Active Directory, Errors, PowerShell, SharePoint 2013

Access Denied for AD Group Users in SharePoint 2013

While trying control the site security using Active directory security groups I found this issue where users inside those groups were having an Access Denied Error. I realize that the next day they were able to get into the site but newly added users wont.

I assume this was some kind of synchronization problem, but it turns out is a default behavior, SharePoint will cache this group membership info for about 24 hours.

The time out can be configure to a lower value:

$sptokensvc= Get-SPSecurityTokenServiceConfig
$sptokensvc.FormsTokenLifetime = (New-TimeSpan -minutes 2)
$sptokensvc.WindowsTokenLifetime = (New-TimeSpan -minutes 2)
$sptokensvc.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1)
$sptokensvc.Update()
iisreset

This script will tell the token service that the claims will be valid for 1 minute and after that it will get the latest membership information from the Active Directory.

IMPORTANT: DO NOT SET THE LIFETIME VALUES LOWER THAN THE CHACHE EXPIRATION. If you do that the users will experience a ‘The context has expired and can no longer be used’ Error.

Advertisements