The maximum message size quota for incoming messages (262144) has been exceeded


SecureAuth IdP Version Affected:  All

 

Description: 

The Webservice Profile Provider fails to retrieve the profile for the user and the following error is logged in the debug log:

 

<EventID>52000</EventID><Timestamp>5/5/2018 10:00:00 AM</Timestamp><UserID></UserID><UserAgent></UserAgent><UserHostAddress></UserHostAddress>WebServiceProfileProvider.GetPropertyValuesBase: finding user 'bob' got exception: System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. 
--- End of inner exception stack trace --  

 

This can result in missing attributes in SAML assertions made by the realm as well as any other actions that rely on the profile.

 

Cause

A property being returned to the Webservice realm is so large that it makes the Webservice response exceed the default limit in IIS (262144 bytes) and prevents the profile from being loaded.

This is typically the "Fingerprints" or "Push Notification Tokens" property, because the maximum number for each of these can be set to infinite and they tend to grow over time as the user logs in from different machines/browsers or enrols new devices. However, other properties can also grow to be too large.

 

Resolution

Review the size of the properties being returned to the Webservice realm. For "Fingerprints" this is usually the audio attribute in AD data stores, and for "Push Notification Tokens" it is usually the jpegPhoto attribute in AD data stores. Check all properties, not just these two.
 
The properties can be checked directly on the data store or a Helpdesk realm can be used to review the number of Fingerprints or Devices associated with the user. 
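As an added example (not SecureAuth's own code), the following PowerShell function reports how many bytes each AD attribute behind a profile property would contribute to the Webservice response, so an oversized attribute can be found before the 262144-byte quota is hit. It assumes the ActiveDirectory module, read access to the user object, and the usual mapping of audio to Fingerprints and jpegPhoto to Push Notification Tokens; the attribute list and quota are parameters so other properties or a raised limit can be checked too.

```powershell
# Added example, not part of the SecureAuth product or this article.
# Assumes the ActiveDirectory module is available and the caller can read
# the attributes. Adjust -Attributes to match the realm's Profile Fields.
function Get-ProfileAttributeSize {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [string[]] $Attributes = @('audio', 'jpegPhoto'),
        [int]      $Quota      = 262144   # default WCFBindingMaxReceivedMessageSize
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $user  = Get-ADUser -Identity $Identity -Properties $Attributes
    $total = 0
    foreach ($name in $Attributes) {
        $raw = $user.$name
        # A single-valued octet string comes back as one byte[]; wrap it so
        # the loop below sees one value instead of enumerating its bytes.
        if ($raw -is [byte[]]) { $values = ,$raw } else { $values = @($raw) }
        $bytes = 0
        $count = 0
        foreach ($value in $values) {
            if ($null -eq $value) { continue }
            $count++
            if ($value -is [byte[]]) { $bytes += $value.Length }
            else { $bytes += [Text.Encoding]::UTF8.GetByteCount([string]$value) }
        }
        $total += $bytes
        [pscustomobject]@{
            Attribute      = $name
            Values         = $count
            Bytes          = $bytes
            PercentOfQuota = [math]::Round(100 * $bytes / $Quota, 1)
        }
    }
    # The SOAP envelope and every other returned property also count toward
    # the quota, so a total anywhere near it is already a problem.
    [pscustomobject]@{
        Attribute      = '(total of listed attributes)'
        Values         = $null
        Bytes          = $total
        PercentOfQuota = [math]::Round(100 * $total / $Quota, 1)
    }
}

# Usage: Get-ProfileAttributeSize -Identity bob | Format-Table -AutoSize
```

An attribute with a high value count and a large byte total is the one to trim through the Helpdesk realm or directly on the data store.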
 
 
Delete old or unnecessary Fingerprints or Devices as needed; if working directly on the data store, the whole attribute can be cleared. Bear in mind that if the "Push Notification Token" is cleared, the user will have to enrol their device again to regain Push to Accept functionality.

To prevent a repeat of the problem, consider configuring a limit on the device/fingerprint enrolment realms:

Fingerprints (Total FP max count)

https://docs.secureauth.com/display/91docs/Device+Recognition

or 

Device Push Notification Tokens (Max Device Count)

https://docs.secureauth.com/display/91docs/Multi-Factor+Methods+Tab+Configuration

 

Ideally the procedure above should be used to reduce the size of the attribute/property, but if its size cannot be reduced or is required to remain this large, the maximum limit allowed can be increased by editing the web.config of the Webservice realm (that is, the realm that queries a data store via Webservice).

Please be aware that increasing the limit should be given careful consideration, because other areas can then become the restriction instead, such as maximum attribute sizes in AD.

If, after considering the risks of hitting other limits, it is decided to proceed with increasing the limit, it is important to take a backup of the realm's web.config file first before following these steps:

1. Open the System Info tab

2. Scroll to the bottom and click the link that says "Click to edit Web Config"

3. Search for the following parameter names:

WCFBindingMaxReceivedMessageSize

WCFBindingMaxBufferSize

4. Increase the current value that each of them is set to, for example by doubling it.

Both values should match. The default size is 256KB, and the maximum size that can be assigned to these parameters is 2,147,483,647 (2GB).

5. Save and test

 

 

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
