I’ve been knee deep in Active Directory Federation Services for the past three months now, and when helping one of our clients deploy a single sign-on (SSO) application, we ran into a nasty error:
The request has been rejected because it appears to be a duplicate of a request from this same client browser session within the last 20 seconds
Here is a quick synopsis of the problem. ADFS works by bouncing users back and forth between federation servers and the application, and somewhere along the way you end up with a cookie containing authentication information (a SAML token to be more precise). One of the options in the web.config is the path to the cookie, which is found in
<configuration>
  <web.config>
    …
    <websso>
      …
      <cookies writecookies="true">
        …
        <path>/CookiePath</path>
      </cookies>
    </websso>
  </web.config>
</configuration>
During the deployment, we placed the application in a directory that did not match the cookie path. The sequence went like this: the user went to the application; the application sent the user to the federation server for authentication; the federation server issued the cookie and redirected the user back to the application; because the application sat outside the cookie path, the browser did not send the cookie when the user hit the application the second time; the application therefore sent the user back to the federation server for authentication again; and the federation server doesn’t like it when you try to log in twice within 20 seconds. So the moral of the story is to make sure you set up your cookie path correctly, or you get weird ADFS errors.
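As an added example (not code from the original post), here is a small Python check that reads the websso cookie path out of a web.config and tests, using RFC 6265 path matching, whether a browser would send that cookie to the application's path; the element names follow the snippet above, and the application paths are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment modelled on the snippet above; the <web.config>
# wrapper element is kept only to mirror the page's structure.
WEB_CONFIG = """<configuration>
  <web.config>
    <websso>
      <cookies writecookies="true">
        <path>/CookiePath</path>
      </cookies>
    </websso>
  </web.config>
</configuration>"""


def cookie_path(web_config_xml: str) -> str:
    """Return the websso cookie path configured in the web.config text."""
    root = ET.fromstring(web_config_xml)
    node = root.find(".//websso/cookies/path")
    if node is None or not node.text:
        raise ValueError("no websso/cookies/path element found")
    return node.text.strip()


def path_matches(cookie_path_value: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: would the browser attach a cookie
    scoped to cookie_path_value to a request for request_path?"""
    if request_path == cookie_path_value:
        return True
    if not request_path.startswith(cookie_path_value):
        return False
    # Either the cookie path ends in "/" or the next request-path char is "/"
    return cookie_path_value.endswith("/") or request_path[len(cookie_path_value)] == "/"


def check_sso_cookie_scope(web_config_xml: str, app_path: str) -> str:
    """Diagnose whether the SSO (SAML token) cookie will reach the application."""
    cp = cookie_path(web_config_xml)
    if path_matches(cp, app_path):
        return f"OK: cookie path {cp} covers application path {app_path}"
    return (f"MISMATCH: cookie path {cp} does not cover {app_path}; the browser will "
            f"withhold the token cookie, the agent will redirect to the federation "
            f"server again, and the 20-second duplicate-request error follows")


if __name__ == "__main__":
    print(check_sso_cookie_scope(WEB_CONFIG, "/SomeOtherApp/default.aspx"))
    print(check_sso_cookie_scope(WEB_CONFIG, "/CookiePath/default.aspx"))
```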