Claims-based authentication and security token expiration

The lifetime of a default security token for a claims-based authentication deployment using AD FS 2.0 is 60 minutes. By default, Microsoft Dynamics CRM Server 2011 is configured to display the Authentication is Required dialog box 20 minutes before the token expires.

In the Authentication is Required dialog box, if you click Cancel, the token expires as indicated. When the security token expires, you will need to start a new browser session to Microsoft Dynamics CRM to access your data. Any unsaved changes will be lost.

In the Authentication is Required dialog box, if you click Sign In, the Sign-Out page appears. When you close the Sign-Out page, one of the following occurs:

  • If you have not deployed an Internet-facing deployment (IFD), you will automatically re-authenticate with domain credentials and a new security token will be issued.

  • If you have an IFD deployment, you will be required to re-authenticate by entering your credentials on the login page.

By using Windows PowerShell, you can change the TokenLifetime property for the relying party objects that you created from 60 minutes to a longer period, such as 480 minutes (8 hours):

  1. Open a Windows PowerShell prompt.

  2. Add the AD FS 2.0 snap-in to the Windows PowerShell session:

    PS > Add-PSSnapin Microsoft.Adfs.PowerShell

  3. Configure the relying party token lifetime:

    PS > Get-ADFSRelyingPartyTrust -Name "relying_party"
    PS > Set-ADFSRelyingPartyTrust -TargetName "relying_party" -TokenLifetime 480

    • relying_party is the name of the relying party that you created.
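The procedure above as a single script, added here as an example and not part of the original article: it loads the snap-in, records each relying party's current TokenLifetime, applies the new value and reads it back to confirm the change. The relying party names and the 480-minute value are assumptions; substitute the names of the trusts you created.

```powershell
# Added example, not from the original article. Run in an elevated Windows
# PowerShell session on the AD FS 2.0 server.
param(
    # Assumed names; replace with the relying party trusts you created for CRM.
    [string[]]$RelyingPartyNames = @("relying_party"),
    # New lifetime in minutes; the AD FS 2.0 default is 60.
    [int]$TokenLifetimeMinutes = 480
)

# Load the AD FS 2.0 snap-in only if it is not already in the session.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

foreach ($name in $RelyingPartyNames) {
    $rp = Get-ADFSRelyingPartyTrust -Name $name
    if (-not $rp) {
        Write-Warning "Relying party trust '$name' not found; skipping."
        continue
    }

    # A TokenLifetime of 0 on the trust means the AD FS default (60 minutes) applies.
    $before = if ($rp.TokenLifetime -eq 0) { "default (60)" } else { $rp.TokenLifetime }

    Set-ADFSRelyingPartyTrust -TargetName $name -TokenLifetime $TokenLifetimeMinutes

    # Read the value back rather than assuming the change took effect.
    $after = (Get-ADFSRelyingPartyTrust -Name $name).TokenLifetime
    if ($after -ne $TokenLifetimeMinutes) {
        throw "TokenLifetime for '$name' is $after, expected $TokenLifetimeMinutes."
    }
    Write-Output "${name}: TokenLifetime $before -> $after minutes"
}
```

A longer lifetime also extends how long an issued token stays usable after a user's session should have ended, so choose the smallest value that covers the working day the deployment needs.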

For more information, see: Setting the ADFS Timeout for CRM 2011 Internet Facing Deployments (IFD)


© 2012 Microsoft Corporation. All rights reserved.