
We're in the process of diagnosing an issue where our on-premises ADFS servers stop accepting requests from the ADFS proxy servers for short (5-minute) intervals.

One behavior that we're having difficulty understanding is that when ADFS stops responding, Outlook client users get prompted to re-authenticate, and get disconnected when the token request times out. One suggestion was that there is some sort of network session reset, but we have been unable to identify this happening on the network path for Outlook users.

Per the documentation and Microsoft support, users are issued login tokens with a default TTL of 8 hours. If that were true, why are the users being challenged to re-authenticate?

duffbeer703
  • If the answers you were provided help you with your question, you should select one as an accepted answer. – mfinni Apr 14 '14 at 15:46

1 Answer


You should gather some perfmon data to see if the server is under heavy load and whether load is distributed among the AD FS servers. Load balancers that are misconfigured (for example sticky sessions) can cause more traffic to one server than others in the farm.

Depending on the devices used to connect to Exchange Online, you may see more authentication traffic. Every time a connection is dropped and a new connection is established, Exchange may prompt the user for credentials. You may not see it if you clicked the save password option. At this point a logon will be done against AD FS using those credentials.

Incidentally, the token lifetime for the O365 authentication platform is 1 hour by default, not 8 hours. That 1-hour token is useful for passive applications (i.e. browser based) which use cookies for the session. They won't help in this case when new connections are constantly established by devices (such as mail clients on phones/tablets).

maweeras