3

We have our token to expire after 10 hours, but every 4-5 minutes SharePoint goes out and re-authenticates against the token. Browser activity doesn't matter. How do we keep SharePoint from re-authenticating against the token? I feel like this has something to do with the FedAuth cookie, but not sure.

5
  • Check from the AD server what the Web SSO Lifetime value is. Can you run Get-ADFSProperties on the AD server? Also, on the SharePoint server, run Get-SPSecurityTokenServiceConfig and share the output... Commented Oct 23, 2014 at 19:50
  • Which variables do you want to see? Commented Oct 23, 2014 at 20:53
  • The web token lifetime from ADFS and LogonTokenCache Commented Oct 23, 2014 at 20:57
  • Okay. I won't be able to get those until probably Monday. Am I wrong in thinking that it's probably a SharePoint setting issue, since other apps use that same token and they don't have timeout issues? Commented Oct 23, 2014 at 22:04
  • screenshot of get-spsecuritytokenserviceconfig Commented Oct 24, 2014 at 1:23

4 Answers

1

Enable STS Session Cookie

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.UseSessionCookies = $true
    $sts.Update()

LogonTokenCacheExpirationWindow for the SharePoint STS is 10 minutes. By default, the relying party sets the token lifetime in ADFS to 2 minutes.

LogonTokenCacheExpirationWindow in SharePoint

    # Note: the parameter dash must be a plain hyphen; an en dash is not parsed by PowerShell
    $sts = Get-SPSecurityTokenServiceConfig
    $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
    $sts.Update()

Then do an IISRESET

5
  • What does enabling the STS session cookie do? Currently it is disabled. Commented Oct 23, 2014 at 18:59
  • I was giving you hints which you can try. msdn.microsoft.com/en-us/library/office/… Commented Oct 23, 2014 at 19:02
  • I don't want to use session cookies because it breaks office integration. Commented Oct 23, 2014 at 20:53
  • Then you can change the LogonTokenCacheExpirationWindow Commented Oct 23, 2014 at 21:00
  • This is already set to 10 minutes, but it's timing out way before that Commented Oct 23, 2014 at 22:05
1

Set the ADFS value to a high number like 10 hrs, and set the SharePoint token expiration cache to a lower value, 20 min (not 10 hrs).

ADFS Sliding Expiration

SharePoint 2013 ADFS login local token cache always expired

4
  • The windowstokenlifetime is set to 10 hours and the LogonTokenCacheExpirationWindow is set to 10 minutes Commented Oct 24, 2014 at 1:11
  • screenshot of get-spsecuritytokenserviceconfig Commented Oct 24, 2014 at 1:26
  • The ADFS value should be less. You have to do it on the ADFS server Commented Oct 24, 2014 at 3:27
  • OK, which value is the ADFS value? Commented Oct 24, 2014 at 10:35
1

Don't know how helpful it will be, but we were also suffering from the same issue. Turns out it had nothing to do with the cache or token at all, but instead had to do with how many users could be cached per web front end. The default for SP 2013 is only 250 users, so as soon as user 251 logs in, it invalidates the cache for user 1. Then user 252 invalidates 2, and so on. In any decent-sized organization this can lead to a round-robin of invalidation. We fixed it with the following PowerShell script.

    $maxTokens = 5000
    $sts = Get-SPSecurityTokenServiceConfig
    $sts.MaxServiceTokenCacheItems = $maxTokens
    $sts.MaxLogonTokenCacheItems = $maxTokens
    $sts.Update()
    iisreset

0

Have you seen this?

https://social.technet.microsoft.com/Forums/en-US/954bf5e8-0a32-485d-97e0-7b842e315edc/fedauth-cookie-expiration-adfs-in-sharepoint-2010?forum=sharepointadminprevious

SharePoint calculates the expiration of the cookie with the following formula:

SAML Token Lifetime – Logon Token Cache Expiration Window

This forum post suggests to do this:

Run this command on ADFS, then stop/start ADFS after this is run (not restart). (Looks like this is already set correctly based on your screenshot in one of the comments above.)

    # Note: parameter dashes must be plain hyphens, not en dashes
    Add-PSSnapin Microsoft.ADFS.PowerShell
    Set-AdfsRelyingPartyTrust -TargetName "[ourrelayingpartytrustreference]" -TokenLifeTime 10

Run on the SharePoint server:

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 500)
    $sts.Update()
    iisreset

(I set it to 500 min here, but set it to however long you want it to be)

Did you try this yet? Hope this helps... sorry if it's just noise.
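As an added diagnostic (not code from this thread or from Microsoft), the script below applies the cookie-lifetime formula quoted above (SAML token lifetime minus LogonTokenCacheExpirationWindow) and the per-web-front-end cache limit from the 250-user answer to a set of values, so you can see which setting is forcing the re-authentication before touching the farm. The function name, parameters and sample values are constructed; the first sample uses the 2-minute ADFS default versus the 10-minute SharePoint window that the accepted answer describes.

```powershell
# Added example: checks the two interactions discussed in this thread.
# Assumed, not real, cmdlet names: Test-FedAuthLifetime is defined here.
function Test-FedAuthLifetime {
    param(
        [Parameter(Mandatory)][int]$AdfsTokenLifetimeMinutes,          # relying party TokenLifetime on ADFS
        [Parameter(Mandatory)][timespan]$LogonTokenCacheExpirationWindow, # $sts.LogonTokenCacheExpirationWindow
        [int]$MaxLogonTokenCacheItems = 250,                            # SharePoint 2013 default per WFE
        [int]$ConcurrentUsersPerWfe = 0                                 # constructed estimate of load
    )
    $window    = $LogonTokenCacheExpirationWindow.TotalMinutes
    $effective = $AdfsTokenLifetimeMinutes - $window   # formula from the forum post quoted above
    $findings  = @()

    if ($effective -le 0) {
        $findings += "Cache window ($window min) is not shorter than the ADFS token lifetime " +
                     "($AdfsTokenLifetimeMinutes min): the FedAuth cookie expires immediately, so every " +
                     "request round-trips to ADFS. Raise TokenLifeTime on ADFS or lower the window."
    }
    elseif ($effective -lt 15) {
        $findings += "Effective FedAuth lifetime is only $effective min; users will re-authenticate often."
    }
    if ($ConcurrentUsersPerWfe -gt $MaxLogonTokenCacheItems) {
        $findings += "$ConcurrentUsersPerWfe users exceed MaxLogonTokenCacheItems ($MaxLogonTokenCacheItems): " +
                     "oldest cached logon tokens are evicted and those users re-authenticate (round-robin)."
    }
    [pscustomobject]@{
        EffectiveCookieMinutes = $effective
        CacheHeadroom          = $MaxLogonTokenCacheItems - $ConcurrentUsersPerWfe
        Findings               = $findings
    }
}

# Constructed sample 1: ADFS default 2 min vs SharePoint default 10 min window (the mismatch in this thread)
Test-FedAuthLifetime -AdfsTokenLifetimeMinutes 2 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 10)

# Constructed sample 2: 10 h ADFS lifetime, 20 min window, cache raised to 5000, 1200 users per WFE
Test-FedAuthLifetime -AdfsTokenLifetimeMinutes 600 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 20) `
    -MaxLogonTokenCacheItems 5000 -ConcurrentUsersPerWfe 1200

# On a real farm (SharePoint snap-in loaded) the SharePoint side comes straight from the STS config;
# the ADFS TokenLifeTime still has to be read on the ADFS server and passed in by hand:
#   $sts = Get-SPSecurityTokenServiceConfig
#   Test-FedAuthLifetime -AdfsTokenLifetimeMinutes <ADFS TokenLifeTime> `
#       -LogonTokenCacheExpirationWindow $sts.LogonTokenCacheExpirationWindow `
#       -MaxLogonTokenCacheItems $sts.MaxLogonTokenCacheItems
```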
