Sunday, June 23, 2013

SharePoint Server 2013, Active Directory Groups and the access denied problem caused by token lifetime.

A while ago we experienced some issues when using Active Directory groups and SharePoint Server 2013. We added users to Active Directory groups which were added to SharePoint groups, but the users who got access using this method, still got access denied. After some investigation we found the problem.

In SharePoint 2013 all authentication is being handled through claims which are managed by the Security Token Service (STS). The STS is responsible for issuing security tokens to users. A user which has logged on to SharePoint will be authenticated and granted a token with his group membership. These tokens have a certain lifetime and will not be updated until they expire. The property which controls this is the WindowsTokenLifetime property – according to the documentation is it normally set to 1380 minutes or 23 hours -  see Set-SPSecurityTokenServiceConfig for more details. (On one of my SharePoint 2013 it seemed to be 10 hours).

Therefore users who had already logged on to the SharePoint Server did not get the required tokens for their new AD group membership until the token expired. You can however change the token expiration in the following way:

$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime = (New-TimeSpan -Minutes 15)
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 15)
$sts.Update()

Changing the WindowsTokenLifeTime will probably have a performance impact since there will be a lot more requests going from the STS to your Active Directory domain controllers. I haven’t found clear guidance or best practices about this, so feel free to leave a comment.

1 comment:

Anonymous said...

Hi JOPX,

We're getting the exact same issue in our SP2013 environment.

Did you find any guidance on setting the WindowsTokenLifetime?

We're reluctant to change it as Microsoft probably set it to the default value for a good reason (hopefully!).

Matt