Cookies – IE – ADFS – MSIS7001

Recently we had some strange issues with an ADFS login. Everything worked, but it didn’t. On some sites we got the following error:

“MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request”

One of my colleagues pointed out that all sites with the error contained the underscore (“_”) character, so we started digging into this and found out indeed IE has some issues with the underscore chars in the URL. More accurately the way IE is designed, makes it incapable of creating cookies, if the URL contains an underscore in the domain name.
We found this QandA on Internet Explorer and cookies:

Snowballing further from that link leads to the following KB:

“Security patch MS01-055 prevents servers with improper name syntax from setting cookies names. Domains that use cookies must use only alphanumeric characters (“-” or “.”) in the domain name and the server name. Internet Explorer blocks cookies from a server if the server name contains other characters, such as an underscore character (“_”).
Because ASP session state and session variables rely on cookies to function, ASP cannot maintain session state between requests if cookies cannot be set on the client.
This issue can also be caused by an incorrect name syntax in a host header.”

Basically the above security patch is implemented as part of Internet Explorer and the way it handles domain names and cookies.
So far this has been tested on the following versions of of Internet Explorer; IE8, IE9, IE10 and IE11.
This is not a problem for Chrome or Firefox – I have not tested with other browsers or versions.