Force Token Expiration
Question
Answers
-
Hi,
If session cookies are used, your requirement can be achieved.
If persistent cookies are used, you can disable it using the command below:
$sts = Get-SPSecurityTokenServiceConfig $sts.UseSessionCookies = $true $sts.Update() iisreset
The default LogonTokenCacheExpirationWindow value for the SharePoint STS is 10 minutes. You can change it to 1 minute, which means SharePoint needs to go to ADFS to refresh token every one minute.
How to change LogonTokenCacheExpirationWindow value:
$sts = Get-SPSecurityTokenServiceConfig $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan –minutes 1) $sts.Update() iisreset
If you want to force current users’ token expiration, you can set TokenLifetime property of relying party in ADFS to 1 minute also. Then all the users will be forced off line within 1 minute.
How to set TokenLifetime property of relying party in ADFS:
Set-ADFSRelyingPartyTrust -TargetName "SPS 2013 ADFS" -TokenLifetime 1
A good article about how to set the Login Token Expiration Correctly for your reference:
https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx
Best Regards,
Dean Wang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
- Edited by Dean_Wang Friday, September 25, 2015 3:29 AM
- Proposed as answer by Dean_Wang Tuesday, October 6, 2015 2:32 AM
- Marked as answer by Wendy DZMicrosoft contingent staff Wednesday, October 7, 2015 2:47 AM
-
Hi,
It also works if you do an iisreset on all servers.
Yes, it will force all new claims.
If my reply is helpful to you, you can mark as answer.
Best Regards,
Dean Wang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.- Proposed as answer by Dean_Wang Tuesday, October 6, 2015 2:32 AM
- Marked as answer by Wendy DZMicrosoft contingent staff Wednesday, October 7, 2015 2:47 AM
All replies
-
Hi,
Security Token Service takes part in SharePoint Authentication. When the SharePoint Authentication process is initiated, the login and password are passed to the Security Token Service. SharePoint then creates a FedAuth cookie based on the issued security token and adds it to the Response. Once the cookie is sent to the client it’s stored there in the local cookies folder. Every next request for the site is accompanied with the cookie, unless it’s expired. SharePoint reads the cookie from requests and provides access to the content without re-authentication.
The default expiration time is a setting of the Security Token Service. You can change the expiration time of the FedAuth cookie using command below:
$sts = Get-SPSecurityTokenServiceConfig $sts. FormsTokenLifetime = (New-TimeSpan –minutes value) $sts.Update() iisreset
Extending the FedAuth / Claims Auth Ticket in SharePoint 2010:
http://blog.tylerholmes.com/2012/04/extending-fedauth-claims-auth-ticket-in.html
More information about setting the Login Token Expiration for your reference:
http://blog.randomdust.com/2013/06/sharepoint-2013-claim-expiration-and-ad-sync/
Best Regards,
Dean Wang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com. -
Hi,
If session cookies are used, your requirement can be achieved.
If persistent cookies are used, you can disable it using the command below:
$sts = Get-SPSecurityTokenServiceConfig $sts.UseSessionCookies = $true $sts.Update() iisreset
The default LogonTokenCacheExpirationWindow value for the SharePoint STS is 10 minutes. You can change it to 1 minute, which means SharePoint needs to go to ADFS to refresh token every one minute.
How to change LogonTokenCacheExpirationWindow value:
$sts = Get-SPSecurityTokenServiceConfig $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan –minutes 1) $sts.Update() iisreset
If you want to force current users’ token expiration, you can set TokenLifetime property of relying party in ADFS to 1 minute also. Then all the users will be forced off line within 1 minute.
How to set TokenLifetime property of relying party in ADFS:
Set-ADFSRelyingPartyTrust -TargetName "SPS 2013 ADFS" -TokenLifetime 1
A good article about how to set the Login Token Expiration Correctly for your reference:
https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx
Best Regards,
Dean Wang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
- Edited by Dean_Wang Friday, September 25, 2015 3:29 AM
- Proposed as answer by Dean_Wang Tuesday, October 6, 2015 2:32 AM
- Marked as answer by Wendy DZMicrosoft contingent staff Wednesday, October 7, 2015 2:47 AM
-
Hi,
It also works if you do an iisreset on all servers.
Yes, it will force all new claims.
If my reply is helpful to you, you can mark as answer.
Best Regards,
Dean Wang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.- Proposed as answer by Dean_Wang Tuesday, October 6, 2015 2:32 AM
- Marked as answer by Wendy DZMicrosoft contingent staff Wednesday, October 7, 2015 2:47 AM
