Thursday, September 02, 2010 3:04 PM
I setup SharePoint 2010 Claims auth with AD FS 2.0 following this post: http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx. I have no access to the ADFS server, but I think they followed the steps as outlined. If I do an iisreset (or just recycle the app pool of the SharePoint site) I can login successfully using the remote credentials. Also I can under security in SharePoint search for and find users and roles from the remote ADFS server.
If I close my browser, open a new browser and go to the site I am prompted to login again (this is fine). I do, using the same credentials, and the login fails because I am redirected between the SP and ADFS servers until the ADFS server stops the redirecting. I have been doing some digging and I found this post: http://blogs.technet.com/b/speschka/archive/2010/08/09/setting-the-login-token-expiration-correctly-for-sharepoint-2010-saml-claims-users.aspx, which describes the situation I have in point # 3 at the bottom. I have tried setting the token time out as low as 1 second but this hasn't helped.
I have also, just to see, tried setting all the other lifetime settings to 1 second - but no luck. Because the initial login works I think the setup is correct, but something is maintaining some state that is causing the looping. If I do an iisreset, I get one good login attempt and then back to the looping situation.
Any ideas are very much appreciated!
Monday, September 06, 2010 10:21 AMModerator
http://blogs.technet.com/b/speschka/archive/2010/08/09/setting-the-login-token-expiration-correctly-for-sharepoint-2010-saml-claims-users.aspx says that you just need to change the LogonTokenCacheExpirationWindow to be less than the SAML TokenLifetime.
If you set the TokenLifetime to be 1 second, what could be the value of LogonTokenCacheExpirationWindows?
You can set the TokenLifetime to, say, 2 minutes, and use the follows PowerShell to update the LogonTokenCacheExpirationWindows to 1 minute:
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan –minutes 1)