Event ID - 678

Event Id: 678
Source: Microsoft-Windows-ADFS
Description: The Federation Service rejected a token request because it appeared to duplicate a successful request that was granted to the same client browser session within the last %2 seconds.
Target: %1
Duplication period (seconds): %2
This failure generally indicates that the target is not receiving cookies that it writes. If this condition is caused by a server-side configuration error, it may indicate that all requests to the target are failing.
User Action: Ensure that the client browser is configured to accept cookies from the target site. Ensure that the cookie path and cookie domain are correctly configured at the target Federation Service or web agent. Ensure that the return URL that is specified in the Web Agent matches the application URL that is specified in the Federation Service.

Event Information: According to Microsoft :

Cause :

This event is logged when the Federation Service rejects a token request because it appears to duplicate a successful request that was granted to the same client browser session within the duplication period (the %2 value, in seconds, in the event description).

Resolution :

Examine the cookie settings in the client browser and in the web.config file.

Ensure that the client browser is configured to accept cookies from the target site.

Ensure that the cookie path and cookie domain are configured correctly for the Web application on the Web server.

If the Web application is a claims-aware application, the cookie path and cookie domain are specified in the web.config file for the application.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check that the claims-aware application is configured with correct cookie values:
  1. On the Web server, locate the web.config file that is used by your claims-aware application, and then open it with Notepad. This file should be located in \inetpub\wwwroot\virtualdirectory, where your claims-aware application files are stored.
  2. Check to make sure that the CookiePath and CookieDomain tags have valid values.

If the Web application is a Windows NT token-based application, the cookie path and cookie domain are specified in the AD FS Windows Token-Based Agent dialog box for the application's virtual directory in Internet Information Services (IIS).

To check that the Windows token-based agent is configured with correct cookie values:
  1. On the Web server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click YourComputerName (local computer).
  3. In the console tree, double-click Sites, and then click YourWebSiteName.
  4. In the center pane, double-click Authentication, highlight AD FS Windows Token-Based Agent, and then in the Actions pane click Edit.
  5. In the AD FS Windows Token-Based Agent dialog box, confirm that the Enable AD FS Web Agent check box is selected.
  6. Make sure that the following values are valid, and then click OK.
     • Cookie path
     • Cookie domain

The cookie path should match exactly the virtual directory of the application in IIS. The path name is case sensitive.
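
The cookie checks above, expressed as an added example (not code from Microsoft or from this page): a Python check that applies the RFC 6265 domain-match and path-match rules a browser uses when deciding whether to return a cookie, plus the exact, case-sensitive comparison against the IIS virtual directory. The host name, virtual directory and the `check_cookie_scope` helper are hypothetical, and the configured values are passed in directly rather than parsed from web.config.

```python
from urllib.parse import urlsplit

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: equal, or host is a subdomain of cookie_domain."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if not dom:  # assumption: an empty value means a host-only cookie
        return True
    return host == dom or host.endswith("." + dom)

def path_matches(request_path, cookie_path):
    """RFC 6265 path-match; the comparison is case-sensitive."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # Prefix only counts on a path-segment boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def check_cookie_scope(return_url, cookie_path, cookie_domain, virtual_dir):
    """Return finding codes; an empty list means the browser returns the cookie."""
    url = urlsplit(return_url)
    findings = []
    if not domain_matches(url.hostname or "", cookie_domain):
        findings.append("domain")      # cookie domain does not cover the host
    if not path_matches(url.path or "/", cookie_path):
        findings.append("path")        # cookie path does not cover the return URL
    if cookie_path != virtual_dir:
        same = cookie_path.lower() == virtual_dir.lower()
        findings.append("path-case" if same else "path-vdir")
    return findings

# Constructed sample values (hypothetical application URL and settings).
URL = "https://app.contoso.example/ClaimApp/default.aspx"
SAMPLES = [
    ("/ClaimApp", "contoso.example"),   # correct
    ("/claimapp", "contoso.example"),   # wrong case in cookie path
    ("/ClaimApp", "fabrikam.example"),  # cookie domain for another site
]

if __name__ == "__main__":
    for path, domain in SAMPLES:
        print(path, domain, check_cookie_scope(URL, path, domain, "/ClaimApp"))
```

Any non-empty result describes a configuration in which the browser does not send the cookie back to the application, which is the condition the event description attributes this failure to.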

Verify :

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

Reference Links: Event ID 678 from Source Microsoft-Windows-ADFS
