Adjusting token lifetimes at the Web Application Proxy for external access

    Question

  • Does the Web Application Proxy or AD FS have any separate controls for adjusting token lifetimes to a different value via WAP than directly at AD FS? I can see there's a session cookie for EdgeAccessCookie that WAP issues but this seems to be entirely undocumented at present. I've poked around in C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config (also undocumented as far as I can tell) but I'm not finding anything there either. We used to have some of these controls (sort of) with TMG/UAG. Are they totally gone now? With the AD FS Proxy this was less of an issue because it was only publishing AD FS but this is something that I'd hope to be able to control with a Reverse Proxy. Any ideas?


    http://twitter.com/tristanwatkins http://tristanwatkins.com

    Monday, February 17, 2014 11:34 AM

All replies

  • Hmmm... There is a bit more about this on TechNet now, in part three of the Web Application Proxy planning guidance:

    After the user is authenticated, the AD FS server issues a security token, the ‘edge token’, containing the following information and redirects the HTTPS request back to the Web Application Proxy server:
    • The resource identifier that the user attempted to access.
    • The user’s identity as a user principal name (UPN).
    • The expiry of the access grant approval; that is, the user is granted access for a limited period of time, after which they are required to authenticate again.
    • Signature of the information in the edge token.

    Web Application Proxy receives the redirected HTTPS request from the AD FS server with the edge token and validates and uses the token as follows:
    • Validates that the edge token signature is from the federation service that is configured in the Web Application Proxy configuration.
    • Validates that the token was issued for the correct application.
    • Validates that the token has not expired.
    • Uses the user identity when required; for example to obtain a Kerberos ticket if the backend server is configured to use Integrated Windows authentication.

    This suggests there may be some other expiration data in the EdgeAccessCookie (it may just be referring to the FedAuth cookie), but I still can't see any way to control that differently for external requests.


    http://twitter.com/tristanwatkins http://tristanwatkins.com

    Monday, February 17, 2014 12:29 PM
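The three edge-token checks the quoted TechNet guidance lists (signature from the configured federation service, issued for the correct application, not expired), written out as an added example in Python. This is not AD FS or Web Application Proxy code: the real edge token format is not documented on this page, so the token layout, the `resource`/`upn`/`exp` field names and the HMAC-SHA256 signature are assumptions made purely to show the validation order and the failure modes an edge validator has to distinguish.

```python
import base64
import hashlib
import hmac
import json

# Constructed illustration of an 'edge token' carrying the four items the
# TechNet text lists. Field names and the HMAC-SHA256 signature are assumptions;
# they are not the actual AD FS edge token format.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_edge_token(federation_key: bytes, resource_id: str, upn: str,
                     lifetime_seconds: int, now: int) -> str:
    """Stand-in for the federation service: sign resource, UPN and expiry."""
    body = json.dumps(
        {"resource": resource_id, "upn": upn, "exp": now + lifetime_seconds},
        sort_keys=True,
    ).encode()
    signature = hmac.new(federation_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


def validate_edge_token(token: str, federation_key: bytes,
                        expected_resource: str, now: int):
    """Stand-in for the proxy-side checks. Returns (ok, reason, claims).

    The signature is verified before any claim is read, so an unsigned or
    tampered body never influences the audience or expiry decision.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body, signature = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return False, "malformed", None

    # 1. Signature must come from the configured federation service key.
    expected = hmac.new(federation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature", None

    claims = json.loads(body)

    # 2. Token must have been issued for the application being accessed.
    if claims.get("resource") != expected_resource:
        return False, "wrong application", None

    # 3. Token must not have expired (exp is an absolute time, compared to now).
    if claims.get("exp", 0) <= now:
        return False, "expired", None

    # 4. Only now is the UPN trusted for downstream use (e.g. Kerberos).
    return True, "ok", claims


if __name__ == "__main__":
    key = b"constructed-federation-service-key"  # constructed sample key
    t0 = 1_000_000
    tok = issue_edge_token(key, "https://app.example.test/", "alice@example.test", 600, t0)
    print(validate_edge_token(tok, key, "https://app.example.test/", t0 + 100))
    print(validate_edge_token(tok, key, "https://app.example.test/", t0 + 600))
```

The check order matters for a reverse proxy: signature first, then audience, then lifetime. Shortening the lifetime handed to external clients, the control the original question is asking about, would mean the issuer (here `issue_edge_token`) choosing a smaller `lifetime_seconds` for externally originated requests; the validator itself needs no change for that.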