our interpretation: When accessing ECP the contents of the larger FedAuth cookie are expected. However, ECP cannot know that this cookie even exists because it is not generated by ECP but by WIF. So the issue seems to be with WIF. However, why can WIF read the smaller cookie in one case (OWA) but not in another case (ECP)?
Do you have any ideas how we can make this work with the smaller FedAuth cookie? Any help is greatly appreciated!
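As an added illustration (example code, not from the original post and not WIF's own implementation), the following Python model shows the two cookie shapes discussed above: the full-token FedAuth cookie that WIF chunks into FedAuth and FedAuth1 once it exceeds the chunk size, and the session-mode cookie that carries only a key into a token cache. The cache is modelled as a dict private to each application, the HMAC stands in for WIF's real token protection, and the 2 kB chunk size and the claim set are assumptions constructed for the demo.

```python
import hashlib, hmac, json, secrets
from typing import Dict

CHUNK = 2000  # assumed chunk size: a FedAuth value above this is split into FedAuth, FedAuth1, ...


def chunk_cookie(name: str, value: str, size: int = CHUNK) -> Dict[str, str]:
    """Split one logical cookie value into FedAuth, FedAuth1, ... chunks."""
    parts = [value[i:i + size] for i in range(0, len(value), size)] or [""]
    return {(name if i == 0 else f"{name}{i}"): p for i, p in enumerate(parts)}


def join_cookie(name: str, jar: Dict[str, str]) -> str:
    """Reassemble the chunks written by chunk_cookie, stopping at the first missing one."""
    out, i = [], 0
    while (key := (name if i == 0 else f"{name}{i}")) in jar:
        out.append(jar[key])
        i += 1
    return "".join(out)


class WebApp:
    """One IIS application (e.g. /owa or /ecp) with its own in-memory token cache (a plain dict)."""

    def __init__(self, name: str, key: bytes, session_mode: bool) -> None:
        self.name, self.key, self.session_mode = name, key, session_mode
        self.token_cache: Dict[str, str] = {}  # private to this process, not shared with other apps

    def issue(self, claims: dict) -> Dict[str, str]:
        token = json.dumps(claims)
        if self.session_mode:
            ref = secrets.token_hex(16)        # cookie carries only a cache key
            self.token_cache[ref] = token
            payload = ref
        else:
            payload = token                    # cookie carries the whole token
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return chunk_cookie("FedAuth", payload + "." + mac)

    def authenticate(self, jar: Dict[str, str]) -> dict:
        payload, _, mac = join_cookie("FedAuth", jar).rpartition(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("FedAuth cookie failed integrity check")
        if self.session_mode:
            if payload not in self.token_cache:   # a reference with no cached token behind it
                raise LookupError("token not found in this app's token cache")
            payload = self.token_cache[payload]
        return json.loads(payload)
```

Two applications sharing the key accept each other's full-token cookie, whereas a session-mode reference issued by one application is a cache miss at an application that holds its own cache, which is the situation the ID4243 message above reports.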