ADFS/WorkFolders keeps requiring all client machines to enter password

  • Question

  • I configured ADFS with a WAP reverse proxy with a back-end Work Folders server. I configured the system with proper third-party certificates and everything connects fine both internally and externally. However, after a period of time, usually less than a couple of days, client machines will ask for the current password. If I open the Work Folders control panel manually on domain-joined machines and click credential manager, I am prompted to enter the password. The user name is already saved. Entering the password allows the machine to sync. For workplace-joined machines, I am prompted with the ADFS login page where I have to enter the username and password. This sync works as well once the password is entered. The problem I have is that neither the domain-joined internal machines nor the workplace-joined external machines will keep the password for more than a day. I even had one machine prompt for the password within about 20 minutes after re-entering the credentials.

    All machines, including the ADFS server, WAP server, WorkFolders server, and client machines, are fully updated. Client machines are Windows 7 Pro and Windows 10. I need the Work Folders configuration on the client machine to never prompt for a password. Otherwise this utility is pointless.

    • Edited by JamRWil Wednesday, April 27, 2016 10:45 PM
    Wednesday, April 27, 2016 2:57 PM

All replies

  • Hi JamRWil,

    Thanks for your post.

    You could follow the article to troubleshoot Work Folders on Windows clients.

    Since the problem is more related to the ADFS settings and ADFS authentication, I suggest you also discuss it in our ADFS forum for more professional support.


    Thanks for your support and understanding.

    Best Regards,

    Mary Dong

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Mary Dong Thursday, April 28, 2016 2:34 AM
    Thursday, April 28, 2016 2:33 AM
  • If a machine is not WorkPlace joined, the client will need to re-authenticate every 8 hours. There is no way around that.

    For WorkPlace joined machines - that should be once every 7-8 days. I'm trying to recall if that required ADFS specific config - I'll try and find out next week.

    For domain joined machines - as long as they are on the corp net, WorkFolders will try to silently authenticate using Windows Integrated Auth. This is available in-box in Win10, and we shipped a QFE for Win8.1, but you should check that the ADFS server allows that kind of auth (WIA).

    In a future update, we plan to update WorkFolders so that the need to provide credentials with ADFS is once a month or longer.

    Edit: See here for more info in general as well as how to configure ADFS to allow WorkFolders to auth using WIA: https://blogs.technet.microsoft.com/filecab/2014/07/07/using-adfs-authentication-for-work-folders/
    Friday, April 29, 2016 10:10 PM
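    The WIA check the reply above recommends, as an added example that is not code from the thread, from Microsoft, or from the linked blog post. It assumes the AD FS PowerShell module cmdlets and parameters named in the comments (Get-/Set-AdfsProperties with WIASupportedUserAgents, Get-/Set-AdfsGlobalAuthenticationPolicy with WindowsIntegratedFallbackEnabled), run elevated on the AD FS server; it only addresses the corp-net case, since a laptop outside the LAN has no Kerberos/NTLM token to present.

```powershell
# Added example, not code from the thread or from Microsoft. Run in an elevated PowerShell
# on the AD FS server (2012 R2 or later). Assumes the AD FS module cmdlets used below.
param(
    [switch]$Apply   # without -Apply the script only reports what it finds
)

Import-Module ADFS -ErrorAction Stop

# User-agent string the Work Folders client sends; AD FS only offers WIA to agents on this list.
$workFoldersAgent = 'MS_WorkFoldersClient'

$props  = Get-AdfsProperties
$agents = @($props.WIASupportedUserAgents)

Write-Host 'Current WIASupportedUserAgents:'
$agents | ForEach-Object { Write-Host "  $_" }

if ($agents -contains $workFoldersAgent) {
    Write-Host "OK: $workFoldersAgent is allowed to use WIA."
}
else {
    Write-Warning "$workFoldersAgent is missing; domain-joined clients on the corp net get forms auth instead of silent WIA."
    if ($Apply) {
        # Append to the existing list so browsers already allowed to use WIA are not dropped.
        Set-AdfsProperties -WIASupportedUserAgents ($agents + $workFoldersAgent)
        Write-Host "Added $workFoldersAgent to WIASupportedUserAgents."
    }
}

# Fallback: when true, agents NOT on the WIA list are sent to forms-based auth instead of failing.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.WindowsIntegratedFallbackEnabled) {
    Write-Host 'OK: WindowsIntegratedFallbackEnabled is true.'
}
else {
    Write-Warning 'WindowsIntegratedFallbackEnabled is false; clients that cannot do WIA will not fall back to forms auth.'
    if ($Apply) {
        Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true
    }
}

if ($Apply) {
    # Restart the federation service so the changed settings are picked up
    # (assumed to be acceptable in a maintenance window).
    Restart-Service adfssrv
}
```

    Run it without `-Apply` first on each AD FS node to see what is configured before changing anything.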
  • Even still, the problem is you can't have users going to the control panel every 7 days. They are not IT pros. It has to be easy or the adoption is going to be zero.

    If a machine is domain joined but external going through the WAP/ADFS, would they still need to authenticate every 7 days?

    99% of my machines will be domain-deployed laptops by my department so there's that. The issue is that, oftentimes, they are roaming with no internet. It could be two weeks before they get back to internet and at that point all the work they did needs to pipe over to the WorkFolders server. I can't have them going to the control panel and re-entering credentials. Users will never do that. If the machine is local, then there is zero point in having a replication system to replicate to something internally. Maybe not zero in all circumstances, but the proponent is to have a file replicating technology to send info over the internet without interaction. If the user is required to interact, that means it won't happen. I had already followed those instructions and it did suppress and help the login for local machines (my test machine), but WorkFolders must work without interaction for domain machines that float outside the LAN for extended periods of time and return to an internet connection at some point of their choosing.

    Monday, May 2, 2016 10:03 PM
  • I completely agree with you. The constant need to re-auth is a significant hurdle that we've heard about from multiple sources, including our internal deployment within Microsoft.

    There are two areas that we are working on in order to improve this:

    1) Server 2016 ADFS adds support for device-bound auth tokens which take a very long time to expire (30+ days), and we are adding support to WorkFolders for taking advantage of that.

    2) We are working on adding support in the AAD App Proxy for WorkFolders and that will provide single sign on support (if you are using Azure AD for other products like Office365, Intune, etc) as well as similar auth token length as 1). In addition, it will remove the requirement for you to maintain a WAP deployment.

    Re: If a machine is domain joined but external going through the WAP/ADFS, would they still need to authenticate every 7 days? - it's all about WIA. If they are on the corp net with a Kerberos/NTLM token and your WAP/ADFS config allows WIA - they should not get prompted.

    Monday, May 2, 2016 11:20 PM
  • Thanks for the reply.

    How can I ensure that my WAP/ADFS config allows WIA?

    Tuesday, May 3, 2016 8:40 PM
  • See here please: https://support.microsoft.com/en-us/kb/2976918
    Tuesday, May 3, 2016 8:48 PM
  • I already performed that, but thanks.

    It doesn't make sense to replicate data internally and if external requires constant re-authorization, then I hope MS goes back to the drawing board.


    Tuesday, May 3, 2016 10:24 PM
  • Sorry to bump this thread after so long, it's now 2018 and I'm experiencing these issues still. We have MS_WorkFoldersClient configured in our WIA agents and WindowsIntegratedFallbackEnabled set to true. The issue we face is that domain joined machines face a token expiry after 8 hours.

    Non domain joined, workplace joined machines are fine - it's the domain joined ones with laptops that leave the organisation and are not on a VPN that experience the token expiry. 

    Have things moved on since the thread was made? I've done loads of research but am not having much luck.

    Saturday, July 28, 2018 7:00 AM
  • When using AD FS authentication, the remote user will be prompted for credentials every 8 hours if the device is not registered with the AD FS server. To reduce the frequency of credential prompts, you can enable the Keep Me Signed In (KMSI) feature, but the maximum single sign-on period for a non-registered device is 7 days. To increase the SSO period you must register the device using either the Workplace Join feature or access Work Folders through Azure AD application proxy.

    Monday, July 30, 2018 4:44 AM
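    The sign-in lifetimes the reply above talks about, as an added example that is not code from the thread or from Microsoft. It assumes the Get-/Set-AdfsProperties parameters named in the comments (EnableKmsi, KmsiLifetimeMins, SsoLifetime, PersistentSsoLifetimeMins) and is run elevated on the AD FS server; it reports the current values, flags a KMSI lifetime that promises more than an unregistered device can get, and only changes anything when `-Apply` is passed.

```powershell
# Added example, not code from the thread or from Microsoft. Inspects the AD FS settings that
# decide how long a Work Folders client stays signed in, and optionally turns on KMSI.
# Assumes the Get-/Set-AdfsProperties parameters named below; run elevated on the AD FS server.
param(
    [switch]$Apply,
    [int]$KmsiLifetimeMins = 1440   # 24 hours; the thread reports this as the documented KMSI maximum
)

Import-Module ADFS -ErrorAction Stop
$p = Get-AdfsProperties

# Report the relevant lifetimes side by side (all values are minutes).
[pscustomobject]@{
    EnableKmsi                = $p.EnableKmsi
    KmsiLifetimeMins          = $p.KmsiLifetimeMins
    SsoLifetime               = $p.SsoLifetime                # normal SSO lifetime; 480 = the 8 hours seen in this thread
    PersistentSsoLifetimeMins = $p.PersistentSsoLifetimeMins  # AD FS 2016+ only; blank on 2012 R2
} | Format-List

# A non-registered device cannot be kept signed in beyond 7 days (per the reply above), so flag
# a KMSI value that would promise more than AD FS delivers to unregistered clients.
$sevenDays = 7 * 24 * 60
if ($p.KmsiLifetimeMins -gt $sevenDays) {
    Write-Warning "KmsiLifetimeMins ($($p.KmsiLifetimeMins)) exceeds 7 days; only devices registered via Workplace Join or Azure AD application proxy get a longer SSO period."
}

if ($p.EnableKmsi) {
    Write-Host "OK: KMSI is enabled with a $($p.KmsiLifetimeMins) minute lifetime."
}
else {
    Write-Warning 'KMSI is disabled: remote clients are re-prompted when the normal SSO lifetime expires.'
    if ($Apply) {
        Set-AdfsProperties -EnableKmsi $true -KmsiLifetimeMins $KmsiLifetimeMins
        Write-Host "Enabled KMSI with a $KmsiLifetimeMins minute lifetime."
    }
}
```

    KMSI only lengthens the prompt interval; it does not change the 7-day ceiling for unregistered devices that the reply describes.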
  • Hi Jeff,

    Thanks for the input, I already have workplace join set up, however these devices are domain joined and running through the workplace join wizard doesn't make any difference to the lifetime, it's my understanding workplace join is for non-domain joined devices.

    I wonder what is different about Azure AD application proxy vs the on premise version? It would be useful to be able to configure the on premise version the same.

    I'll take a look at the KMSI feature, 7 days is better than 8 hours.

    Monday, July 30, 2018 7:46 AM
  • According to this link the KMSI maximum lifetime is 24 hours, however the value in PowerShell can be set to any value it seems. I'll need to wait to see if it makes a difference.

    Monday, July 30, 2018 7:59 AM