The connection between the Clocktimizer application and AD often encounters an expired authentication token, which can result in errors. In this case, restarting the application should fix the issue. To restart the application, open IIS on the web server and recycle the app pool.



To avoid this kind of issue in the future, we recommend that you upgrade to ADFS, using WS-Federation or OpenID Connect. To do so, follow the steps below. Please note that if you are running Clocktimizer on-premise, you need to make sure that it is served over HTTPS.


WS-Federation

To set up authentication via WS-Federation, you first need to set up an app registration. The process is documented here. Please note that you do NOT need to set up the Azure AD app registration; you can ignore that paragraph.


The Wt Realm is https://yourdomain.clocktimizer.com/


Please ensure that the realm ends with the trailing slash as seen above.


You need to configure the following claims:

  • Name ID
  • E-mail
  • Groups

Once this has been set up, you need to provide us with the metadata address. It should look like this:

https://{ADFS FQDN}/FederationMetadata/2007-06/FederationMetadata.xml



OpenID Connect

To use OpenID Connect for authentication, you should set up an app registration in ADFS. This process is documented here.


The metadata address contains information on the authentication endpoints that should be used in the OpenID Connect authentication flow.


It should look something like this: https://{domain}/.well-known/openid-configuration


The metadata address should be accessible from Azure.

The Client Identifier uniquely identifies the app registration within your AD FS setup. It will look like a GUID.


Once you set up everything, please send us the metadata address and the client identifier.
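
A pre-flight check for the values requested in the WS-Federation and OpenID Connect sections above, as an added example (not Clocktimizer's or Microsoft's code). It runs offline against a discovery document you have already downloaded. The function names, the `adfs.example.test` host and the sample values are constructed, and the issuer comparison follows the OpenID Connect Discovery rule that the issuer must be the prefix of the metadata address.

```python
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
WSFED_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"
OIDC_SUFFIX = "/.well-known/openid-configuration"
# Discovery fields the relying party needs to run the sign-in flow and verify tokens.
REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def check_wsfed(realm, metadata_address):
    """Return a list of problems with the WS-Federation values (empty means OK)."""
    problems = []
    if not is_https(realm):
        problems.append("realm is not an https URL")
    if not realm.endswith("/"):
        problems.append("realm is missing the trailing slash")
    if not is_https(metadata_address):
        problems.append("metadata address is not an https URL")
    if urlsplit(metadata_address).path != WSFED_PATH:
        problems.append("metadata address does not point at FederationMetadata.xml")
    return problems

def check_oidc(metadata_address, client_id, discovery):
    """Return a list of problems with the OpenID Connect values (empty means OK)."""
    problems = []
    if not is_https(metadata_address) or not metadata_address.endswith(OIDC_SUFFIX):
        problems.append("metadata address is not an https openid-configuration URL")
    if not GUID_RE.match(client_id):
        problems.append("client identifier does not look like a GUID")
    for key in REQUIRED_ENDPOINTS:
        if not is_https(str(discovery.get(key, ""))):
            problems.append(f"{key} is missing or not https")
    # A document served from one host but naming another issuer must be rejected.
    issuer = str(discovery.get("issuer", "")).rstrip("/")
    if issuer + OIDC_SUFFIX != metadata_address:
        problems.append("issuer does not match the metadata address")
    return problems

# Constructed sample values (assumptions, not taken from a real AD FS farm).
BASE = "https://adfs.example.test/adfs"
SAMPLE_METADATA = BASE + OIDC_SUFFIX
SAMPLE_DISCOVERY = {"issuer": BASE, "authorization_endpoint": BASE + "/oauth2/authorize/",
                    "token_endpoint": BASE + "/oauth2/token/", "jwks_uri": BASE + "/discovery/keys"}
```

An empty list from both functions means the values have the shape described on this page; it does not confirm that the metadata address is reachable from Azure.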