ADFS Timeouts – Keep Above 10 Minutes When Testing

Posted in Active Directory Federation Services by Owner, September 10, 2018


I ran into this issue very recently when helping with an ADFS environment setup that used a federation proxy in front of an internal federation service farm. The desired timeout was 15 minutes, after which a user would have to re-authenticate to the ADFS box. To speed up testing, we tried short timeouts of 1-2 minutes, then up to 5, but nothing ever timed out, which derailed the proof of concept. Timeouts above roughly 8 minutes did fire, though. Furthermore, there was never a precise timeout; there was always some amount of skew.

This behavior seemed erratic. The cause is that ADFS has a Cache Scavenge interval, the process that purges out-of-date records from the client cache. If your timeouts are configured in a fairly orthodox way, for example a ten-minute timeout:

On the SharePoint box:

$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
# Persist the change; without Update() the new window is not saved
$sts.Update()

And on the ADFS box:

Set-ADFSRelyingPartyTrust -TargetName "<Relying Party Common Name>" -TokenLifeTime 10

But if you set TokenLifeTime to a ridiculously low value (it always has to be above the LogonTokenCacheExpirationWindow, by the way), such as two, the difference leaves an effective timeout of one minute, and the Cache Scavenge will never fire. The issued ticket will therefore still be considered valid.

The takeaway is to always test with something like a 10-minute timeout and accept the wait for verification.
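As an added example (not part of the original post), a small check that compares the two values before a test run so the scenario above is caught up front. The function name, parameter names and the 10-minute floor are my own; the floor is the post's recommendation, and the two source cmdlets are only referenced in comments.

```powershell
# Added check, not from the original post. Inputs are the ADFS relying-party
# TokenLifetime and the SharePoint LogonTokenCacheExpirationWindow, in minutes.
# On the ADFS box the first comes from
#   (Get-AdfsRelyingPartyTrust -Name "<Relying Party Common Name>").TokenLifetime
# and on the SharePoint box the second from
#   (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow.TotalMinutes
function Test-AdfsTimeoutConfig {
    param(
        [Parameter(Mandatory)][int]$TokenLifetimeMinutes,
        [Parameter(Mandatory)][int]$CacheWindowMinutes,
        [int]$MinimumTestMinutes = 10   # floor recommended by the post
    )

    $problems = @()

    # Rule from the post: TokenLifetime must always exceed the cache window.
    if ($TokenLifetimeMinutes -le $CacheWindowMinutes) {
        $problems += "TokenLifetime ($TokenLifetimeMinutes min) must be greater than " +
                     "LogonTokenCacheExpirationWindow ($CacheWindowMinutes min)."
    }

    # The effective re-authentication interval is the difference of the two.
    $effective = $TokenLifetimeMinutes - $CacheWindowMinutes

    # Below the floor the cache scavenge may never run, so nothing times out.
    if ($TokenLifetimeMinutes -lt $MinimumTestMinutes) {
        $problems += "TokenLifetime is $TokenLifetimeMinutes min (effective $effective min); " +
                     "the cache scavenge may not fire. Use at least $MinimumTestMinutes min while testing."
    }

    [pscustomobject]@{
        TokenLifetimeMinutes = $TokenLifetimeMinutes
        CacheWindowMinutes   = $CacheWindowMinutes
        EffectiveMinutes     = $effective
        SafeToTest           = ($problems.Count -eq 0)
        Problems             = $problems
    }
}

# The post's two configurations: 10/1 is the orthodox one, 2/1 is the erratic one.
Test-AdfsTimeoutConfig -TokenLifetimeMinutes 10 -CacheWindowMinutes 1
Test-AdfsTimeoutConfig -TokenLifetimeMinutes 2  -CacheWindowMinutes 1
```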

Written by: Owner