Setting the Security Token Expiration for IFD Claims-based Authentication

When you configure Microsoft Dynamics CRM 2011 for claims-based authentication, an Authentication Required dialog box appears every 20 minutes.
By default, the security token lifetime for a claims-based authentication deployment using ADFS 2.0 (or later) is 60 minutes; however, the token expiration dialog box appears 20 minutes before the actual expiration.

When the Authentication Required dialog box appears, you can click Sign In and enter your credentials to stay connected to the session (a new security token will be issued). If you have configured only claims-based authentication and not IFD, the re-authentication happens automatically.

If you click Cancel, the token will expire as indicated. When that happens, you will need to start a new browser session to connect to Microsoft Dynamics CRM, and all your data will be lost when the session expires.

To change the token lifetime from the default 60 minutes to a longer period, such as 2 hours or 8 hours, use the Windows PowerShell ADFS snap-in to configure this setting.

Follow the steps below to configure the Token Lifetime:

  1. On the server where ADFS is installed, open a Windows PowerShell prompt.
  2. Add the Microsoft ADFS PowerShell snap-in. If you are running Windows Server 2012 R2, the cmdlets are already loaded, so you can skip this step:
    PS> Add-PSSnapin Microsoft.Adfs.PowerShell
  3. Retrieve the relying party trust (this step is not required, but it is helpful to see the existing values).
  4. Change the value of the token lifetime by calling the Set-ADFSRelyingPartyTrust cmdlet. The following command sets it to 8 hours (480 minutes):
    PS> Set-ADFSRelyingPartyTrust -TargetName "NAMEOFRELYINGPARTYTRUST" -TokenLifetime 480
  5. Close PowerShell, then restart your Internet Explorer session and connect to CRM. You should now be able to continue working in the application for 8 hours.
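The steps above, combined into one script as an added example (not from the original post): it loads the snap-in only when the ADFS cmdlets are missing, shows the current lifetime, raises it, and verifies the change. The trust name "CRM IFD" is a placeholder; substitute the name of your own relying party trust.

```powershell
# Added example: inspect and raise the ADFS token lifetime for a CRM relying
# party trust, then verify the new value was stored.
param(
    [string]$TrustName = "CRM IFD",   # placeholder; use your own trust name
    [int]$LifetimeMinutes = 480       # 8 hours, as in the walkthrough above
)

# Load the ADFS 2.0 snap-in only if the cmdlets are not already available
# (on Windows Server 2012 R2 the ADFS module is loaded automatically).
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Step 3: retrieve the trust so the existing value is visible before changing it.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) {
    throw "Relying party trust '$TrustName' not found. Run Get-AdfsRelyingPartyTrust with no arguments to list the configured trusts."
}

# A stored TokenLifetime of 0 means "use the ADFS default", which is 60 minutes.
$before = if ($trust.TokenLifetime -eq 0) { 60 } else { $trust.TokenLifetime }
Write-Host "Current token lifetime for '$TrustName': $before minutes (stored value: $($trust.TokenLifetime))"

# Step 4: set the new lifetime in minutes.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -TokenLifetime $LifetimeMinutes

# Re-read the trust and confirm the change actually took effect.
$after = (Get-AdfsRelyingPartyTrust -Name $TrustName).TokenLifetime
if ($after -ne $LifetimeMinutes) {
    throw "Token lifetime was not updated: found $after, expected $LifetimeMinutes."
}
Write-Host "Token lifetime for '$TrustName' is now $after minutes; CRM will prompt for re-authentication 20 minutes before it expires."
```

A longer token lifetime also extends how long a token in an unattended or abandoned browser session stays valid, so choose the smallest value that removes the interruption for your users rather than the largest one ADFS accepts.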