ADFS WCT parameter

kool posted this 24 April 2017

I'm troubleshooting a complex integration scenario where a vendor has their software behind their own ADFS instance. We have to federate with their ADFS in order to use their software. IOW, I set their ADFS up as an RP in our ADFS and they do the converse, setting up our ADFS as a Claims Trust Provider in their ADFS. Somewhere in this process the WCT request parameter is having its time value changed by 7 hours which to me looks like a time zone issue. Has anyone else seen this before?

I looked at the WS-Fed spec (http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html, section 13.2.1), which states that the WCT parameter is optional but, if included, must be in UTC, which makes complete sense. It goes on to say in section 13.6.1 that an IP/STS implementer may require the WCT parameter. Are there any knobs in ADFS that allow one to tweak the WCT parameter? Is there a system setting that would cause a time-zone shift to be applied? I presume that having the ADFS system time and time-zone set correctly would obviate this, but I wonder if something else could be contributing to the time shift.

Thanks,

Eric


Forum info: http://www.activedir.org

joe posted this 24 April 2017

Hi Eric,
I'd look at the behavior of their servers at the HTTP level with Fiddler or Httpwatch or something like that and compare the values of the "Date" response header that comes back from each server response. Those are always in UTC so if the server clocks are all actually correct, you'll see that they are sequential and hopefully just a few ms apart as well.
If their server clock is wrong (sounds like it), they need to fix it and then also ensure it is synced with a valid external time source as well. Federation is like Kerb and really does need synced clocks to work well.
HTH!
Joe
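A quick way to do the comparison Joe describes, as an added example that is not from the thread: it parses the Date header captured from each hop of the sign-in redirect chain and the wct on the redirected request, measures every hop against the first server's clock, and reports which server is off. The hostnames and captured values are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample of two redirect hops as a proxy would capture them: each
# hop's HTTP "Date" response header and the "Location" header carrying the
# WS-Fed sign-in request. Hostnames are assumptions, not from the thread.
SAMPLE_HOPS = [
    {"server": "sts.ourcompany.example",
     "date": "Mon, 24 Apr 2017 15:30:02 GMT",
     "location": "https://sts.vendor.example/adfs/ls/?wa=wsignin1.0"
                 "&wtrealm=urn:vendor:app&wct=2017-04-24T15:30:02Z"},
    {"server": "sts.vendor.example",
     "date": "Mon, 24 Apr 2017 08:30:05 GMT",
     "location": "https://sts.ourcompany.example/adfs/ls/?wa=wsignin1.0"
                 "&wtrealm=urn:vendor:app&wct=2017-04-24T08:30:05Z"},
]

def parse_wct(url):
    """wct query value as an aware UTC datetime, or None if the request has none."""
    values = parse_qs(urlparse(url).query).get("wct")
    if not values:
        return None
    raw = values[0]
    if not raw.endswith("Z"):  # WS-Fed 13.2.1: wct must be expressed in UTC
        raise ValueError(f"wct is not UTC: {raw}")
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def clock_skews(hops):
    """Per hop: seconds its Date header and its wct are off the first hop's Date."""
    ref = parsedate_to_datetime(hops[0]["date"])  # our own ADFS as reference clock
    rows = []
    for hop in hops:
        date = parsedate_to_datetime(hop["date"])
        wct = parse_wct(hop["location"])
        rows.append({"server": hop["server"],
                     "date_skew_s": (date - ref).total_seconds(),
                     "wct_skew_s": None if wct is None else (wct - ref).total_seconds()})
    return rows

def skewed_servers(hops, max_skew_s=300):
    """Servers whose Date or wct is more than max_skew_s off (300 s = Kerberos default)."""
    bad = []
    for row in clock_skews(hops):
        if any(s is not None and abs(s) > max_skew_s
               for s in (row["date_skew_s"], row["wct_skew_s"])):
            bad.append(row["server"])
    return bad
```

On the constructed capture the vendor's server comes out roughly seven hours behind on both its Date header and the wct it issues, which is the pattern a wrong clock or time zone on that side would produce.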



Anthony.Vandenbossche posted this 24 April 2017

Hi Eric,

I have seen a similar issue that was indeed due to inconsistent time. In this case, time was skewed in the ADFS servers at the IDP side.

Kr,

Anthony Van Den Bossche
Technical Consultant, Hybrid Cloud