Please enter search query.
Search <product_name> all support & community content...
Article: 100031501
Last Published: 2025-01-23
Ratings: 0 0
Product(s): Veritas Alta Archiving, Veritas Alta eDiscovery
Problem
AD FS SSO changes in November 2015 Veritas Alta Archiving release
From the November 2015 quarterly release, Veritas Alta Archiving takes into account the date and time that the NotBefore and NotOnOrAfter conditions specify in SAML 2.0 assertions during single sign-on (SSO).The NotBefore value is the time from the AD FS server. If this time is in advance from that of the Veritas Alta Archiving authorization server, SSO logins will fail. To ensure that SSO continues to function we recommend that you set the NotBeforeSkew condition to allow for time discrepancies.
Solution
To set NotBeforeSkew, follow the appropriate instructions below for your version of AD FS.
Any time discrepancy is likely to be a matter of seconds, however this can vary. The NotBeforeSkew should be set to a minimum value of 1 minute. Please see the attachment if the PowerShell commands listed below have been translated.
AD FS 2.0 steps to set up NotBeforeSkew
The following steps need to be performed on the AD FS server to ensure SSO will function in the case of server time mismatch.- Retrieve the name of the Relying Party Trust created to set up SSO for Veritas Alta Archiving:
- Open AD FS 2.0 Management.
- Expand Trust Relationships and click on Relying Party Trusts.
- Note the Display Name for the Relying Party Trust for Veritas Alta Archiving.
- Open PowerShell.
- Run the following command to add the ADFS snapin to your Powershell session:
Add-PSSnapin Microsoft.Adfs.Powershell - Run the following command to set the NotBeforeSkew:
Get-ADFSRelyingPartyTrust -name “displayname for your veritas alta archiving relying party trust” | Set-ADFSRelyingPartyTrust –NotBeforeSkew “Numeric value for time in minutes”
AD FS 2.1 steps to set up NotBeforeSkew
The following steps need to be performed on the AD FS server to ensure SSO will function in the case of server time mismatch.- Retrieve the name of the Relying Party Trust created to set up SSO for Veritas Alta Archiving:
- Open AD FS Management.
- Expand Trust Relationships and click on Relying Party Trusts.
- Note the Display Name for the Relying Party Trust for Enterprise Vault.cloud.
- Open PowerShell.
- Run the following command to set the NotBeforeSkew:
Get-ADFSRelyingPartyTrust -name “displayname for your veritas alta archiving relying party trust” | Set-ADFSRelyingPartyTrust –NotBeforeSkew “Numeric value for time in minutes”
AD FS 3.0 steps to set up NotBeforeSkew
The following steps need to be performed on the AD FS server to ensure SSO will function in the case of server time mismatch.- Retrieve the name of the Relying Party Trust created to set up SSO for Veritas Alta Archiving:
- Open AD FS Management.
- Expand Trust Relationships and click on Relying Party Trusts.
- Note the Display Name for the Relying Party Trust for Veritas Alta Archiving.
- Open PowerShell.
- Run the following command to set the NotBeforeSkew:
Get-ADFSRelyingPartyTrust -name “displayname for your veritas alta archiving relying party trust” | Set-ADFSRelyingPartyTrust –NotBeforeSkew “Numeric value for time in minutes”
Attachments
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.