Issue
AD security group permissions are being used to control access in SharePoint 2013; however, changes to group membership in AD do not take effect immediately in SharePoint 2013. In simple words, even after you remove a user from the AD security group, the user is still able to access the site. If you add a new user to the AD security group, the user still receives an "Access Denied" error message in SharePoint.
Workaround - If you need the change to take effect immediately, you can recycle the application pool for that web application.
Cause
In a Windows claims-enabled web application (the default for SharePoint 2013), the logon token lifetime is 10 hours by default and the cache lifetime is 10 minutes by default. Hence, AD group modifications are not reflected immediately at SharePoint user sign-in. Internally, what happens is this: when a user accesses a SharePoint site, SharePoint checks the security token store cache for the user's claims. If the claims are found in the cache, SharePoint uses them to authorize the user. If not, SharePoint queries AD for the claims again.
To check which values you currently have, try running the below:
$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime               # token lifetime (default 10:00:00)
$sts.LogonTokenCacheExpirationWindow    # cache expiration window (default 00:10:00)
Resolution
The token lifetime and cache expiration window can be set to whatever values suit your needs. Lowering the token lifetime introduces more round trips to AD to authenticate the user, which means performance characteristics should be monitored to determine the appropriate lifetime. I have seen 10 minutes being recommended to use, but this is something that needs to be tested as it should be considered on a case by case scenario. If you would like to change the token lifetime, you can use the following PowerShell to set the Windows token lifetime and cache expiration window to the desired values.
The example below sets your WindowsTokenLifetime to 10 minutes (10 hours is the default) and the cache expiration window to 2 minutes (10 minutes is the default).
$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime = "00:10:00"                           # token lifetime: 10 minutes
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 2) # cache expiration window: 2 minutes
$sts.Update()                                                    # persist the change to the farm configuration
iisreset                                                         # restart IIS so the new values take effect
Warning
If you set the token lifetime to less than the cache expiration window, you get this error message: "The context has expired and can no longer be used. Exception from HRESULT: 0x80090317"
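The following is an added example, not code from the original post: it wraps the Resolution steps in a function that prints the current values, refuses to apply a cache expiration window that is not shorter than the token lifetime (the misconfiguration the Warning describes), and only then calls Update() and optionally iisreset. It assumes it is run from the SharePoint 2013 Management Shell, or any elevated PowerShell on a farm server where the Microsoft.SharePoint.PowerShell snap-in can be loaded; the function name Set-StsLifetimes and its parameters are my own, not part of SharePoint.

```powershell
# Added example (not from the original post). Assumes a SharePoint 2013 farm server
# where the Microsoft.SharePoint.PowerShell snap-in is available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-StsLifetimes {
    # Hypothetical helper: validates and applies the security token service lifetimes.
    param(
        [Parameter(Mandatory)][TimeSpan]$TokenLifetime,          # maps to WindowsTokenLifetime
        [Parameter(Mandatory)][TimeSpan]$CacheExpirationWindow,  # maps to LogonTokenCacheExpirationWindow
        [switch]$RecycleIis                                      # run iisreset after Update()
    )

    $sts = Get-SPSecurityTokenServiceConfig
    Write-Host ("Current : WindowsTokenLifetime={0}  LogonTokenCacheExpirationWindow={1}" -f `
        $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow)

    # Guard against the condition in the Warning section: the cache expiration
    # window must be shorter than the token lifetime, otherwise users hit
    # "The context has expired and can no longer be used" (HRESULT 0x80090317).
    if ($CacheExpirationWindow -ge $TokenLifetime) {
        throw ("Refusing to apply: LogonTokenCacheExpirationWindow ({0}) must be shorter " +
               "than WindowsTokenLifetime ({1}).") -f $CacheExpirationWindow, $TokenLifetime
    }

    $sts.WindowsTokenLifetime = $TokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $CacheExpirationWindow
    $sts.Update()   # persist to the farm configuration database

    # Read back to confirm what was actually stored.
    $sts = Get-SPSecurityTokenServiceConfig
    Write-Host ("Applied : WindowsTokenLifetime={0}  LogonTokenCacheExpirationWindow={1}" -f `
        $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow)

    if ($RecycleIis) {
        iisreset   # new values take effect once IIS restarts
    }
}

# Usage: the values from the post (10-minute token lifetime, 2-minute cache window).
Set-StsLifetimes -TokenLifetime (New-TimeSpan -Minutes 10) -CacheExpirationWindow (New-TimeSpan -Minutes 2) -RecycleIis
```

The read-back after Update() is there so the values you see are the ones persisted to the configuration database, not just the ones you assigned in the session; run the function on one farm server only, since the setting is farm-wide.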