Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

FAILURE - Could not transform wctx into guid.

Last post 03-02-2010, 2:57 AM by PBrusten. 3 replies.
  •  01-08-2010, 9:38 AM 7703

    FAILURE - Could not transform wctx into guid.

    Hello,

    We're seeing some weird ADFS logs since we've applied KB971726 (http://support.microsoft.com/kb/971726) on a server running an ADFS webagent.
    The ADFS web agent is running on a CAS server where we've enabled ADFS NT-token based authentication.

    The KB update was also installed on the Federation server (fs.aai.kuleuven.be).

    In the event viewer we see the following error:

    ###################################
    Event Type: Warning
    Event Source: ADFS ISAPI Extension
    Event Category: None
    Event ID: 103
    Date: 8/01/2010
    Time: 14:35:58
    User: N/A
    Computer: ICTS-S-CAS-N8
    Description:
    The ADFS Web Agent for Windows NT token-based applications encountered a serious error. The client was successfully authenticated using the token from the Federation Service, but the Web agent was not able to redirect the client back to the application page that was originally requested.

    User Action
    If this error persists, enable the ADFS troubleshooting log.
    ###################################


    The ADFS troubleshooting log gave us more details:

    ###################################
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 HttpExtensionProc : ENTER
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 GetCustomHeader: returning TRUE. Found custom header: TRUE
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 IsClientFormsCapable: User agent is Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 IsClientFormsCapable: Found browser user agent -- forms capable.
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 GetServerPort: returning 0.
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 GetCanonicalizedUrl: returning TRUE.
    .6316.6368> WsExt-Trace: jan 08 10 13:35:58 IsClientAnOfficeApp: Url has not been munged.
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 IsClientAnOfficeApp: returning TRUE. UseTTP = FALSE
    .6316.6368> WsExt-Trace: jan 08 10 13:35:58 CheckForAuthData : ENTER
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 CheckForAuthData : POST Request Method - 5110
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 CheckContentType: Content Type = application/x-www-form-urlencoded.
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 CheckContentType: returning 0. fIsUrlEncoded = TRUE.
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 CheckForAuthData : POST - received SignInResponse
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 UrlDecode: returning TRUE.
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 UrlDecode: returning TRUE.
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 GetCookieInfo: Enter
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 GetCookieInfo: Cookie md value - (/owa)
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 GetCookieInfo: Enter
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 GetCookieInfo: Cookie md value - (owa.student.kuleuven.be)
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 WebSSOExtensionProc : Auth token was authenticated - will now redirect to final URL with cookie
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 Redirecting to original Url
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 Final Url : https://owa.student.kuleuven.be/owa/
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 Cookie Path : /owa
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 Cookie Domain : owa.student.kuleuven.be
    6316.6368> WsExt-Error: jan 08 10 13:35:58 LoadWctxCookie : FAILURE - Could not transform wctx into guid.
    6316.6368> WsExt-Error: jan 08 10 13:35:58 RedirectToOriginalURLWithCookie : Failed loading final URL for context https://owa.student.kuleuven.be/owa/.
    6316.6368> WsExt-Error: jan 08 10 13:35:58 WebSSOExtensionProc : FAILURE RedirectToOriginalURLWithCookie failed
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 ExtReportEvent: g_dwEventLogLevel - 7
    6316.6368> WsExt-Trace: jan 08 10 13:35:58 ExtReportEvent: ReportEvent - 2 - 103
    ###################################


    So apparently there is an issue with the WCTX cookie: "LoadWctxCookie : FAILURE - Could not transform wctx into guid.". Eventually the user gets redirected to OWA, but these errors still persist. So I really don't know what's causing this problem.

    Next, I will provide a relevant HTTP trace of a login attempt:

    ####START HTTP TRACE####

    https://owa.student.kuleuven.be/owa/

    GET /owa/ HTTP/1.1
    Host: owa.student.kuleuven.be

    HTTP/1.x 302 Object moved
    Location: https://fs.aai.kuleuven.be/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fowa.student.kuleuven.be%2Fowa%2F&wct=2010%2d01%2d08T14%3a46%3a22Z&wctx=28512731-1e44-4624-bc59-f84ea23c3d06
    Set-Cookie: _AdfsWctx28512731-1e44-4624-bc59-f84ea23c3d06=https%3A%2F%2Fowa.student.kuleuven.be%2Fowa%2F; Path=/owa; Domain=owa.student.kuleuven.be; Secure; HttpOnly
    ----------------------------------------------------------
    https://fs.aai.kuleuven.be/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fowa.student.kuleuven.be%2Fowa%2F&wct=2010%2d01%2d08T14%3a46%3a22Z&wctx=28512731-1e44-4624-bc59-f84ea23c3d06

    GET /adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fowa.student.kuleuven.be%2Fowa%2F&wct=2010%2d01%2d08T14%3a46%3a22Z&wctx=28512731-1e44-4624-bc59-f84ea23c3d06 HTTP/1.1
    Host: fs.aai.kuleuven.be

    HTTP/1.x 302 Found
    Location: https://idp.kuleuven.be/shibboleth-idp-1.3.3/ADFS?wa=wsignin1.0&wtrealm=urn%3amace%3akuleuven.be%3akulassoc%3akuleuven.be%3aadfs%3aluna&wct=2010-01-08T14%3a46%3a22Z&wctx=930fe2db-f222-46a2-ab07-ac5b49816957
    Set-Cookie: _AdfsWctx930fe2db-f222-46a2-ab07-ac5b49816957=https://owa.student.kuleuven.be/owa/\28512731-1e44-4624-bc59-f84ea23c3d06; path=/adfs/ls/; secure; HttpOnly
    ----------------------------------------------------------
    Shibboleth login: out of scope for this problem
    ----------------------------------------------------------
    https://fs.aai.kuleuven.be/adfs/ls/clientlogon.aspx

    POST /adfs/ls/clientlogon.aspx HTTP/1.1
    Host: fs.aai.kuleuven.be
    Cookie: _AdfsWctx930fe2db-f222-46a2-ab07-ac5b49816957=https://owa.student.kuleuven.be/owa/\28512731-1e44-4624-bc59-f84ea23c3d06
    Content-Length: 7560
    wa=wsignin1.0&
    wctx=930fe2db-f222-46a2-ab07-ac5b49816957&
    wresult=%3CRequestSecurityTokenResponse+[...] RequestSecurityTokenResponse%3E

    HTTP/1.x 200 OK
    Set-Cookie: _AdfsWctx930fe2db-f222-46a2-ab07-ac5b49816957=; expires=Thu, 07-Jan-2010 14:46:28 GMT; path=/adfs/ls/
    Set-Cookie: _WebSsoAuth=eNqdV2t[....]; path=/adfs/ls/; secure; HttpOnly
    Set-Cookie: _WebSsoAuth0=HNxvFK[....]; path=/adfs/ls/; secure; HttpOnly
    Set-Cookie: _LSCleanup=2010-01-08:14:46:28Zahttps://owa.student.kuleuven.be/owa/; path=/adfs/ls/; secure; HttpOnly

    ----------------------------------------------------------
    https://owa.student.kuleuven.be/owa/

    POST /owa/ HTTP/1.1
    Host: owa.student.kuleuven.be
    Cookie: _AdfsWctx28512731-1e44-4624-bc59-f84ea23c3d06=https%3A%2F%2Fowa.student.kuleuven.be%2Fowa%2F
    Content-Length: 5100
    wa=wsignin1.0&
    wresult=%3Cwst%3ARequestSecurityTokenResponse[....]RequestSecurityTokenResponse%3E&
    wctx=28512731-1e44-4624-bc59-f84ea23c3d06

    HTTP/1.x 302 Object moved
    Connection: Keep-Alive
    Content-Length: 0
    Date: Fri, 08 Jan 2010 14:46:28 GMT
    Location: https://owa.student.kuleuven.be/owa/
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    X-CASNode: 6
    X-Powered-By: ASP.NET
    Set-Cookie: _WebSsoAuth=eNqdV[....]; Path=/owa; Domain=owa.student.kuleuven.be; Secure; HttpOnly
    Set-Cookie: _WebSsoAuth0=DxvFq[....]; Path=/owa; Domain=owa.student.kuleuven.be; Secure; HttpOnly
    Set-Cookie: _AdfsWctx28512731-1e44-4624-bc59-f84ea23c3d06=; Expires=TUE,05-AUG-2003 22:00:00 GMT; Path=/owa; Domain=owa.student.kuleuven.be;
    ----------------------------------------------------------
    https://owa.student.kuleuven.be/owa/

    GET /owa/ HTTP/1.1
    Host: owa.student.kuleuven.be
    Referer: https://fs.aai.kuleuven.be/adfs/ls/clientlogon.aspx
    Cookie: _WebSsoAuth=eNqdV[....]

    HTTP/1.x 200 OK
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    X-OWA-Version: 8.2.217.2
    Set-Cookie: UserContext=d09293ec6[....]; path=/

    ####STOP HTTP TRACE####


    Any help or pointers would be appreciated!

    Kind regards,

    Philip
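
A check that could be run over captured requests such as the final `POST /owa/` in the trace above, added here as an example and not part of the original post or of the ADFS web agent's code: it verifies that `wctx` is a canonical ASCII GUID and that a matching `_AdfsWctx` cookie accompanies it. The function names and the failure input are constructed; the cookie naming comes from the trace, and the lookup rule (prefix plus `wctx`) is an assumption inferred from it.

```python
import re
from urllib.parse import parse_qs, quote, unquote

COOKIE_PREFIX = "_AdfsWctx"  # cookie name prefix seen in the trace
# Canonical 8-4-4-4-12 form, ASCII hex only. uuid.UUID() is not used because it
# also accepts braces, "urn:uuid:" prefixes and input without hyphens.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_cookie_header(header):
    """Split a Cookie request-header value into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def check_signin_response(form_body, cookie_header):
    """Return findings for one wsignin1.0 POST sent back to the web agent."""
    fields = parse_qs(form_body, keep_blank_values=True)
    wctx_values = fields.get("wctx", [])
    if len(wctx_values) != 1:
        return ["expected exactly one wctx field, got %d" % len(wctx_values)]
    wctx = wctx_values[0]
    findings = []
    if not GUID_RE.fullmatch(wctx):
        findings.append("wctx is not an ASCII GUID: %r" % wctx)
    # Assumption: the context cookie is looked up as prefix + wctx.
    target = parse_cookie_header(cookie_header).get(COOKIE_PREFIX + wctx)
    if target is None:
        findings.append("no %s<wctx> cookie for this wctx" % COOKIE_PREFIX)
    elif not unquote(target).startswith("https://"):
        findings.append("context cookie is not an https URL: %r" % target)
    return findings


# From the final POST /owa/ in the trace; wresult replaced by a placeholder.
TRACE_BODY = "wa=wsignin1.0&wresult=PLACEHOLDER&wctx=28512731-1e44-4624-bc59-f84ea23c3d06"
TRACE_COOKIE = ("_AdfsWctx28512731-1e44-4624-bc59-f84ea23c3d06="
                "https%3A%2F%2Fowa.student.kuleuven.be%2Fowa%2F")
# Constructed failure case: same GUID with its first group in fullwidth digits.
BAD_BODY = "wa=wsignin1.0&wctx=" + quote(
    "\uff12\uff18\uff15\uff11\uff12\uff17\uff13\uff11-1e44-4624-bc59-f84ea23c3d06")

if __name__ == "__main__":
    for body in (TRACE_BODY, BAD_BODY):
        print(check_signin_response(body, TRACE_COOKIE) or "ok")
```

For the request values in the trace the function returns no findings, so the `wctx` and cookie on the wire in that capture are well-formed and consistent with each other.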
  •  01-08-2010, 1:15 PM 7705 in reply to 7703

    Re: FAILURE - Could not transform wctx into guid.

    Report bug to MS immediately. This is the second time I've seen a problem with this patch causing unintended failures. The other case was with a machine running the Korean version of Windows Server where for some reason the GUID value was being translated into Korean Unicode characters. Really weird.

    If it is broken, the only thing I can suggest as a remedy for now is to roll back the patch.

    I'll be very curious to see where all these threads lead. I'm sure there is a simple logic flaw in the agent or fed server code somewhere that causes this.

  •  03-02-2010, 1:35 AM 7900 in reply to 7703

    Re: FAILURE - Could not transform wctx into guid.

    Hey PBrusten, were you able to solve this problem? Encountered something similar when I used KB971726 too.
  •  03-02-2010, 2:57 AM 7902 in reply to 7900

    Re: FAILURE - Could not transform wctx into guid.

    No, unfortunately not. We're still seeing these events, but we haven't opened a support ticket with Microsoft yet.
    Our users, however, aren't experiencing any trouble, as far as we know.