Saturday, May 18, 2013

AD FS 2.0 federation server sessions are valid for up to 8 hours even for invalid users (MS CRM 2011 CBA)

By default, Active Directory Federation Services (AD FS) 2.0 server tokens allocate a Web single sign-on (SSO) cookie expiration of eight (8) hours. Therefore, even when a user is deactivated or deleted from an authentication provider, such as AD FS 2.0, as long as the user session is still active the user can continue to be authenticated to secure resources.
To change the value to anything from a minimum of 1 hour up to a maximum of 24 hours, follow the steps below...

The lifetime of a default security token for a claims-based authentication deployment using AD FS 2.0 is 60 minutes. By default, Microsoft Dynamics CRM Server 2011 is configured to display the Authentication is Required dialog box 20 minutes before the token expires.

In the Authentication is Required dialog box, if you click Cancel, the token expires as indicated. When the security token expires, you will need to start a new browser session to Microsoft Dynamics CRM to access your data. Any unsaved changes will be lost.

In the Authentication is Required dialog box, if you click Sign In, the Sign-Out page appears. When you close the Sign-Out page, one of the following occurs:

o If you have not deployed an Internet-facing deployment (IFD), you will automatically re-authenticate with domain credentials and a new security token will be issued.

o If you have an IFD deployment, you will be required to re-authenticate by entering your credentials on the login page.

By using Windows PowerShell, you can change the TokenLifetime property for the relying party objects that you created from 60 minutes to a longer period, such as 480 minutes (8 hours):

1. Open a Windows PowerShell prompt.

2. Add the AD FS 2.0 snap-in to the Windows PowerShell session:

PS > Add-PSSnapin Microsoft.Adfs.PowerShell

3. Configure the relying party token lifetime:

PS > Get-ADFSRelyingPartyTrust -Name "relying_party"

PS > Set-ADFSRelyingPartyTrust -Targetname "relying_party" -TokenLifetime 480
o relying_party is the name of the relying party that you created.
o 480 is the time in minutes.
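The same two cmdlets can be wrapped so that an administrator first sees which relying party trusts carry a long token lifetime (the condition the title describes, where a deactivated user stays authenticated until the token runs out) before changing any of them. This is an added helper, not code from the original post; it assumes the AD FS 2.0 snap-in is installed on the federation server, that the session runs as an AD FS administrator, and the relying party name "relying_party" is a placeholder.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Adfs.PowerShell
# snap-in is available and the caller is an AD FS 2.0 administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-RelyingPartyTokenLifetimeReport {
    param(
        # Trusts whose effective lifetime (minutes) is above this are flagged.
        [int]$MaxMinutes = 60
    )
    Get-ADFSRelyingPartyTrust | ForEach-Object {
        # A TokenLifetime of 0 means "use the service default", which the post
        # states is 60 minutes for a claims-based CRM 2011 deployment.
        $effective = if ($_.TokenLifetime -eq 0) { 60 } else { $_.TokenLifetime }
        New-Object PSObject -Property @{
            Name          = $_.Name
            TokenLifetime = $_.TokenLifetime
            Effective     = $effective
            ExceedsPolicy = ($effective -gt $MaxMinutes)
        }
    }
}

function Set-RelyingPartyTokenLifetime {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Minutes,
        [switch]$ReportOnly
    )
    # Stay inside the 1 hour .. 24 hour range the post mentions.
    if ($Minutes -lt 60 -or $Minutes -gt 1440) {
        throw "TokenLifetime must be between 60 and 1440 minutes (got $Minutes)"
    }
    $rp = Get-ADFSRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "Relying party trust '$Name' not found" }
    if ($ReportOnly) {
        "{0}: current TokenLifetime={1}, would set {2}" -f $rp.Name, $rp.TokenLifetime, $Minutes
        return
    }
    Set-ADFSRelyingPartyTrust -TargetName $Name -TokenLifetime $Minutes
    # Re-read the trust so the caller sees the value AD FS actually stored.
    (Get-ADFSRelyingPartyTrust -Name $Name).TokenLifetime
}

# Usage: list every trust above the 60 minute default, then preview shortening
# one placeholder trust back to 60 minutes without changing it.
Get-RelyingPartyTokenLifetimeReport -MaxMinutes 60 | Format-Table Name, TokenLifetime, Effective, ExceedsPolicy -AutoSize
Set-RelyingPartyTokenLifetime -Name "relying_party" -Minutes 60 -ReportOnly
```

Drop -ReportOnly to apply the change; a shorter lifetime limits how long a deactivated account's existing token keeps working, at the cost of more frequent Authentication is Required prompts in CRM.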

hope this helps...
