Subject: ADFS Cookies/SSO Issue
Posted by: twitczak (twitcz…@gmail.com)
Date: 17 Mar 2006
I am using a Federated Web SSO with Forest Trust scenario in ADFS in a
development environment. I have configured a federated token-based web
application on the Corporate Network Federation Server for the internal
domain (Corporate) users.
I am experiencing the condition where, when browsing to the registered ADFS
resource application, the Integrated Authentication dialog box for
credentials is presented to the user, even after logging in
successfully more than once, then closing the browser, or opening
another one in the same session. Thus, no SSO.
I am assuming, from what I can gather, that client-side cookies are not
being written. Maybe the question is, are there in fact HTTP cookies
written to the local cookie store on the client machine after
successful authentication with ADFS/AD and the resource? (C:\Documents
and Settings\User\Cookies). No documentation on TechNet points to an
answer, if yes, and what format/where. Or, could this be a cookie path
issue? Currently my cookie path is set to the '/my directory' off of
the FQDN of the resource application.
I've turned logging on to full using registry hacks mentioned by MS and
can see the authentication cookie being passed to my resource from the
ADFS Server. Moreover, the user is logged in with a Kerberos session in
the Security portion of the Event Log on the ADFS box, but each time the
credentials are passed, a new Kerberos session is created (odd). There
are no bad items in the event log being thrown by ADFS during this
time. Kerberos session lifetime is set to 60 minutes on the ADFS
server, so I have no idea why it's creating a new session each time a
MS recommended I enable automatic login in IE security settings and
trusted sites, but that bypasses the premise of web SSO, as Integrated
Authentication is still operating behind the scenes, despite the user
seeing it. Moreover, the IIS virtual directory of the resource is
configured to anonymous and NOT Int. Auth. The settings in ADFS under
the resource application allow ALL forms of authentication.
Any thoughts on this? Where's the client (browser) cookie? Any MVPs
want to chime in?
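The post asks whether the missing SSO could be a cookie path issue. The following is an added illustration, not code from the post or from ADFS, of how a browser decides whether to attach a cookie to a request: the RFC 6265 section 5.1.4 path-match rules, together with the host and Secure checks that gate it. The cookie record and the URLs are constructed; "/myapp" stands in for the post's '/my directory' application path, and the hostnames are assumptions. A cookie scoped to a sub-path is not sent to sibling paths or to the site root, which is one way a session cookie can exist in the cookie store yet never reach the application.

```python
"""Cookie scoping check modelled on RFC 6265 (host, Secure, path-match).

Added example; not part of the original post and not ADFS code.
Cookie record and URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: the path a cookie gets when Set-Cookie carries no Path.

    This is why a cookie set from /myapp/Default.aspx without an explicit
    Path ends up scoped to /myapp rather than to the whole site.
    """
    if not request_path or not request_path.startswith("/"):
        return "/"
    last_slash = request_path.rfind("/")
    if last_slash == 0:
        return "/"
    return request_path[:last_slash]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/" cookie path matches everything; otherwise the prefix must end
        # at a path-segment boundary (so /myapp does NOT match /myapplication).
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookie_sent_for(cookie: dict, url: str) -> bool:
    """Would a conforming browser attach `cookie` to a request for `url`?

    `cookie` keys: domain, path, secure (bool), host_only (bool).
    Host-only cookies (no Domain attribute) match the exact host only.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    request_path = parts.path or "/"
    domain = cookie["domain"].lower()

    if cookie.get("host_only", True):
        if host != domain:
            return False
    elif not (host == domain or host.endswith("." + domain)):
        return False

    # A Secure cookie is never sent over plain http.
    if cookie.get("secure", False) and parts.scheme != "https":
        return False

    return path_matches(request_path, cookie["path"])


def scope_report(cookie: dict, urls: list) -> dict:
    """Map each URL to whether the cookie would accompany the request."""
    return {url: cookie_sent_for(cookie, url) for url in urls}


# Constructed session cookie scoped to a sub-directory, as in the post's setup.
SUBDIR_COOKIE = {
    "name": "app_session",            # constructed name, not an ADFS cookie name
    "domain": "app.corp.example",     # assumed resource-application host
    "path": "/myapp",                 # stand-in for the post's '/my directory'
    "secure": True,
    "host_only": True,
}

SAMPLE_URLS = [
    "https://app.corp.example/myapp/Default.aspx",   # inside the cookie path
    "https://app.corp.example/myapp",                # exact path match
    "https://app.corp.example/myapplication/x",      # prefix but not a segment
    "https://app.corp.example/",                     # site root: not covered
    "http://app.corp.example/myapp/Default.aspx",    # Secure cookie over http
    "https://adfs.corp.example/myapp/Default.aspx",  # different host
]

if __name__ == "__main__":
    for url, sent in scope_report(SUBDIR_COOKIE, SAMPLE_URLS).items():
        print(f"{'SENT    ' if sent else 'NOT SENT'}  {url}")
```

Running the block shows the cookie is attached only to the first two URLs. Widening `path` to "/" (and, for a cookie that must follow the user across hosts in the forest, setting a Domain attribute instead of a host-only cookie) changes the outcome for the root and sibling paths; the host and Secure checks are unaffected by path.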