CRM 2011 ADFS and TokenLifetime

One of the new Dynamics CRM 2011 implementation requirements, if your organization is planning an IFD (Internet Facing Deployment), is to install and configure ADFS 2.0 and claims-based authentication. There are some good videos on installing and configuring ADFS and CRM 2011 already on YouTube. I have used this one to get STARTED. However, it is complicated and depends on your particular environment, so do not hesitate to reach out to us.

With that said, we are seeing some customers who want to increase the “TokenLifetime” parameter. This specifies how long a token is valid before it expires and users must authenticate again. Setting the value is not difficult, but it uses a Windows feature that CRM administrators are often not used to: “PowerShell.” PowerShell is Microsoft’s command-line configuration utility. It has been around for several years, but for the most part it has only been used by Exchange and NT administrators to configure servers and Exchange environments.

The following steps will allow you to get the names and current TokenLifetime settings and update them.

  • Logon to the ADFS Server
  • Click on Start/All Programs/Accessories/Windows PowerShell, then right-click the Windows PowerShell shortcut and select Run as Administrator

A DOS-like window will appear.

  • Type the following command to load the ADFS PowerShell library
    • Add-PSSnapin Microsoft.Adfs.PowerShell
  • After the library is loaded, run the following command to list the current values. This way you can change them back if needed.
    • Get-ADFSRelyingPartyTrust | fl name, TokenLifetime

Note: This will return the name of each RelyingPartyTrust and its current TokenLifetime value.

  • Type the following command to change the “TokenLifetime” value
    • Set-ADFSRelyingPartyTrust -Targetname "[Enter Name]" -TokenLifetime 480
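
The steps above as one script, added here as an example (it is not part of the original post or of any Microsoft tooling): it saves the current values to a CSV file, changes one trust, reads the value back, and can restore from the CSV. TokenLifetime is given in minutes; the parameter names, the backup file name and the 1440-minute ceiling are assumptions made for this example.

```powershell
# Added example. $TrustName, $BackupPath, -Restore and the 1440-minute
# ceiling are assumptions for illustration, not values from the post.
param(
    [string]$TrustName,
    [ValidateRange(1, 1440)][int]$NewLifetimeMinutes = 480,
    [string]$BackupPath = ".\adfs-tokenlifetime-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
    [switch]$Restore
)

$ErrorActionPreference = 'Stop'

# Load the ADFS 2.0 snap-in only if this session does not have it yet.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

if ($Restore) {
    # Put every trust back to the value recorded in the backup file.
    Import-Csv -Path $BackupPath | ForEach-Object {
        Set-ADFSRelyingPartyTrust -TargetName $_.Name -TokenLifetime ([int]$_.TokenLifetime)
    }
    Get-ADFSRelyingPartyTrust | Format-List Name, TokenLifetime
    return
}

# Record the current value of every trust before changing anything.
# -NoClobber refuses to overwrite an earlier backup with already-changed values.
Get-ADFSRelyingPartyTrust |
    Select-Object Name, TokenLifetime |
    Export-Csv -Path $BackupPath -NoTypeInformation -NoClobber

# Stop unless the name matches exactly one relying party trust.
$match = @(Get-ADFSRelyingPartyTrust -Name $TrustName)
if ($match.Count -ne 1) {
    throw "Expected one relying party trust named '$TrustName', found $($match.Count)."
}

Set-ADFSRelyingPartyTrust -TargetName $TrustName -TokenLifetime $NewLifetimeMinutes

# Read the value back so a silent failure does not go unnoticed.
$after = Get-ADFSRelyingPartyTrust -Name $TrustName
if ($after.TokenLifetime -ne $NewLifetimeMinutes) {
    throw "TokenLifetime for '$TrustName' is $($after.TokenLifetime), expected $NewLifetimeMinutes."
}
$after | Format-List Name, TokenLifetime
Write-Host "Previous values saved to $BackupPath"
```

An issued token stays valid for the whole lifetime, so choose the shortest value that meets the users' needs and keep the backup file so the change can be reversed with -Restore.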

Hope this helps.