Link to Dynamics CRM Wiki Home Page

Once you deploy ADFS in a functional environment, the users will generally receive timeout requests, or requests to log back in, which can quickly become an issue within an 8 hour shift (480 minutes).

From the Claims Based authentication and security Token Authentication page, -

The lifetime of a default security token for a claims-based authentication deployment using AD FS 2.0 is 60 minutes. By default, Microsoft Dynamics CRM Server 2011 is configured to display the Authentication is Required dialog box 20 minutes before the token expires.

In the Authentication is Required dialog box, if you click Cancel, the token expires as indicated. When the security token expires, you will need to start a new browser session to Microsoft Dynamics CRM to access your data. Any unsaved changes will be lost.

In the Authentication is Required dialog box, if you click Sign In, the Sign-Out page appears. When you close the Sign-Out page, one of the following occurs:

  • If you have not deployed an Internet-facing deployment (IFD), you will automatically re-authenticate with domain credentials and a new security token will be issued.

  • If you have an IFD deployment, you will be required to re-authenticate by entering your credentials on the login page.

The solution is to set the ADFS Timeout. The ADFS timeout determines how long the claims token will live in the system before requiring a re-authentication or signin from the user. This can be set on the internal and external sides of ADFS. You will need to know the names of your ADFS relying party trusts.

To begin, open the ADFS Management Console:


Open the left hand navigation, expand relying parting trusts to find the display names:

Now, run the Windows Powershell from the machine with ADFS installed.

For Windows 2008 Server, you will need to add the PSSnapin from the ADFS Command Prompt:

(In Windows 2012 and later, the ADFS role is pre-installed and you can move on to the next step.)

Using the Internal Relying Party Trust Display Name from the ADFS wizard above, enter this command where the is the name of your internalcrm ADFS Relying Party Trust Display Name.


The last line of the results specific TokenLifetime will say how long the current time out is set.

Set the timeout to 480 for 8 hours ( minute increments). Example below is (240).

Now, set the timeout is set. You can follow the same steps to review or set your external timeout as well. It's not a good security practice to set your external lifetime greater than 1 hour, as somebody who logins in remotely and forgets to logout, the session will be active until that timeout period is reached.

If you find my support topics interesting, please read more on