The maximum message size quota for incoming messages (262144) has been exceeded


SecureAuth IdP Version Affected: All


Description: 

The Webservice Profile Provider fails to retrieve the profile for the user and the following error is logged in the debug log:


<EventID>52000</EventID><Timestamp>5/5/2018 10:00:00 AM</Timestamp><UserID></UserID><UserAgent></UserAgent><UserHostAddress></UserHostAddress>WebServiceProfileProvider.GetPropertyValuesBase: finding user 'bob' got exception: System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. 
--- End of inner exception stack trace --  


This can result in missing attributes in SAML assertions made by the realm as well as any other actions that rely on the profile.


Cause

A property returned to the web service realm is so large that the web service response exceeds the default limit in IIS (262144 bytes), which prevents the profile from being loaded.

This is typically the "Fingerprints" or "Push Notification Tokens" property, because the maximum count for each of these can be set to infinite and they tend to grow over time as the user logs in from different machines/browsers or enrols new devices. However, other properties can also grow too large.


Resolution

Review the size of the properties being returned to the Webservice realm. For "Fingerprints" this is usually the audio attribute in AD data stores, and for "Push Notification Tokens" it is usually the jpegPhoto attribute in AD data stores. Check all properties, not just these two.

The properties can be checked directly on the data store, or a Helpdesk realm can be used to review the number of Fingerprints or Devices associated with the user.

Delete old/unnecessary Fingerprints or Devices as needed; if working directly on the data store, the whole attribute can be cleared. Bear in mind that if the "Push Notification Token" is cleared, the user will have to enrol their device again to regain Push to Accept functionality.
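The following script is an added example, not part of the SecureAuth article, for the "check all properties" step: it reads every attribute on an AD user object with the RSAT ActiveDirectory module and reports the largest ones against the 262144-byte quota from the error. The attribute names audio and jpegPhoto come from the article; the function name, the sample account 'bob' and the read access to the user object are assumptions.

```powershell
# Added example (not SecureAuth's code): size every attribute stored on a user so the
# one inflating the profile web service response can be found before the
# MaxReceivedMessageSize quota (262144 bytes) is hit. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the user object.
Import-Module ActiveDirectory

function Get-AttributeSizeReport {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$QuotaBytes = 262144          # quota quoted in the error message
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties *
    $report = foreach ($name in $user.PropertyNames) {
        $value = $user.$name
        if ($null -eq $value) { continue }
        # A byte[] (audio, jpegPhoto) is one value; anything else may be multi-valued
        $values = if ($value -is [byte[]]) { ,$value } else { @($value) }
        $bytes = 0
        $count = 0
        foreach ($v in $values) {
            $count++
            if ($v -is [byte[]]) { $bytes += $v.Length }
            else { $bytes += [Text.Encoding]::UTF8.GetByteCount([string]$v) }
        }
        [pscustomobject]@{ Attribute = $name; Values = $count; Bytes = $bytes }
    }
    $total = ($report | Measure-Object -Property Bytes -Sum).Sum
    $report | Sort-Object Bytes -Descending | Select-Object -First 10 | Format-Table -AutoSize
    # Binary values are base64-encoded in the SOAP body, so the real message is
    # at least 4/3 of the raw byte count plus XML overhead.
    if ($total -gt $QuotaBytes) {
        Write-Warning ("Raw attribute bytes ({0}) already exceed the {1}-byte quota." -f $total, $QuotaBytes)
    }
}

# 'bob' is the sample user from the logged error; substitute the affected account
Get-AttributeSizeReport -SamAccountName 'bob'
```

Run it against the user named in the debug log entry; an attribute with hundreds of values or tens of thousands of bytes is the one to trim.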

To prevent a repeat of the problem consider configuring a limit on device/fingerprint enrolment realms:

Fingerprints (Total FP max count)

https://docs.secureauth.com/display/91docs/Device+Recognition

or 

Device Push Notification Tokens (Max Device Count)

https://docs.secureauth.com/display/91docs/Multi-Factor+Methods+Tab+Configuration



SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
