Having installed ADFS on win2016 I noticed a new claim
http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid
being issued by ADFS if logging on with IE/Edge on Win10.
I have not been able to find any documentation for that claim - but it seems related to SSL token binding, and could be a way to securely identify the user environment (which I have a need for).
Based on experiments it seems as if the browser token binding keys are not renewed on new connections - rather you can expect the same tokenbindingid value when logging on from the same browser. Is that a valid assumption?
Does the tokenbindingid indeed securely identify the user environment?
Is the new claim documented anywhere?
One of my win10 client machines has upgraded to the win10 creative update - and this seems to have broken the token binding negotiation. Is the token binding feature possibly too premature to use?
Thanks, Peter