Windows 2016 Console Login Issue - "Server Busy"

Sometimes we cannot login to the console using SAML because this “Server Busy” message comes up and won’t go away. Clicking on “Retry” only produces the same result - it just keeps coming up. Not sure what we can do with the “Switch To” option.

SAML login is working fine on our Windows 2012 R2 console servers.

I am running into the same issue. Can someone please respond?

I can usually get around this issue by closing the Console with the Task Manager and trying it again. Often there are a few seconds between when the smart card is detected and when the Server Busy error message appears during which I can enter in the PIN. Once the PIN is entered, then things work fine without a problem.

Today, I have tried to login 10 times, but the Server Busy error keeps coming up immediately after the smart card PIN entry thing shows up. There is no way I can login to the console.

This is a big problem and should be treated seriously.

EDIT: I will test out this possible solution and report back:

Navigate to Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security and then find the policy “Always prompt for password upon connection”

If the value is “Enable” or “Not configured”, please change it to “Disable”, even if this value is set to “Not configured”.

Run gpupdate /force and test again.

This came from a KB article for a 3rd party product that also deals with smart card authentication, CyberArk PSM: https://cyberark-customers.force.com/s/article/00005032

I’ve seen this before but not frequently enough to track down a root cause. It’s not a message from BigFix, but from the operating system. It will need to be treated as an OS issue. I’m not sure how much help we’ll be here, may need to try Microsoft.


It’s worth mentioning - these steps are to be used with Group Policy Editor. To launch it, run gpedit from a command prompt on a Windows server. Be aware, however, that this did not fix the problem.

The environment where I’m seeing this is running the BigFix Console on Remote Desktop Servers (licensed for more than the default of 2 users) and, for security reasons, has internet access disabled. What appears to be the case from Wireshark is that there are some external connections being attempted by the OS when these console logins are being initiated. One hypothesis is that Windows is normally configured to connect to a lot of things for basic tasks, and because these servers have no internet access for security reasons, something is breaking how ADFS works here. Examples of external connections would be certificate revocation lookups and Windows SmartScreen.

Another instance where this problem arose also suggests external connections are being made. See this screenshot of settings that supposedly fixed this for another 3rd-party product:

Let me be clear, this also did not fix it for us. For informational purposes, you can read more about this instance of the problem here: Support : Support Portal

Anyways, I’m starting to lean towards the hypothesis that the problem is a Windows configuration that depends on a failing external connection. The reason is that the problem does not occur on the BigFix root servers in these secure environments. Unlike the RD servers that most console operators log in to for running their console session, the root servers do have internet access for gathers/downloads. Whatever external connections are being made by the Windows OS when using ADFS, they are succeeding instead of failing on these specific servers, and that’s part of why I believe they don’t have this Server Busy error message.

Considering that this issue was not observed on the Windows Server 2012 R2 console servers, which also are restricted from internet access, it’s possible that the functionality depending on internet access here is unique to Windows Server 2016. We also need to rule out that it’s simply an OS-level configuration difference between the Windows Server 2012 R2 and Windows Server 2016 deployments here.

We would like to narrow down what the specific Windows configurations involved here are so that RD servers used for Console access can have internet access removed for secure operation.

Is this only coming up when using Smart Card logins?
I don’t recall the exact details, but the Windows system is going to need to be able to look up certificate revocation for the smart card itself before it can be accepted. You may need to enable the URLs for certificate revocation for your smartcards (which may be your internal CA or an Active Directory lookup).
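One way to find out which revocation endpoints the smart card certificate actually depends on, and whether the internet-restricted RD server can reach them, is the following added PowerShell diagnostic (not from this thread or from BigFix). It assumes the smart card is inserted and its certificate has propagated into the current user's Personal store; the Smart Card Logon EKU OID and the CDP/AIA extension OIDs are standard values.

```powershell
# Added diagnostic: list the CRL Distribution Point and Authority Info Access URLs
# embedded in the smart card logon certificate and test reachability from this host.
$scLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

function Get-RevocationUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $urls = @()
    foreach ($ext in $Cert.Extensions) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Info Access (AIA/OCSP)
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            $text = $ext.Format($true)
            $urls += [regex]::Matches($text, 'https?://\S+|ldap:///\S+') | ForEach-Object { $_.Value }
        }
    }
    $urls | Sort-Object -Unique
}

function Test-RevocationReachability {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        $uri = [uri]$u
        if ($uri.Scheme -eq 'ldap') {
            # ldap:/// CDP/AIA entries resolve against Active Directory, so a DC on 389 must answer
            $ok = Test-NetConnection -ComputerName $env:USERDNSDOMAIN -Port 389 -InformationLevel Quiet
        } else {
            $ok = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
        }
        [pscustomobject]@{ Url = $u; Reachable = $ok }
    }
}

# Pick the first certificate in the user's Personal store that carries the Smart Card Logon EKU
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $scLogonOid } |
    Select-Object -First 1
if (-not $cert) { throw 'No smart card logon certificate found in Cert:\CurrentUser\My' }

Test-RevocationReachability -Urls (Get-RevocationUrls -Cert $cert) | Format-Table -AutoSize

# certutil builds the full chain with live CRL/OCSP fetches and reports exactly which lookups fail
$tmp = Join-Path $env:TEMP 'smartcard.cer'
Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
certutil -urlfetch -verify $tmp
```

Any URL reported as unreachable is a candidate for a narrowly scoped firewall or proxy allowance (or an internal CRL mirror) rather than restoring general internet access to the RD servers.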

We had this occur in our environment before with SAML configured to utilize IWA:

_WebUIAppEnv_SAML_AUTHNCONTEXT=urn:federation:authentication:windows

Turns out the Personal Certificate store for the Service Account our BigFix Root Server service ran under had some smart card certificates propagated into it. Removing these certificates from the Personal Certificate store for the Service Account that ran our BigFix Root Server service fixed this for us. May or may not be the case here but worth a shot.

May want to disable automatic smart card certificate propagation on your servers also just in case.
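To check for the condition described in the two preceding posts, here is an added PowerShell snippet (not from this thread or from BigFix). It must run in a session started as the BigFix Root Server service account (for example `runas /user:DOMAIN\svc_bigfix powershell`, where DOMAIN\svc_bigfix is a placeholder) so that `Cert:\CurrentUser\My` is that account's Personal store; it lists propagated smart card logon certificates and reports the state of the "Turn on certificate propagation from smart card" policy.

```powershell
# Added check: find smart card logon certificates in the current account's Personal
# store and report whether smart card certificate propagation is policy-enabled.
$scLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

function Get-SmartCardLogonCerts {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $scLogonOid }
}

function Get-CertPropPolicy {
    # Registry value behind the GPO "Turn on certificate propagation from smart card"
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CertProp'
    $v = Get-ItemProperty -Path $key -Name CertPropEnabled -ErrorAction SilentlyContinue
    if ($null -eq $v)                  { return 'Not configured (propagation occurs on card insertion)' }
    if ($v.CertPropEnabled -eq 1)      { return 'Enabled' }
    return 'Disabled'
}

"Running as: $env:USERDOMAIN\$env:USERNAME"
"Certificate propagation policy: $(Get-CertPropPolicy)"
"CertPropSvc service state: $((Get-Service CertPropSvc).Status)"

$certs = Get-SmartCardLogonCerts
if (-not $certs) {
    'No smart card logon certificates in this account''s Personal store.'
} else {
    $certs | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint -AutoSize
    # Review the list first; drop -WhatIf to remove them as the post above describes
    $certs | Remove-Item -WhatIf
}
```

Setting the policy to Disabled stops the Certificate Propagation service from copying future smart card certificates into the service account's store, which addresses the "just in case" point in the second post.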


We had the same issue after enabling SAML but fixed it by disabling IE hardening on the endpoint running the console.