Extend expiry of MSISAuth cookie?

  • Question

  • Hi Guys,

    The MSISAuth cookie that AD FS 3.0 sets after successfully authenticating a user is set to expire at the end of the session. This is quite inconvenient for browsers or users that can't authenticate using NTLM for whatever reason, as they're prompted for credentials any time AD FS needs to authenticate them, which can be many times a day.

    Does anyone know how to extend the expiry of the MSISAuth cookie to a few days or a week? My persistent googling hasn't turned up anything helpful.


    Tom Wardrop


    • Edited by TomWardrop Thursday, May 25, 2017 11:19 PM
    Thursday, May 25, 2017 11:17 PM

All replies

  • You can play with `Set-ADFSProperties -WIASupportedUserAgents ...` to decide which browsers will do Windows Integrated Authentication.

    For the MSISAuth cookie, it is a session cookie valid for 8 hours. Because it is a session cookie, it dies when the browser session is terminated (when the user closes the browser). If the device is enrolled with the Device Registration Service, this cookie will be persistent and valid for a week. But that is if you leverage the DRS service.

    You can also make it a persistent cookie for everyone (with the associated risks of persistent cookies) with the Keep Me Signed In option (see KMSI here: https://technet.microsoft.com/en-us/itpro/powershell/windows/adfs/set-adfsproperties and here: https://docs.microsoft.com/en-ca/windows-server/identity/ad-fs/operations/ad-fs-2016-single-sign-on-settings ), but this is for Form Based Authentication only.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, May 26, 2017 2:03 PM
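
The two settings named in the reply above, applied with `Set-AdfsProperties`, as an added example that is not part of the original thread. The user-agent token `ExampleBrowser/1.0` and the one-week lifetime are assumptions; substitute a token for a browser that can actually complete Windows Integrated Authentication in your environment.

```powershell
# Added example (not from the thread). Run in an elevated session on the
# primary AD FS server. $newAgent is a placeholder token, not a real browser.
Import-Module ADFS

$newAgent         = 'ExampleBrowser/1.0'   # assumption: placeholder user-agent token
$kmsiLifetimeMins = 7 * 24 * 60            # assumption: one week, expressed in minutes

# Record the current values so the change can be reviewed or rolled back.
$props = Get-AdfsProperties
$before = [pscustomobject]@{
    WIASupportedUserAgents = @($props.WIASupportedUserAgents)
    EnableKmsi             = $props.EnableKmsi
    KmsiLifetimeMins       = $props.KmsiLifetimeMins
}
$before | Format-List

# -WIASupportedUserAgents replaces the whole list, so append to the existing
# entries instead of passing only the new token.
$agents = @($props.WIASupportedUserAgents)
if ($agents -notcontains $newAgent) {
    Set-AdfsProperties -WIASupportedUserAgents ($agents + $newAgent)
}

# Keep Me Signed In: shows the checkbox on the forms sign-in page and makes the
# SSO cookie persistent for the configured lifetime when the user ticks it.
Set-AdfsProperties -EnableKmsi $true -KmsiLifetimeMins $kmsiLifetimeMins

# Confirm what is now in effect.
Get-AdfsProperties |
    Select-Object WIASupportedUserAgents, EnableKmsi, KmsiLifetimeMins |
    Format-List
```

A user-agent token only tells AD FS to attempt Windows Integrated Authentication for clients that send it; clients that match but cannot negotiate will get a browser credential prompt instead of the forms page.
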
  • Awesome, thanks for all the info Pierre. `Set-ADFSProperties -WIASupportedUserAgents` has tided me over for the time being, but I'll have to explore the other options moving forward.

    Thanks again, much appreciated.


    Tom Wardrop

    Tuesday, June 13, 2017 2:31 AM