Channel: Claims based access platform (CBA), code-named Geneva forum

Changing the ADFS authentication token timeout / MS-Organization-Access certificate


Hi,

I posted this in the Windows Server forum but was told to ask the question here, as they did not know the answer. I'd greatly appreciate it if someone could assist/advise.

Background:

I have set up a test 2012R2 environment which is as follows:

DC1.example.local: 192.168.2.90 (2012R2)

xyz-adfs.example.local: 192.168.2.150 (2012R2)

proxy.example.local: 192.168.2.160 (2012R2)

fileserver.example.local: 192.168.2.114 (2012R2)

The AD domain is example.local and the external domain is example.net. I have a wildcard cert for *.example.net that I am using.

The ADFS service name is exampleadfs.

I've set this up using the guide at https://technet.microsoft.com/en-us/library/dn747208.aspx 

My DNS entries are:

Internal DNS (example.net forward zone):

workfolders.example.net -> 192.168.2.114
exampleadfs.example.net -> 192.168.2.150
enterpriseregistration.example.net -> 192.168.2.150

External DNS: workfolders.example.net, exampleadfs.example.net and enterpriseregistration.example.net all point to the WAN IP.

The intent was to get Work Folders working for domain-joined and non-domain-joined devices, inside and outside the LAN.

This works fine internally and externally. The only issue is that, as the authentication token expires after 8 hours, users have to re-enter their passwords, which is not ideal. According to this: http://blogs.technet.com/b/filecab/archive/2014/07/07/using-adfs-authentication-for-work-folders.aspx if I workplace join the devices in question, the token expiration period becomes 7 days by default and can be adjusted. Originally, Workplace Join did not work correctly and I got (on the client) Event ID 102, source Workplace Join: Error code 0x80072EFD. A connection to the server could not be established. Could not connect to https://EnterpriseRegistration.example.local:443/Enrollmentserver/Contract.. This issue was resolved by adding a UPN for the external domain example.net and reinstalling ADFS and the Web Application Proxy.

However, I now have the following issues:

1) When I access https://exampleadfs.example.net/adfs/ls/idpinitiatedsignon.htm

from the ADFS server itself, I get a Windows Security prompt asking me to confirm a certificate for MS-Organization-Access. Clicking OK takes me to the ADFS sign-in page. This only happens on the ADFS server and not on the clients, where I do not get this prompt. Is this normal behavior?

2) How would I change the default authentication token timeout period from 7 days, and what is the maximum this period can be set to? The blog (http://blogs.technet.com/b/filecab/archive/2014/07/07/using-adfs-authentication-for-work-folders.aspx) mentions you can do it but not how.

Thanks,

HA
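The following PowerShell is an added example, not part of the original post or of Microsoft's documentation. It shows the ADFS 2012 R2 properties a practitioner would inspect and change when chasing question 2 above. It assumes that the 8-hour and 7-day lifetimes the poster observes are the `SsoLifetime` (480 minutes) and `PersistentSsoLifetimeMins` (10080 minutes) values exposed by `Get-AdfsProperties` / `Set-AdfsProperties`, the latter applying to workplace-joined (registered) devices when persistent SSO is enabled. The 12-hour and 30-day targets are illustrative choices, not recommendations; the page does not state a maximum, and this example does not claim one. Run it in an elevated PowerShell session on the ADFS server (xyz-adfs.example.local in the lab above).

```powershell
# Added example (not from the original post). Inspect, then raise, the ADFS 2012 R2
# SSO lifetimes that decide how long a Work Folders client can keep using its token
# before the user is asked to sign in again.
# Assumption: SsoLifetime (default 480 min = 8 h) governs non-registered devices and
# PersistentSsoLifetimeMins (default 10080 min = 7 days) governs workplace-joined
# devices when EnablePersistentSso is true.

Import-Module ADFS

# 1. Record the current values before changing anything, so the change can be reverted.
$before = Get-AdfsProperties |
    Select-Object SsoLifetime, EnablePersistentSso, PersistentSsoLifetimeMins, DeviceUsageWindowInDays
Write-Host "Current settings:"
$before | Format-List

# 2. Illustrative new values (minutes). Longer lifetimes widen the window in which a
#    stolen token or SSO cookie stays usable, so pick the shortest value users will accept.
$newSsoMinutes        = 12 * 60          # 12 hours for devices that are not workplace joined
$newPersistentMinutes = 30 * 24 * 60     # 30 days for workplace-joined devices

# 3. Apply the change. EnablePersistentSso must be on for the persistent lifetime to matter.
Set-AdfsProperties -SsoLifetime $newSsoMinutes `
                   -EnablePersistentSso $true `
                   -PersistentSsoLifetimeMins $newPersistentMinutes

# 4. Read the values back and restart the ADFS service so the new lifetimes are picked up
#    on the next authentication rather than whenever the service happens to reload config.
Write-Host "New settings:"
Get-AdfsProperties |
    Select-Object SsoLifetime, EnablePersistentSso, PersistentSsoLifetimeMins |
    Format-List
Restart-Service adfssrv
```

Clients that already hold a token keep it until it expires; the new lifetimes apply to tokens issued after the change. If the Web Application Proxy is in the path, no change is needed there, since the lifetimes are decided by the ADFS server that issues the token.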
