SharePoint 2013 - How to: SharePoint 2013 permissions controlled by AD Security Group will not update



You have a site, list, or library with permissions assigned to an Active Directory security group instead of a SharePoint group or individual. When you add a user to or remove a user from the security group within Active Directory, their permissions on the SharePoint site are not updated right away.

Step 1: Windows Token Lifetime within SharePoint
SharePoint creates an authentication token for each user that logs in to the site. This token includes, among other things, the user's membership in various AD security groups. By default, SharePoint caches this token for 10 hours, meaning that the user's permissions within SharePoint will not update for at least 10 hours.

Step 2: Checking the Windows Token Lifetime on the SharePoint 2013 server
To check how often a user's Windows token is refreshed in SharePoint 2013, log in to the SharePoint 2013 server and open the SharePoint Management Shell (run as an administrator). A plain PowerShell window will not recognize the SharePoint cmdlets unless the SharePoint snap-in is loaded, so the SharePoint Management Shell is the simplest place to run them.

Enter the following PowerShell command in SharePoint Management Shell:

Get-SPSecurityTokenServiceConfig

This will give you a lot of information. You need to look through the information for the "WindowsTokenLifetime" setting. The default setting is 10:00:00.

Step 3: Changing the Windows Token Lifetime on the SharePoint 2013 Server
If you need to change the WindowsTokenLifetime settings, run the SharePoint Management Shell (as an administrator) on the SharePoint 2013 server.

Run the following commands to change the update interval from 10 hours to 1 hour (You can, of course, adjust the interval as needed):

$mysts = Get-SPSecurityTokenServiceConfig
$mysts.WindowsTokenLifetime = (New-TimeSpan -Minutes 60)   # new lifetime: 1 hour instead of the default 10
$mysts.Update()                                             # persist the change to the farm configuration

Issues

Get-SPSecurityTokenServiceConfig is not recognized as a cmdlet

Resolution

Have you added the SharePoint Snapin for PowerShell?

Add-PSSnapin Microsoft.SharePoint.Powershell

While trying to control site security using Active Directory security groups, I found this issue where users inside those groups were getting an Access Denied error. I realized that the next day they were able to get into the site, but newly added users would not.

I assumed this was some kind of synchronization problem, but it turns out it is default behavior: SharePoint will cache this group membership info for about 24 hours.

The timeout can be configured to a lower value:

$sptokensvc = Get-SPSecurityTokenServiceConfig
$sptokensvc.FormsTokenLifetime = (New-TimeSpan -Minutes 2)               # lifetime of forms-based authentication tokens
$sptokensvc.WindowsTokenLifetime = (New-TimeSpan -Minutes 2)             # lifetime of Windows (AD) tokens
$sptokensvc.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)  # refresh a token once it is this close to expiry; must be shorter than the lifetimes above
$sptokensvc.Update()                                                     # persist the change to the farm configuration
iisreset                                                                 # recycle IIS so the token service picks up the new values

This script tells the token service that a token lives for 2 minutes and is refreshed once it comes within 1 minute of expiry, so in effect the claims are valid for 1 minute; after that SharePoint fetches the latest membership information from Active Directory.

IMPORTANT: DO NOT SET THE LIFETIME VALUES LOWER THAN THE CACHE EXPIRATION WINDOW. If you do, every token counts as expired as soon as it is issued, and users will see a 'The context has expired and can no longer be used' error.
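The following script is an added example, not code from the original article: it wraps the steps above (read the current values, change them, recycle IIS) in two functions and enforces the ordering rule just stated before anything is written. It assumes it is run by a farm administrator in the SharePoint 2013 Management Shell, or in a PowerShell session where the Microsoft.SharePoint.PowerShell snap-in can be loaded; the function names Get-TokenLifetimeReport and Set-TokenLifetimes are this example's own.

```powershell
# Added example (not from the original article). Assumes a SharePoint 2013 farm server
# and farm-administrator rights; Get-TokenLifetimeReport / Set-TokenLifetimes are names
# chosen for this example, not SharePoint cmdlets.

# Load the SharePoint cmdlets if this is a plain PowerShell session rather than the Management Shell.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-TokenLifetimeReport {
    # Read-only: report the three settings that decide how long cached AD group
    # membership is trusted, plus the effective time before a refresh from AD
    # (token lifetime minus the cache expiration window).
    $sts = Get-SPSecurityTokenServiceConfig
    [pscustomobject][ordered]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        EffectiveWindowsRefresh         = $sts.WindowsTokenLifetime - $sts.LogonTokenCacheExpirationWindow
    }
}

function Set-TokenLifetimes {
    param(
        [Parameter(Mandatory)][timespan]$TokenLifetime,          # applied to both Windows and Forms tokens
        [Parameter(Mandatory)][timespan]$CacheExpirationWindow,  # must be shorter than the lifetime
        [switch]$RestartIis                                      # run iisreset after the update
    )

    # Guard against the misconfiguration the article warns about: a lifetime that is not
    # longer than the expiration window makes every token count as expired immediately and
    # users get "The context has expired and can no longer be used".
    if ($TokenLifetime -le $CacheExpirationWindow) {
        throw "TokenLifetime ($TokenLifetime) must be longer than CacheExpirationWindow ($CacheExpirationWindow); nothing was changed."
    }

    Write-Host "Token settings before the change:"
    Get-TokenLifetimeReport | Format-List | Out-Host

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.WindowsTokenLifetime            = $TokenLifetime
    $sts.FormsTokenLifetime              = $TokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $CacheExpirationWindow
    $sts.Update()    # persist to the farm configuration database

    Write-Host "Token settings after the change:"
    Get-TokenLifetimeReport | Format-List | Out-Host

    if ($RestartIis) {
        iisreset     # recycle IIS so the security token service uses the new values
    }
}

# Usage: 1-hour tokens that are refreshed once within 10 minutes of expiry, so a cached
# token is re-evaluated against AD after at most 50 minutes. An inverted pair such as
# -TokenLifetime 1 minute / -CacheExpirationWindow 2 minutes is rejected before any write.
Set-TokenLifetimes -TokenLifetime (New-TimeSpan -Minutes 60) -CacheExpirationWindow (New-TimeSpan -Minutes 10) -RestartIis
```

Run Get-TokenLifetimeReport on its own first when you only want to audit the current values. The trade-off is the usual one: a shorter lifetime means a user removed from an AD group loses access sooner and a newly added user gains it sooner, at the cost of more frequent token refreshes against Active Directory, so values of a few minutes are reasonable while troubleshooting but an hour or so is a more typical steady state.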