ADFS 2.0 "time window" configuration question

  • Question

  • We have problems with ADFS SSO to a cloud service; it seems like their clock/time sometimes is "earlier" than ours and we get an error:

    Assertion condition was not fulfilled 2013-01-08T15:19:15.393+01:00 must not be before 2013-01-08T14:19:15.814Z, issueInstant in assertion = 2013-01-08T14:19:15.814Z

    Sometimes it works and sometimes not...

    Is there a way to configure ADFS to be more "forgiving" or, if not, to set the ADFS servers' clocks at -x seconds/minutes?

    Not sure if the above questions would be a good solution... any suggestions would be very welcome!

    Tuesday, January 8, 2013 2:51 PM

Answers

  • That's like any time skew of member servers compared with the DC impacting Kerberos authentication.

    The default allowed time skew in ADFS for every relying party trust is 0 (zero). This can be configured on a per relying party trust basis.

    Add-PSSnapin microsoft.adfs.powershell
    (Get-ADFSRelyingPartyTrust "<relying party trust display name>").NotBeforeSkew

    Set-ADFSRelyingPartyTrust "<relying party trust display name>" -NotBeforeSkew X

    where X is an integer value in MINUTES

    -NotBeforeSkew <int>
        Specifies the skew for the time stamp that marks the beginning of the validity period. The higher this number is, the further back in time the validity period will begin with respect to the time that the claims are issued for the relying party. By default, this value is 0. Use a number above 0 if validation is failing on the relying party because the validity period has not yet begun.


    It is always better to solve the real issue instead of negating it. Remember though, how much skew is enough or acceptable for you?
     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Tuesday, January 8, 2013 7:44 PM
    Moderator
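As an added example (not code from the thread, from Microsoft, or from the poster), the script below turns the answer above into a repeatable check. It pulls the two timestamps out of the relying party's error message, measures how far the relying party's clock is behind the assertion's NotBefore (421 ms for the error quoted in the question), rounds that up to the whole minutes NotBeforeSkew accepts, and raises the trust's NotBeforeSkew only if the current value does not already cover it, using the -TargetName form of Set-ADFSRelyingPartyTrust. It assumes the ADFS 2.0 snap-in (or the later ADFS module) is installed on the federation server, and the trust display name is a placeholder.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumptions: the ADFS 2.0 snap-in (Microsoft.Adfs.PowerShell) or the later
# ADFS module is installed on this federation server; $TrustName is a
# placeholder display name; $ErrorText defaults to the error quoted in the question.
param(
    [string]$TrustName = "<relying party trust display name>",
    [string]$ErrorText = "Assertion condition was not fulfilled 2013-01-08T15:19:15.393+01:00 must not be before 2013-01-08T14:19:15.814Z, issueInstant in assertion = 2013-01-08T14:19:15.814Z"
)

# 1. Measure the skew the relying party reported. The first timestamp is the
#    relying party's clock at validation time, the second is the NotBefore
#    condition ADFS wrote into the assertion; both carry their own offset.
$iso8601 = '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})'
$stamps  = @([regex]::Matches($ErrorText, $iso8601) |
             ForEach-Object { [DateTimeOffset]::Parse($_.Value, [Globalization.CultureInfo]::InvariantCulture) })
if ($stamps.Count -lt 2) { throw "Could not find two timestamps in the error text" }

$skew = $stamps[1] - $stamps[0]          # positive = relying party clock is behind ADFS
"Relying party clock is behind the assertion NotBefore by {0:N0} ms" -f $skew.TotalMilliseconds

# 2. NotBeforeSkew is whole minutes, so round the observed skew up, and do not
#    pick a larger window than the evidence justifies: every minute added here
#    is a minute longer that a replayed assertion stays acceptable to the RP.
$needed = [int][math]::Ceiling([math]::Max($skew.TotalMinutes, 0))

# 3. Load the ADFS cmdlets: snap-in on ADFS 2.0, module on 2012 R2 and later.
if (-not (Get-Command Get-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
    else { Add-PSSnapin Microsoft.Adfs.PowerShell }
}

# 4. Read the current value and raise it only if it does not already cover the skew.
$trust = Get-ADFSRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "No relying party trust named '$TrustName'" }
"Current NotBeforeSkew on '{0}': {1} minute(s)" -f $trust.Name, $trust.NotBeforeSkew

if ($trust.NotBeforeSkew -lt $needed) {
    Set-ADFSRelyingPartyTrust -TargetName $TrustName -NotBeforeSkew $needed
    "NotBeforeSkew set to $needed minute(s); re-test SSO against the relying party"
} else {
    "NotBeforeSkew already covers the observed skew; look at the relying party's clock instead"
}

# 5. Rule out your own side before blaming the cloud service's clock: confirm
#    this federation server is actually synchronised to its time source.
w32tm /query /source
w32tm /query /status
```

Run it in an elevated PowerShell session on a federation server. With the error text from the question it reports a 421 ms lag and asks for NotBeforeSkew of 1 minute, which is the smallest non-zero window the cmdlet accepts; a larger value would only widen the period during which an assertion captured in transit is still valid at the relying party.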

All replies

  • Hi,

    If the above suggestions cannot fix the issue for you, please refer to the following forum, which is much better suited to ADFS-related issues:

    Claims based access platform (CBA), code-named Geneva

    http://social.msdn.microsoft.com/Forums/en/Geneva/threads

    Regards,

    Arthur Li

    TechNet Subscriber Support


    • Proposed as answer by Sandesh Dubey Wednesday, January 9, 2013 9:59 AM
    Wednesday, January 9, 2013 2:40 AM
    Moderator
  • This sounds like a solution! I'll give it a try and report back.

    Until then, thanks a lot!

    Wednesday, January 9, 2013 3:08 PM
  • I set the notbeforeskew using this syntax (the proposed one didn't work for me):

    Set-ADFSRelyingPartyTrust -TargetName "relying party trust display name" -NotBeforeSkew 2

    Thanks!

    Thursday, January 10, 2013 4:17 PM
  • You are right...

    WRONG SYNTAX:
    Set-ADFSRelyingPartyTrust "<relying party trust display name>" -NotBeforeSkew X
    where X is an integer value in MINUTES

    RIGHT SYNTAX:
    Set-ADFSRelyingPartyTrust -TargetName "<relying party trust display name>" -NotBeforeSkew X
    where X is an integer value in MINUTES
     



    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Sunday, January 13, 2013 8:25 PM
    Moderator