Active Directory, Errors, PowerShell, SharePoint 2013

Access Denied for AD Group Users in SharePoint 2013

While trying to control site security using Active Directory security groups, I found this issue where users inside those groups were getting an Access Denied error. I realized that the next day they were able to get into the site, but newly added users won't.

I assumed this was some kind of synchronization problem, but it turns out it is default behavior: SharePoint caches this group membership info for about 24 hours.

The timeout can be configured to a lower value:

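# Run in the SharePoint 2013 Management Shell, or load the snap-in first
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sptokensvc = Get-SPSecurityTokenServiceConfig
# Shorten how long issued tokens (and the group claims inside them) stay valid
$sptokensvc.FormsTokenLifetime = (New-TimeSpan -Minutes 2)
$sptokensvc.WindowsTokenLifetime = (New-TimeSpan -Minutes 2)
# Keep the cache expiration window below the lifetimes set above
$sptokensvc.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sptokensvc.Update()
# Restart IIS on this server
iisreset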

This script tells the token service that the claims will be valid for 1 minute; after that it gets the latest membership information from Active Directory.

IMPORTANT: DO NOT SET THE LIFETIME VALUES LOWER THAN THE CACHE EXPIRATION. If you do that, users will experience a ‘The context has expired and can no longer be used’ error.
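One way to enforce that rule before anything is written to the farm, as an added example that is not part of the original post: the function name Set-TokenCacheTimeout and its parameter names are hypothetical, and rejecting equal values is a conservative assumption beyond what the post states.

```powershell
# Added example: hypothetical helper, not from the original post.
# Run in the SharePoint 2013 Management Shell (or load the snap-in first).
function Set-TokenCacheTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][TimeSpan]$TokenLifetime,
        [Parameter(Mandatory = $true)][TimeSpan]$CacheExpirationWindow
    )

    # Rule from the post: lifetimes must not be lower than the cache expiration.
    # Assumption: equal values are rejected as well, to stay on the safe side.
    if ($TokenLifetime -le $CacheExpirationWindow) {
        throw "TokenLifetime ($TokenLifetime) must be greater than CacheExpirationWindow ($CacheExpirationWindow)."
    }

    $sts = Get-SPSecurityTokenServiceConfig

    # Capture the current values so the change can be reverted later.
    $previous = [pscustomobject]@{
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }

    $action = "Set token lifetimes to $TokenLifetime and cache window to $CacheExpirationWindow"
    if ($PSCmdlet.ShouldProcess('Security Token Service', $action)) {
        # All three properties are set on the same object and committed once.
        $sts.FormsTokenLifetime = $TokenLifetime
        $sts.WindowsTokenLifetime = $TokenLifetime
        $sts.LogonTokenCacheExpirationWindow = $CacheExpirationWindow
        $sts.Update()
    }

    # Return the values that were in place before the change.
    return $previous
}

# Same values as the script in the post; -WhatIf previews without changing the farm.
$before = Set-TokenCacheTimeout -TokenLifetime (New-TimeSpan -Minutes 2) `
    -CacheExpirationWindow (New-TimeSpan -Minutes 1) -WhatIf
$before | Format-List
```

Drop -WhatIf to apply the change, then run iisreset as in the script above.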


2 thoughts on “Access Denied for AD Group Users in SharePoint 2013”

  1. I’m so glad I found this. Is there any way to clear the cache on demand? I’d like the cache to be long-lived and just flush the cache and let it reauthenticate when I make a change.
