Wednesday, July 1, 2015

Active Directory Group Sync Issue with SharePoint 2013 Permissions

Issue
AD security group permissions are used to control access in SharePoint 2013; however, changes to group membership in AD do not take effect immediately in SharePoint 2013. In simple terms, even after you remove a user from the AD security group, the user is still able to access the site, and if you add a new user to the AD security group, that user still receives an access denied error message in SharePoint.

Workaround - If you need the change to take effect immediately, you can recycle the application pool for that web application.

Cause
In a Windows claims enabled web application (the default for SharePoint 2013), the logon token lifetime is 10 hours by default and the cache lifetime is 10 minutes by default. Hence, AD group modifications are not reflected immediately at SharePoint user sign-in. Internally, when a user accesses a SharePoint site, SharePoint checks the security token store cache for the user's claims. If the claims are found in the cache, SharePoint uses them to authorize the user; if not, SharePoint queries AD for the claims again.

To check which values you currently have, run the following:

$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime
$sts.LogonTokenCacheExpirationWindow

Resolution
The token lifetime and cache expiration time can be set to whatever values your needs require. Lowering the token lifetime introduces more round trips to AD to authenticate the user, so performance characteristics should be monitored to determine the appropriate lifetime. I have seen 10 minutes recommended, but this needs to be tested, as it should be considered case by case. If you would like to change the token lifetime, you can use the following PowerShell commands to set the Windows token lifetime and cache expiration window to the desired values.

The example below sets WindowsTokenLifetime to 10 minutes (the default is 10 hours) and the cache expiration window to 2 minutes (the default is 10 minutes).

$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifetime = "00:10:00"
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 2)
$sts.Update()
iisreset

Warning
If you set the token lifetime to less than the logon token cache expiration window, you get this error message:
"The context has expired and can no longer be used. Exception from HRESULT: 0x80090317"
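The following script is an added example, not code from the original post: it wraps the resolution steps above in a dry-run check that refuses to apply a WindowsTokenLifetime shorter than the LogonTokenCacheExpirationWindow, which is exactly the misconfiguration behind the 0x80090317 error. The default parameter values are the post's example values, not recommendations, and the script assumes it is run in an elevated SharePoint 2013 Management Shell on a farm server.

```powershell
# Added example (not from the original post). Sets the STS lifetimes only after
# checking that WindowsTokenLifetime >= LogonTokenCacheExpirationWindow, the
# condition behind "The context has expired ... HRESULT: 0x80090317".
# Assumes an elevated SharePoint 2013 Management Shell on a farm server.
param(
    [TimeSpan]$TokenLifetime = (New-TimeSpan -Minutes 10),   # post's example value
    [TimeSpan]$CacheWindow   = (New-TimeSpan -Minutes 2),    # post's example value
    [switch]$Apply                                           # without -Apply: report only
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Pure validation, kept separate so it runs before anything touches the farm.
function Test-StsLifetimes([TimeSpan]$Lifetime, [TimeSpan]$Window) {
    if ($Lifetime -lt $Window) {
        $msg = "WindowsTokenLifetime ({0}) must not be less than LogonTokenCacheExpirationWindow ({1})." -f $Lifetime, $Window
        throw $msg
    }
    if ($Lifetime -lt (New-TimeSpan -Minutes 1)) {
        # Every request would go back to AD; the post warns this costs round trips.
        Write-Warning "A lifetime under 1 minute forces an AD query on almost every request."
    }
}

$sts = Get-SPSecurityTokenServiceConfig
Write-Host ("Current : lifetime={0} cacheWindow={1}" -f $sts.WindowsTokenLifetime, $sts.LogonTokenCacheExpirationWindow)
Write-Host ("Proposed: lifetime={0} cacheWindow={1}" -f $TokenLifetime, $CacheWindow)

Test-StsLifetimes -Lifetime $TokenLifetime -Window $CacheWindow

if (-not $Apply) {
    Write-Host "Dry run only; re-run with -Apply to change the farm settings."
    return
}

# Same steps as the post's resolution, applied with the validated values.
$sts.WindowsTokenLifetime            = $TokenLifetime
$sts.LogonTokenCacheExpirationWindow = $CacheWindow
$sts.Update()

# New values take effect for new tokens once IIS is restarted on this server.
iisreset
```

Run it once without -Apply to see the current and proposed values, then with -Apply on each web front end, or follow the reset with an application pool recycle as described in the workaround.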
