SecureAuth IdP Version Affected: All
Description:
The Webservice Profile Provider fails to retrieve the profile for the user and the following error is logged in the debug log:
<EventID>52000</EventID><Timestamp>5/5/2018 10:00:00 AM</Timestamp><UserID></UserID><UserAgent></UserAgent><UserHostAddress></UserHostAddress>WebServiceProfileProvider.GetPropertyValuesBase: finding user 'bob' got exception: System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.
--- End of inner exception stack trace --
This can result in missing attributes in SAML assertions made by the realm as well as any other actions that rely on the profile.
Cause:
A property returned to the Webservice realm is so large that the webservice response exceeds the default limit in IIS (262144 bytes), which prevents the profile from being loaded.
This is typically the "Fingerprints" or "Push Notification Tokens" property, because the maximum count for each of these can be set to unlimited and the values tend to grow over time as the user logs in from different machines/browsers or enrols new devices. However, other properties can also grow too large.
Resolution:
To prevent the problem from recurring, consider configuring a limit on the device/fingerprint enrolment realms:
Fingerprints (Total FP max count)
https://docs.secureauth.com/display/91docs/Device+Recognition
or
Device Push Notification Tokens (Max Device Count)
https://docs.secureauth.com/display/91docs/Multi-Factor+Methods+Tab+Configuration
Ideally, the procedure above should be used to reduce the size of the attribute/property. If its size cannot be reduced, or it is required to remain that large, the maximum allowed limit can instead be increased by editing the web.config of the Webservice realm (that is, the realm that queries a data store via Webservice).
Be aware that increasing the limit needs careful consideration, because other components can then become the restriction instead, such as maximum attribute sizes in AD.
If, after considering the risk of hitting other limits, the decision is to increase the limit, take a backup of the realm's web.config file first, then follow these steps:
1. Open the System Info tab
2. Scroll to the bottom and click the link that says "Click to edit Web Config"
3. Search for the following parameter names:
WCFBindingMaxReceivedMessageSize
WCFBindingMaxBufferSize
4. Increase the current value of each of them, e.g. double the value.
Both values should match. The default size is 256KB; note that the maximum size that can be assigned to these parameters is 2,147,483,647 (2GB).
5. Save and test
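The following is an added example, not part of this article or of SecureAuth's own tooling: it recognises the quota error from a debug-log line, and raises the two web.config parameters named above together (both values kept equal, capped at 2,147,483,647) after taking a backup. It assumes the parameters are stored as <appSettings> key/value entries; the web.config fragment below is constructed for the example.

```python
"""Detect the WCF quota error and raise WCFBindingMaxReceivedMessageSize /
WCFBindingMaxBufferSize in a Webservice realm web.config, keeping them equal."""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional, Tuple

KEYS = ("WCFBindingMaxReceivedMessageSize", "WCFBindingMaxBufferSize")
INT32_MAX = 2_147_483_647  # hard ceiling for both parameters (2GB)

# Constructed sample web.config fragment (assumed appSettings layout, not a real file).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="WCFBindingMaxReceivedMessageSize" value="262144" />
    <add key="WCFBindingMaxBufferSize" value="262144" />
    <add key="OtherSetting" value="unchanged" />
  </appSettings>
</configuration>
"""

QUOTA_RE = re.compile(r"maximum message size quota for incoming messages \((\d+)\) has been exceeded")

def quota_from_log(line: str) -> Optional[int]:
    """Return the quota (bytes) reported in a debug-log line, or None if unrelated."""
    m = QUOTA_RE.search(line)
    return int(m.group(1)) if m else None

def raise_limits(xml_text: str, factor: int = 2) -> Tuple[str, int]:
    """Return (new xml, new value): both keys set to max(current) * factor, capped."""
    root = ET.fromstring(xml_text)
    adds = {a.get("key"): a for a in root.iter("add") if a.get("key") in KEYS}
    missing = [k for k in KEYS if k not in adds]
    if missing:
        raise KeyError(f"web.config lacks appSettings: {missing}")
    current = max(int(adds[k].get("value")) for k in KEYS)
    new_value = min(current * factor, INT32_MAX)
    for k in KEYS:  # both parameters must match, as the article requires
        adds[k].set("value", str(new_value))
    return ET.tostring(root, encoding="unicode", xml_declaration=True), new_value

def raise_limits_in_file(path: Path, factor: int = 2) -> int:
    """Back up web.config beside itself (.bak), then rewrite it with raised limits."""
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    new_xml, new_value = raise_limits(path.read_text(encoding="utf-8"), factor)
    path.write_text(new_xml, encoding="utf-8")
    return new_value
```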
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Comments
9/6/2020 4:32:05 PM: Running job.
*ERROR* 9/6/2020 4:32:05 PM: Error executing job. System.Exception: Error syncing realms. ---> System.Exception: Unable to deserialize manifest from "D:\SecureAuth\SecureAuth0\SyncManifest.xml". ---> System.InvalidOperationException: There is an error in XML document (381, 78). ---> System.Xml.XmlException: There is an unclosed literal string. Line 381, position 78.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.ParseAttributeValueSlow(Int32 curPos, Char quoteChar, NodeData attr)
at System.Xml.XmlTextReaderImpl.ParseAttributes()
at System.Xml.XmlTextReaderImpl.ParseElement()
at System.Xml.XmlTextReaderImpl.ParseElementContent()
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read2_File(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read3_Folder(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read4_Paths(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read5_Realm(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read6_Manifest(Boolean isNullable, Boolean checkType)
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read7_Manifest()
--- End of inner exception stack trace ---
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
at FileSyncService.Helpers.SlaveHelper.GetManifest(String filePath)
--- End of inner exception stack trace ---
at FileSyncService.Helpers.SlaveHelper.GetManifest(String filePath)
at FileSyncService.Helpers.SlaveHelper.SyncRealms()
at FileSyncService.FileSyncServiceAllInOne.BeginSyncSlave(IConfiguration configuration)
--- End of inner exception stack trace ---
at FileSyncService.FileSyncServiceAllInOne.BeginSyncSlave(IConfiguration configuration)
at FileSyncService.FileSyncServiceAllInOne.Run()