While trying to control site security using Active Directory security groups, I ran into an issue where users inside those groups were getting an Access Denied error. I realized that the next day they were able to get into the site, but newly added users would not.
I assumed this was some kind of synchronization problem, but it turns out to be the default behavior: SharePoint caches this group membership information for about 24 hours.
The timeout can be configured to a lower value:
# Get the farm's Security Token Service config, shorten the lifetimes, then persist the change
$sptokensvc = Get-SPSecurityTokenServiceConfig
$sptokensvc.FormsTokenLifetime = (New-TimeSpan -Minutes 2)
$sptokensvc.WindowsTokenLifetime = (New-TimeSpan -Minutes 2)
$sptokensvc.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sptokensvc.Update()
This script tells the token service that the claims will be valid for 1 minute; after that it will fetch the latest membership information from Active Directory.
IMPORTANT: DO NOT SET THE LIFETIME VALUES LOWER THAN THE CACHE EXPIRATION WINDOW. If you do, users will experience a 'The context has expired and can no longer be used' error.
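As an added example (not part of the original post), here is a small wrapper that enforces the rule above before touching the farm: it refuses to apply the change if the expiration window is not shorter than the token lifetime. The function name and parameter names are my own; the cmdlet and property names are the real SharePoint ones.

```powershell
# Added example: apply shorter token lifetimes only if the invariant
# "LogonTokenCacheExpirationWindow < token lifetime" holds.
function Set-SPTokenCacheLifetime {
    param(
        [TimeSpan]$TokenLifetime    = (New-TimeSpan -Minutes 2),
        [TimeSpan]$ExpirationWindow = (New-TimeSpan -Minutes 1)
    )

    # Guard against the misconfiguration that causes
    # 'The context has expired and can no longer be used'.
    if ($ExpirationWindow -ge $TokenLifetime) {
        throw "ExpirationWindow ($ExpirationWindow) must be shorter than TokenLifetime ($TokenLifetime)."
    }

    # Load the SharePoint snap-in if this is a plain PowerShell session.
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }

    $sts = Get-SPSecurityTokenServiceConfig
    Write-Host ("Before: Forms={0} Windows={1} Window={2}" -f `
        $sts.FormsTokenLifetime, $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow)

    $sts.FormsTokenLifetime               = $TokenLifetime
    $sts.WindowsTokenLifetime             = $TokenLifetime
    $sts.LogonTokenCacheExpirationWindow  = $ExpirationWindow
    $sts.Update()   # persist to the farm configuration database

    Write-Host ("After:  Forms={0} Windows={1} Window={2}" -f `
        $sts.FormsTokenLifetime, $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow)
}

# Same values as the script in the post: 2-minute lifetimes, 1-minute window.
Set-SPTokenCacheLifetime
```

Run it in an elevated SharePoint Management Shell on a farm server; passing a window equal to or longer than the lifetime aborts before any change is made.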