The maximum message size quota for incoming messages (262144) has been exceeded

    Applies to: Legacy SecureAuth IdP
    Deployment model: On Premises
    SecureAuth IdP Version Affected: All

     

    Description: 

    The Webservice Profile Provider fails to retrieve the profile for the user and the following error is logged in the debug log:

     

    <EventID>52000</EventID><Timestamp>5/5/2018 10:00:00 AM</Timestamp><UserID></UserID><UserAgent></UserAgent><UserHostAddress></UserHostAddress>WebServiceProfileProvider.GetPropertyValuesBase: finding user 'bob' got exception: System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. 
    --- End of inner exception stack trace --  

     

    This can result in missing attributes in SAML assertions made by the realm as well as any other actions that rely on the profile.
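To see which users are affected and which quota is in force, the debug log can be scanned for this event. The following is an added example, not SecureAuth code; the sample lines are constructed in the format quoted above, and the user names and the TimeoutException entry are made up.

```python
import re

# Constructed sample in the debug-log format quoted above. The user names and
# the TimeoutException entry are made up for this example.
_PREFIX = ("<EventID>52000</EventID><Timestamp>{ts}</Timestamp><UserID></UserID>"
           "<UserAgent></UserAgent><UserHostAddress></UserHostAddress>"
           "WebServiceProfileProvider.GetPropertyValuesBase: finding user '{user}' "
           "got exception: ")
_QUOTA = ("System.ServiceModel.CommunicationException: The maximum message size "
          "quota for incoming messages (262144) has been exceeded. To increase the "
          "quota, use the MaxReceivedMessageSize property on the appropriate "
          "binding element.")
SAMPLE_LOG = "\n".join([
    _PREFIX.format(ts="5/5/2018 10:00:00 AM", user="bob") + _QUOTA,
    "--- End of inner exception stack trace ---",
    _PREFIX.format(ts="5/5/2018 10:02:11 AM", user="alice") + _QUOTA,
    _PREFIX.format(ts="5/5/2018 10:03:40 AM", user="carol")
    + "System.TimeoutException: The request channel timed out.",
    _PREFIX.format(ts="5/5/2018 10:07:52 AM", user="bob") + _QUOTA,
])

QUOTA_RE = re.compile(
    r"<Timestamp>(?P<ts>[^<]+)</Timestamp>.*?"
    r"WebServiceProfileProvider\.GetPropertyValuesBase: finding user '(?P<user>[^']*)'"
    r" got exception: .*?maximum message size quota for incoming messages "
    r"\((?P<quota>\d+)\) has been exceeded"
)


def quota_failures(log_text):
    """Return {user: {count, quota, first, last}} for profile loads that hit the quota."""
    hits = {}
    for line in log_text.splitlines():
        m = QUOTA_RE.search(line)
        if m is None:
            continue  # stack-trace lines and unrelated exceptions are skipped
        entry = hits.setdefault(
            m["user"], {"count": 0, "quota": int(m["quota"]), "first": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]  # assumes the log is appended in time order
    return hits


if __name__ == "__main__":
    for user, info in quota_failures(SAMPLE_LOG).items():
        print(f"{user}: {info['count']} failure(s), quota {info['quota']} bytes, "
              f"{info['first']} .. {info['last']}")
```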

     

    Cause

    A property returned to the Webservice realm is so large that the webservice response exceeds the default limit in IIS (262144 bytes), which prevents the profile from being loaded.

    This is typically the "Fingerprints" or "Push Notification Tokens" property, because the maximum number of each can be set to infinite and the properties tend to grow over time as the user logs in from different machines/browsers or enrols new devices. However, other properties can also grow too large.

     

    Resolution

    Review the size of the properties being returned to the Webservice realm. For "Fingerprints" this is usually the audio attribute in AD data stores, and for "Push Notification Tokens" it is usually the jpegPhoto attribute in AD data stores. Check all properties, not just these two.

    The properties can be checked directly on the data store, or a Helpdesk realm can be used to review the number of Fingerprints or Devices associated with the user.

    Delete old or unnecessary Fingerprints or Devices as needed. If working directly on the data store, the whole attribute can be cleared. Bear in mind that if the "Push Notification Token" is cleared, the user will have to enrol their device again to regain Push to Accept functionality.

    To prevent a repeat of the problem consider configuring a limit on device/fingerprint enrolment realms:

    Fingerprints (Total FP max count)

    https://docs.secureauth.com/display/91docs/Device+Recognition

    or 

    Device Push Notification Tokens (Max Device Count)

    https://docs.secureauth.com/display/91docs/Multi-Factor+Methods+Tab+Configuration

     

    Ideally the procedure above should be used to reduce the size of the attribute/property. If the size cannot be reduced, or the attribute/property is required to remain that large, the maximum limit can be increased by editing the web.config of the Webservice realm (that is, the realm that queries a data store via Webservice).

    Increasing the limit should be given careful consideration, because other limits can become the restriction instead, for instance the maximum attribute sizes in AD.

    If, after considering the risk of hitting other limits, it is decided to proceed with increasing the limit, take a backup of the realm's web.config file before following these steps:

    1. Open the System Info tab

    2. Scroll to the bottom and click the link that says "Click to edit Web Config"

    3. Search for the following parameter names:

    WCFBindingMaxReceivedMessageSize

    WCFBindingMaxBufferSize

    4. Increase the size of the current value that each of them is set to, i.e. double the value. 

    Both values should match. The default size is 256KB, and the maximum size that can be assigned to these parameters is 2,147,483,647 (2GB).

    5. Save and test
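Before saving, the edited file can be checked against the rules in step 4: both parameters present, matching, and no larger than the stated maximum. The following is an added example, not SecureAuth code; it assumes the two parameters are stored as appSettings `<add key="..." value="..."/>` entries, and the web.config fragments are constructed.

```python
import xml.etree.ElementTree as ET

KEYS = ("WCFBindingMaxReceivedMessageSize", "WCFBindingMaxBufferSize")
MAX_ALLOWED = 2_147_483_647  # upper bound stated in the article

# Constructed web.config fragments. Storing the two parameters as appSettings
# <add key="..." value="..."/> entries is an assumption made for this example.
TEMPLATE = """<configuration><appSettings>
  <add key="WCFBindingMaxReceivedMessageSize" value="{recv}" />
  <add key="WCFBindingMaxBufferSize" value="{buf}" />
</appSettings></configuration>"""
DOUBLED = TEMPLATE.format(recv=524288, buf=524288)
MISMATCHED = TEMPLATE.format(recv=524288, buf=262144)


def check_wcf_limits(web_config_xml, largest_response_bytes=None):
    """Return a list of problems with the two WCF size parameters (empty = OK)."""
    found = {el.get("key"): el.get("value")
             for el in ET.fromstring(web_config_xml).iter("add")
             if el.get("key") in KEYS}
    problems, values = [], {}
    for key in KEYS:
        raw = found.get(key)
        if raw is None:
            problems.append(f"{key} is missing")
            continue
        try:
            values[key] = int(raw)
        except ValueError:
            problems.append(f"{key} is not an integer: {raw!r}")
            continue
        if not 0 < values[key] <= MAX_ALLOWED:
            problems.append(f"{key}={values[key]} is outside 1..{MAX_ALLOWED}")
    if len(values) == 2 and len(set(values.values())) != 1:
        problems.append("values do not match: "
                        + ", ".join(f"{k}={v}" for k, v in values.items()))
    # Optional: compare with the largest response size measured for a user.
    if largest_response_bytes is not None and values:
        if min(values.values()) < largest_response_bytes:
            problems.append("limit is below the largest expected response "
                            f"({largest_response_bytes} bytes)")
    return problems


if __name__ == "__main__":
    print(check_wcf_limits(DOUBLED) or "OK")
    print(check_wcf_limits(MISMATCHED))
```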

     

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.


    Comments

    1 comment
    • 9/6/2020 4:32:05 PM: Running job.
      *ERROR* 9/6/2020 4:32:05 PM: Error executing job. System.Exception: Error syncing realms. ---> System.Exception: Unable to deserialize manifest from "D:\SecureAuth\SecureAuth0\SyncManifest.xml". ---> System.InvalidOperationException: There is an error in XML document (381, 78). ---> System.Xml.XmlException: There is an unclosed literal string. Line 381, position 78.
      at System.Xml.XmlTextReaderImpl.Throw(Exception e)
      at System.Xml.XmlTextReaderImpl.ParseAttributeValueSlow(Int32 curPos, Char quoteChar, NodeData attr)
      at System.Xml.XmlTextReaderImpl.ParseAttributes()
      at System.Xml.XmlTextReaderImpl.ParseElement()
      at System.Xml.XmlTextReaderImpl.ParseElementContent()
      at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read2_File(Boolean isNullable, Boolean checkType)
      at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read3_Folder(Boolean isNullable, Boolean checkType)
      at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read4_Paths(Boolean isNullable, Boolean checkType)
      at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read5_Realm(Boolean isNullable, Boolean checkType)
      at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read6_Manifest(Boolean isNullable, Boolean checkType)
      at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderManifest.Read7_Manifest()
      --- End of inner exception stack trace ---
      at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
      at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
      at FileSyncService.Helpers.SlaveHelper.GetManifest(String filePath)
      --- End of inner exception stack trace ---
      at FileSyncService.Helpers.SlaveHelper.GetManifest(String filePath)
      at FileSyncService.Helpers.SlaveHelper.SyncRealms()
      at FileSyncService.FileSyncServiceAllInOne.BeginSyncSlave(IConfiguration configuration)
      --- End of inner exception stack trace ---
      at FileSyncService.FileSyncServiceAllInOne.BeginSyncSlave(IConfiguration configuration)
      at FileSyncService.FileSyncServiceAllInOne.Run()

