CRM 2011: Setting the ADFS Timeout for IFD

Once you deploy ADFS in a functional environment, the users will generally receive timeout requests, or requests to log back in, which can quickly become an issue within an 8 hour shift (480 minutes).

The solution is to set the ADFS Timeout. The ADFS timeout determines how long the claims token will live in the system before requiring a re-authentication or signin from the user. This can be set on the internal and external sides of ADFS. You will need to know the names of your ADFS relying party trusts.

To begin, open the ADFS Management Console:

ADFS Management Console

Open the left hand navigation, expand relying party trusts to find the display names:

relying party trusts

Now, run the Windows Powershell from the machine with ADFS installed.

Windows Powershell

Now from the powershell, start the PSSnapin for ADFS:


Using the internal relying party trust name from the ADFS wizard above, enter this command where the is the name of your internalcrm ADFS relying party trust.


The last line of the results specific TokenLifetime will say how long the current time out is set.


Set the timeout to 480 for 8 hours ( minute increments). Example below is (240).


Now, set the timeout is set. You can follow the same steps to review or set your external timeout as well. It’s not a good security practice to set your external lifetime greater than 1 hour, as somebody who logins in remotely and forgets to logout, the session will be active until that timeout period is reached.

Next Post