Robbie

Reputation: 765

ADFS 3.0 OAuth Token Refresh (Windows Server 2012r2)

We've set up ADFS 3.0 (Windows Server 2012 R2) in combination with Work Folders (as described here: http://blogs.technet.com/b/filecab/archive/2014/03/03/deploying-work-folders-with-ad-fs-and-web-application-proxy-wap.aspx).

Everything works: domain-joined and non-domain-joined computers can connect to the work folder and the sync works.

However, the OAuth refresh token does not work. Hence the credentials must be re-entered after the initial token has expired.

The event log displays the following information:

Source: AD FS
Event ID: 1021
Encountered error during OAuth token request.

Additional Data
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthRefreshTokenExpiredException: MSIS9303: The OAuth refresh token received has expired.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ValidateRefreshToken(OAuthRefreshToken refreshToken)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemRefreshToken(OAuthRefreshTokenRequestContext tokenContext)

Any suggestions on how to fix this?

Upvotes: 0

Views: 6156

Answers (1)

user3911664

Reputation: 11

I've been experiencing the exact same issue for about a month now. I have credential suppression enabled, so it's not supposed to prompt. Of course, once the OAuth token expires, I have to click "Manage Credentials" and it automatically sends my credentials and fixes the issue. I've worked a little with Microsoft on this issue and they told me this 1021 event is expected behavior, as all tokens will periodically expire (obviously).

Are your clients on Windows 8.1? If so KB2976918 is supposed to fix it. This will be released August 14th. I'm still experiencing the error with Windows 7 Work Folders clients, which is unexpected. I'll update as I find out more.

Upvotes: 1
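Since the answer above says event 1021 is expected whenever a refresh token expires, the useful check on the federation server is whether the MSIS9303 variant is merely periodic or piling up. The following PowerShell is an added example, not code from either poster; it assumes it runs with rights to read the AD FS/Admin log (the log the 1021 event is written to on ADFS 3.0), and the -Days and -ComputerName parameters are the example's own.

```powershell
# Added example: count AD FS event 1021 entries that carry the
# MSIS9303 "OAuth refresh token received has expired" text, per day,
# and list any other 1021 entries separately.
# Assumed: run on (or with remote access to) the ADFS 3.0 server,
# with permission to read the 'AD FS/Admin' event log.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'AD FS/Admin'
    Id        = 1021
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports "no events found" as an error, so silence it and
# test the result ourselves.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No event 1021 entries in the last $Days days on $ComputerName."
    return
}

# Refresh-token-expired entries: expected to appear periodically per client.
$expired = $events | Where-Object { $_.Message -match 'MSIS9303' }
"Event 1021 with MSIS9303 (refresh token expired), per day:"
$expired |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{n='Day'; e={$_.Name}}, @{n='Count'; e={$_.Count}} |
    Format-Table -AutoSize

# Any 1021 entry without MSIS9303 is a different OAuth token failure and
# should be investigated on its own rather than dismissed as expiry.
$other = $events | Where-Object { $_.Message -notmatch 'MSIS9303' }
if ($other) {
    "{0} event 1021 entries without MSIS9303 (other OAuth token errors):" -f @($other).Count
    $other |
        Select-Object TimeCreated, @{n='Summary'; e={($_.Message -split "`r?`n")[0]}} |
        Format-Table -AutoSize
}
```

A steady daily count that tracks the token lifetime is the periodic expiry the answer describes; a sudden jump, or entries without MSIS9303, is worth looking into.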
