Token Binding Id - http://schemas.microsoft.com/2015/12/devicecontext/claims/tokenbindingid RRS feed

  • Question

  • Having installed ADFS on win2016 I noticed a new claim


    being issued by ADFS if logging on with IE/Edge on Win10.

    I have not been able to find any documentation for that claim - but it seems related to SSL token binding, and could be a way to securely identify the user environment (which I have a need for)

    Based on experiments it seems as if the browser token binding keys are not renewed on new connections - rather you can expect the same tokenbindingid value when logging on from the same browser. Is that a valid assumption?

    Does the tokenbindingid indeed securely identify the user environment?

    Is the new claim documented anywhere?

    One of my win10 client machines have upgraded to win10 creative update - and this seems to have broken the token binding negotiation. Is the token binding feature possibly to premature to use?

    Thanx peter

    Monday, April 24, 2017 11:36 AM

All replies

  • Info can be found here: https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding 

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, September 27, 2017 5:16 AM
  • I am running Windows 10, version 1703 

    The claim 


    has disappeared when logging in to win2016 ADFS.

    I am not sure if the support for then tokenbinding claim has disappeared on win2016 ADFS or my client

    Is there a way to get it back?

    Wednesday, September 27, 2017 1:45 PM