ADFS 2016: how to set TokenLifeTime for non-claims-aware relying party trust? [Windows Server 2016]

  • Question

  • Hello,

    I configured an ADFS + WAP environment for authentication and publishing of SharePoint sites.

    To use Kerberos, I have published my SharePoint as a non-claims-aware relying party

    On the ADFS side:

    However, if I use PowerShell, I only see the claims-aware RPT:

    Get-AdfsRelyingPartyTrust | ft Name,TokenLifetime
    I get

    So not all Relying Party Trusts are shown.

    According to

     https://tristanwatkins.com/coordinating-adfs-2012-r2-token-lifetime-logon-prompt-enforce-revocation-session-duration-public-network/

    I want to set my TokenLifeTime with

    Set-ADFSRelyingPartyTrust -TargetName 'groupware.oad.icts.kuleuven.be (non-claims-aware)' -TokenLifetime 60
    But this cannot be done.

    On my previous ADFS configuration (Windows Server 2012 R2), ALL RelyingPartyTrusts are shown.

    Has something changed here on Server 2016?

    How can I set my TokenLifeTime ?

    kind regards,

    Bart Plessers


    ----- Bart Plessers K.U.Leuven BELGIUM

    Tuesday, January 10, 2017 8:45 AM
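The listing difference in the question comes from claims-aware and non-claims-aware trusts being separate object types served by separate cmdlets: Get-AdfsRelyingPartyTrust returns only the former, while trusts created with Add-AdfsNonClaimsAwareRelyingPartyTrust are returned by Get-AdfsNonClaimsAwareRelyingPartyTrust. The following is an added example (not from the original post) that enumerates both kinds side by side and checks, rather than assumes, whether the non-claims-aware object type exposes a TokenLifetime property at all. It assumes the ADFS PowerShell module on an ADFS server; the "Kind" column is a label added here.

```powershell
# Added example, not from the original thread. Assumes the ADFS module is
# available (run on an ADFS server, Windows Server 2012 R2 or 2016).

# Claims-aware trusts: this object type carries TokenLifetime.
$claimsAware = Get-AdfsRelyingPartyTrust |
    Select-Object Name, Identifier,
                  @{ Name = 'Kind'; Expression = { 'ClaimsAware' } },
                  TokenLifetime

# Non-claims-aware trusts (Kerberos via WAP pre-authentication) live behind
# a different cmdlet, which is why they are missing from the listing above.
$nonClaimsAware = Get-AdfsNonClaimsAwareRelyingPartyTrust |
    Select-Object Name, Identifier,
                  @{ Name = 'Kind'; Expression = { 'NonClaimsAware' } },
                  TokenLifetime   # empty column if the property does not exist

# Check the object type directly instead of trusting the table.
$sample = Get-AdfsNonClaimsAwareRelyingPartyTrust | Select-Object -First 1
$hasLifetime = ($null -ne $sample) -and
    [bool]($sample | Get-Member -Name TokenLifetime -MemberType Property `
                                -ErrorAction SilentlyContinue)

# @() guards the case where either cmdlet returns a single object or nothing.
@($claimsAware) + @($nonClaimsAware) |
    Format-Table Name, Kind, TokenLifetime -AutoSize

"Non-claims-aware trust objects expose a TokenLifetime property: $hasLifetime"
```

If the last line prints False, the per-RP lifetime cannot be read or set on that trust type through this cmdlet pair, which is what the replies in this thread go on to report.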

All replies

  • I have the same issue on Server 2012 R2

    Set-AdfsRelyingPartyTrust has the -TokenLifetime property

    Set-AdfsNonClaimsAwareRelyingPartyTrust does not


    mmm... coffee...

    Friday, February 17, 2017 1:11 AM
  • Did anyone find a way to set/verify the TokenLifetime for an AdfsNonClaimsAwareRelyingPartyTrust on Server 2016?
    Thursday, October 25, 2018 11:52 AM
  • A potential workaround for some seems to be to set the tokenlifetime with the following command.  

    Set-AdfsWebApplicationProxyRelyingPartyTrust -TokenLifetime 480

    I'm guessing it will extend the token life for all RPs going through the WAP, but for my case it is OK. I did some testing and the default TokenLifetime is 0, which ends up being 60 minutes. As soon as I ran the command above I got a new token for 8 hours, as I had hoped.

    I still think the TokenLifetime should be able to be set on the individual NonClaimsAwareRelyingPartyTrust, but this works for now.


    Wednesday, November 14, 2018 5:22 PM
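The workaround in the last reply changes the lifetime on the Web Application Proxy's own relying party trust, so it applies to everything published through that WAP, not to a single non-claims-aware RP. The following is an added example (not from the original thread) that first verifies which Set-* cmdlets actually accept -TokenLifetime, then records the current WAP trust value, applies the change only when an explicit switch is set, and reads the value back. It assumes the ADFS module on an ADFS server with a WAP already registered; the value 480 is the one from the reply above and is a policy choice, not a recommendation.

```powershell
# Added example, not from the original thread. Assumes the ADFS module and a
# registered Web Application Proxy, so that the WAP relying party trust exists.

# 1. Confirm which cmdlets expose -TokenLifetime instead of assuming it.
$cmdlets = 'Set-AdfsRelyingPartyTrust',
           'Set-AdfsNonClaimsAwareRelyingPartyTrust',
           'Set-AdfsWebApplicationProxyRelyingPartyTrust'
foreach ($cmd in $cmdlets) {
    $accepts = (Get-Command $cmd).Parameters.ContainsKey('TokenLifetime')
    '{0,-48} accepts -TokenLifetime: {1}' -f $cmd, $accepts
}

# 2. Record the current WAP trust lifetime (minutes). The reply above observed
#    that 0 means the service default, which behaved as 60 minutes.
$before = (Get-AdfsWebApplicationProxyRelyingPartyTrust).TokenLifetime
"WAP relying party trust TokenLifetime before: $before"

# 3. Apply the WAP-wide change only when deliberately enabled. This is the
#    proxy's trust, so every application behind the WAP gets the new lifetime;
#    a longer lifetime also lengthens the window in which a stolen token stays
#    valid, so weigh that against the convenience gain before flipping this.
$apply = $false          # set to $true once the WAP-wide scope is acceptable
$desiredMinutes = 480    # value from the reply above; choose per your policy

if ($apply) {
    Set-AdfsWebApplicationProxyRelyingPartyTrust -TokenLifetime $desiredMinutes
}

# 4. Read the value back so the change is verified rather than assumed.
$after = (Get-AdfsWebApplicationProxyRelyingPartyTrust).TokenLifetime
"WAP relying party trust TokenLifetime after:  $after"
```

Run it once with $apply left at $false to see the parameter check and current value, then set $apply to $true if the WAP-wide effect is acceptable for every published application, not just the non-claims-aware SharePoint trust.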