Sunday, June 12, 2011

Security Token Service (STS) and Sharepoint infinite loop

If you use SharePoint 2010 with a custom STS you might run into an infinite redirect loop. I created an STS and made it a trusted identity provider for SharePoint 2010. Before I tell you what the problem was, let me explain how the STS works with SharePoint.

How does the STS work?
When a user comes to SharePoint, SharePoint redirects the user to the STS token issuer site. It is the responsibility of the STS token issuer site to authenticate the user and issue them a security token. A security token consists of a collection of identity claims (such as the user's name, role, or an anonymous identifier).

Now to the problem:
In my scenario, SharePoint redirects the user to the STS provider's login page. The user enters a username and password, is authenticated, and is redirected back to SharePoint. SharePoint then redirects the user to the STS provider again. For the STS the user is already authenticated, so it redirects back to SharePoint, and so on. For SharePoint there is no valid logon token, but for the STS provider it is a valid logon (the token lifetime was 5 minutes). The problem was that the logon token was already expired from SharePoint's point of view when the user arrived at SharePoint. I googled a lot and found somewhere that the problem is with LogonTokenCacheExpirationWindow.

Let me first explain how LogonTokenCacheExpirationWindow works:
  1. If the token lifetime is 5 minutes and LogonTokenCacheExpirationWindow is 4 minutes, the session cookie is valid for only 1 minute; after that minute you are redirected to authenticate again.
  2. If the token lifetime is 5 minutes and LogonTokenCacheExpirationWindow is 6 minutes, the session cookie is deleted immediately because the token lifetime is less than the expiration window.
  3. If the token lifetime is 5 minutes and LogonTokenCacheExpirationWindow is 5 minutes, the session cookie is valid for zero minutes: SharePoint redirects on every request while the STS still sees a valid logon, which is the loop described above. This was my case.
To overcome this problem either increase the token lifetime or set LogonTokenCacheExpirationWindow to a smaller value (it must be less than the token lifetime).

For the second solution, open the SharePoint 2010 Management Shell and run the following commands:

$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sts.Update()   # persist the change; without Update() the new window is not saved
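To make the three cases above concrete, here is a small Python model of the exchange (added here; it is not code from the post or from SharePoint): SharePoint honours the logon cookie only for token lifetime minus LogonTokenCacheExpirationWindow, while the STS checks only the token lifetime. The assumption that the STS silently issues a fresh token while its own logon is still valid is mine and not stated on the page.

```python
from datetime import timedelta

# Constructed figures matching the post: a 5-minute token issued by the STS.
TOKEN_LIFETIME = timedelta(minutes=5)


def cookie_validity(token_lifetime, expiration_window):
    """How long SharePoint treats the logon cookie as valid: it drops the
    cookie LogonTokenCacheExpirationWindow *before* the token itself expires."""
    return token_lifetime - expiration_window


def sharepoint_accepts(elapsed, token_lifetime, expiration_window):
    # SharePoint only honours the cookie inside the remaining validity.
    return elapsed < cookie_validity(token_lifetime, expiration_window)


def sts_accepts(elapsed, token_lifetime):
    # The STS checks only the token's own lifetime, so it still sees a valid logon.
    return elapsed < token_lifetime


def simulate_visit(elapsed, token_lifetime, expiration_window, max_hops=6):
    """Walk the redirects for a user whose token was issued `elapsed` ago.
    Returns ("page", hops) when SharePoint serves the page, ("login", hops)
    when the STS has to show its login page, or ("loop", hops) when the
    SharePoint <-> STS bounce never settles (capped at max_hops).
    Assumption: while its logon is valid the STS silently issues a fresh token."""
    hops = 0
    while hops < max_hops:
        if sharepoint_accepts(elapsed, token_lifetime, expiration_window):
            return ("page", hops)
        hops += 1                       # SharePoint -> STS
        if not sts_accepts(elapsed, token_lifetime):
            return ("login", hops)      # STS logon expired too: user re-authenticates
        elapsed = timedelta(0)          # fresh token, same lifetime
        hops += 1                       # STS -> SharePoint


    return ("loop", hops)


def describe_window(token_lifetime, expiration_window):
    """Summarise a configuration the way the post's three cases do."""
    validity = cookie_validity(token_lifetime, expiration_window)
    if validity < timedelta(0):
        return "cookie deleted immediately (window exceeds token lifetime)"
    if validity == timedelta(0):
        return "cookie never valid: redirect loop"
    return f"cookie valid for {int(validity.total_seconds() // 60)} min"


if __name__ == "__main__":
    for minutes in (4, 6, 5, 1):
        window = timedelta(minutes=minutes)
        print(f"window={minutes} min: {describe_window(TOKEN_LIFETIME, window)};",
              f"fresh visit -> {simulate_visit(timedelta(0), TOKEN_LIFETIME, window)}")
```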


  1. Nice post. Explained the cause.

    But I tried the above cmdlet and still got the same case. And also sometimes it is taking the last logged-in user's session directly without selection of the STS provider on the login page.


