locked
CRM ADFS timeout RRS feed

  • Question

  • Hello,

    We have CRM 2013 and ADFS 2.1 (windows 2012) with IFD. So we use 2 different links to access CRM: internal and external. 

    Questions below are about internal access.

    1. We have configured different ADFS session timeouts for internal and external links. The problem here if we work with CRM with developer tools(using internal link) that distribute the links to the users the system returns external links and therefore  external timeout is applied to these sessions (even users access the system internally).

    Why does it happen? And how to avoid this by CRM config?

    We have improved this by proxying and rewriting external links with IIS ARR. So internally we access internal links directly and external links by IIS ARR proxying.

    2. Another and main issue. We have configured all timeouts (for internal and external links) for 24h. But CRM session expires randomly in spite of the ADFS timeouts. Why does it happen? I have read ADFS timeout logic articles but those do not explain this behavior. Any help is appreciated.

    Monday, March 2, 2015 1:27 PM

All replies

  • Its not related to crm, this is related to kerberos tickets token = 10hours lifetime

    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    • Proposed as answer by Daniel Ovadia Monday, March 2, 2015 3:20 PM
    Monday, March 2, 2015 2:03 PM
  • thanks. we will try this point.
    Monday, March 2, 2015 2:59 PM
  • I guess this is related to user tickets or to service as well?
    Monday, March 2, 2015 3:38 PM
  • yes user.

    https://technet.microsoft.com/en-us/library/bb742516.aspx?f=255&MSPPError=-2147217396#EDAA

    https://community.dynamics.com/crm/b/crmteamblog/archive/2012/09/19/enabling-kerberos-for-microsoft-dynamics-crm-2011.aspx

    http://windowsitpro.com/security/how-can-i-change-ticket-lifetime-used-kerberos

    And on the adfs server increase the lifetime or what you also could do is to renew with a task on the users machine the token in background without increasing anything..


    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    Tuesday, March 3, 2015 8:34 AM
  • We have increased Kerberos ticket lifetime but the issue still remains. Are there other options that can impact crm session ?  Internet pages just say about ADFS timeouts but this looks not so evident.
    Monday, March 23, 2015 1:30 PM