Directory Programming .NET

Active Directory and ADAM programming support for .NET developers
ADFS OWA logoff

Last post 07-01-2008, 3:47 PM by natebell. 12 replies.
  •  06-05-2008, 7:44 AM 3802

    ADFS OWA logoff

    Hi,

    In the Microsoft technet document [1] on "How to Use Active Directory Federation Services with Outlook Web Access for Exchange 2007" they say the following:

    "In ADFS, the timed logoff, also known as session expiration, does not interoperate with Outlook Web Access. You must turn off timed logoff in ADFS to use ADFS with Outlook Web Access."

    Could someone tell me how to do this for an NT-token based ADFS web agent?

    This question is a repost of another question posted on this forum [2], but in a new thread, which is more convenient.

    Regards,

    Philip


    [1] http://technet.microsoft.com/en-us/library/bb691348(EXCHG.80).aspx
    [2] http://directoryprogramming.net/forums/permalink/3644/3658/ShowThread.aspx#3658
  •  06-05-2008, 8:14 AM 3803 in reply to 3802

    Re: ADFS OWA logoff

    I would like to know as well, because I never did find this setting. My OWA is working; perhaps, though, it might time out weirdly if left idle for a while. I haven't tried that yet.
  •  06-05-2008, 2:02 PM 3807 in reply to 3802

    Re: ADFS OWA logoff

    Sorry, but I'm not even certain what they mean by "timed logoff" in ADFS. Is the expectation that you set the token lifetime to a very large value, or something else? I've never seen a setting called "timed logoff" anywhere.

    Perhaps someone like Jim will see this and can fill us in on what is meant by this.

  •  06-06-2008, 8:42 AM 3816 in reply to 3807

    Re: ADFS OWA logoff

    My concern is that there needs to be some timeout mechanism, I'm hoping that I can set that using the "token lifetime" setting in ADFS.

    Otherwise the user is always logged in as long as their browser is open.

  •  06-06-2008, 9:26 AM 3818 in reply to 3816

    Re: ADFS OWA logoff

    I sent email to the document author for some clarification on this. I'm not sure I understand this statement 100% either.

  •  06-10-2008, 7:48 PM 3867 in reply to 3818

    Re: ADFS OWA logoff

    OK, we were all confused about this because the sentence that reads:

    In ADFS, the timed logoff, also known as session expiration, does not interoperate with Outlook Web Access. You must turn off timed logoff in ADFS to use ADFS with Outlook Web Access.

    is confusing :)

    Something like this is probably a better way to put it:

    In OWA, the timed logoff, also known as session expiration, does not interoperate with AD FS. You must turn off timed logoff in OWA to use it with ADFS.

    I'm still checking with folks, but I have confirmed there is no timed logoff functionality built into ADFS, so there is no way to turn it off.

  •  06-11-2008, 2:34 AM 3872 in reply to 3867

    Re: ADFS OWA logoff

    But what happens when your AD FS session expires? I see two session cookies at the resource side: _WebSsoAuth and _WebSsoAuth0.

    I expect they have a timeout or lifetime as well. Isn't this something that is configurable?

    But you're right, we don't want the OWA session to expire and get relogged in transparently. This can be quite confusing for a user, especially when this happens during a mail composition.
    So if we disable the timed logoff in OWA, we fall back on the AD FS session management (which I hope is configurable).

    Philip
  •  06-11-2008, 8:30 AM 3875 in reply to 3872

    Re: ADFS OWA logoff

    To me, turning off OWA's timeout sounds better than turning off the ADFS timeout. So that is good news to me.

    I've noticed some odd behavior with OWA after the ADFS cookies expire, but I haven't turned off any setting in OWA. I'll try turning off OWA's timeouts.

  •  06-12-2008, 10:52 PM 3903 in reply to 3872

    Re: ADFS OWA logoff

    First, to explain the _webSSOAuth cookies: ADFS has a mechanism for splitting the ADFS login cookie into pieces to avoid exceeding the size allowed for a single cookie. So, if you see a _webSSOAuth0 cookie, that happens just because the encoded/compressed SAML token in the cookie is large. They can be arbitrarily large because you can have as many claims as you want in them.

    Related to timeouts, it is configurable. The thing to remember is that each FS issues a login cookie (or cookies) called _WebSSOAuth, and each app also issues its own cookie with the same name. The timeout for each one can be different, so it can get a little confusing as to when the user may be forced to reauthenticate. For example, if the app times out after 30 minutes but the FS hasn't timed out yet, the FS will simply issue the user a new token for the app and they will get right back in without a credentials rechallenge.

    Check the various token lifetime parameters in the property pages in the ADFS mmc to see where these are configured.

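    The cookie-splitting behaviour described in the post above, as an added illustration that is not ADFS's own code and not from the original thread. It splits an oversized encoded token across several cookies and reassembles it, so you can see why a _WebSsoAuth0 cookie shows up next to _WebSsoAuth. Assumptions: a per-cookie ceiling of 4000 characters (a typical browser limit, not a figure from the thread), and that pieces after the first are numbered _WebSsoAuth0, _WebSsoAuth1, ... (the thread only shows the first overflow name); the token itself is a constructed byte string, not a real SAML token.

```powershell
# Added example (not ADFS code). Assumed per-cookie limit and assumed numbering of
# overflow pieces beyond _WebSsoAuth0; the input token is constructed, not captured.
function Split-SsoCookie {
    param(
        [Parameter(Mandatory)][string]$EncodedToken,
        [string]$BaseName = '_WebSsoAuth',
        [int]$MaxValueLength = 4000   # assumption: browser per-cookie ceiling
    )
    $pieces = [ordered]@{}
    $offset = 0
    $pieceNo = 0
    while ($offset -lt $EncodedToken.Length) {
        $len = [Math]::Min($MaxValueLength, $EncodedToken.Length - $offset)
        # First piece keeps the base name; later pieces get a numeric suffix starting at 0.
        $name = if ($pieceNo -eq 0) { $BaseName } else { "$BaseName$($pieceNo - 1)" }
        $pieces[$name] = $EncodedToken.Substring($offset, $len)
        $offset += $len
        $pieceNo++
    }
    return $pieces
}

function Join-SsoCookie {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Pieces,
        [string]$BaseName = '_WebSsoAuth'
    )
    # Reassemble in order: base name first, then suffix 0, 1, ... until a gap.
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.Append([string]$Pieces[$BaseName])
    $k = 0
    while ($Pieces.Contains("$BaseName$k")) {
        [void]$sb.Append([string]$Pieces["$BaseName$k"])
        $k++
    }
    return $sb.ToString()
}

# Constructed input: 9000 arbitrary bytes, base64-encoded (12000 chars), so it
# needs three cookies at the assumed 4000-character ceiling.
$token   = [Convert]::ToBase64String([byte[]](1..9000 | ForEach-Object { $_ % 256 }))
$cookies = Split-SsoCookie -EncodedToken $token
foreach ($name in $cookies.Keys) {
    '{0,-14} {1,6} chars' -f $name, $cookies[$name].Length
}
if ((Join-SsoCookie -Pieces $cookies) -ne $token) { throw 'reassembly mismatch' }
'Reassembled token matches the original.'
```

    The practical point for an investigation is that the pieces are one logical credential: when you are checking the ADFS login cookie's expiry or attributes at the resource side, look at every _WebSsoAuth* cookie, not just the first one.
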
  •  07-01-2008, 3:01 PM 4075 in reply to 3903

    Re: ADFS OWA logoff

    http://technet.microsoft.com/en-us/library/aa996373(EXCHG.80).aspx

    This article mentions PublicClientTimeout and TrustedClientTimeout. Are these the settings that need to change to turn off the timed logoff or session expiration?

    I am assuming setting these to 0 will turn them off.

  •  07-01-2008, 3:08 PM 4076 in reply to 4075

    Re: ADFS OWA logoff

    If so, would this statement be correct?

    Because the OWA timeout/session expiration is not interoperable with ADFS, you must turn it off in OWA. To do this, you will need to set both the
    HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA\PublicClientTimeout
    and the
    HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA\TrustedClientTimeout
    registry settings to zero.

  •  07-01-2008, 3:32 PM 4078 in reply to 4076

    Re: ADFS OWA logoff

    It would appear that this does not work (unless it is cached somewhere): the ADFS timeout signs me out of the web application, but I am always logged into OWA.

    Hopefully there will be a way for the user to be timed out of OWA for security reasons!

  •  07-01-2008, 3:47 PM 4079 in reply to 4078

    Re: ADFS OWA logoff

    http://hellomate.typepad.com/exchange/2003/11/formsbased_auth.html

    According to this article you can't set them below 1, so this might not be the way to turn it off.

    When changing them, though, an IIS reset is required.

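    The OWA timeout change discussed in the last few posts, as an added PowerShell example that is not from the thread or from Microsoft. It reads the two registry values the posts name and sets them to a new value, enforcing the thread's two findings: a value below 1 is not accepted (zero did not disable the timeout), and IIS must be reset for the change to take effect. Assumptions: both values are REG_DWORD and expressed in minutes (as the linked Exchange 2007 article describes them), and the function names Get-OwaTimeout / Set-OwaTimeout are mine. Run it elevated on the CAS/OWA server.

```powershell
# Added example, not from the original thread. Registry path and value names are
# the ones the thread cites; DWORD-in-minutes is an assumption taken from the
# linked Exchange 2007 documentation. Function names are illustrative.
$owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'

function Get-OwaTimeout {
    [CmdletBinding()]
    param()
    # A missing value means the built-in default applies; report that explicitly.
    $props = Get-ItemProperty -Path $owaKey -ErrorAction Stop
    [pscustomobject]@{
        PublicClientTimeout  = if ($null -ne $props.PublicClientTimeout)  { $props.PublicClientTimeout }  else { '(not set, default applies)' }
        TrustedClientTimeout = if ($null -ne $props.TrustedClientTimeout) { $props.TrustedClientTimeout } else { '(not set, default applies)' }
    }
}

function Set-OwaTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # ValidateRange starts at 1: the thread reports that 0 does not switch the timeout off.
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$PublicMinutes,
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$TrustedMinutes,
        [switch]$RestartIis
    )
    $values = [ordered]@{
        PublicClientTimeout  = $PublicMinutes
        TrustedClientTimeout = $TrustedMinutes
    }
    foreach ($entry in $values.GetEnumerator()) {
        if ($PSCmdlet.ShouldProcess("$owaKey\$($entry.Key)", "set DWORD to $($entry.Value)")) {
            # Set-ItemProperty creates the value if it does not yet exist; -Type pins it to REG_DWORD.
            Set-ItemProperty -Path $owaKey -Name $entry.Key -Value $entry.Value -Type DWord
        }
    }
    if ($RestartIis) {
        # The thread notes the new values are not picked up until IIS is reset.
        if ($PSCmdlet.ShouldProcess('IIS', 'iisreset /noforce')) { iisreset /noforce }
    }
    Get-OwaTimeout
}

# Usage: inspect, then shorten the timeouts on public (untrusted) clients and restart IIS.
Get-OwaTimeout
Set-OwaTimeout -PublicMinutes 15 -TrustedMinutes 480 -RestartIis -WhatIf   # drop -WhatIf to apply
```

    Because the thread establishes that OWA's forms-based timeout cannot be disabled this way, the useful check after any change is the one in Get-OwaTimeout: confirm what is actually set, then test the idle behaviour end to end, since the ADFS web agent and OWA each keep their own _WebSsoAuth cookie with its own lifetime and the shorter of the two is what the user experiences.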