It’s not happening only on SharePoint 2013. You will be in the same\u00a0situation if you are using\u00a0Claims Based Authentication\u00a0with\u00a0SharePoint 2010.<\/em><\/p>\n <\/p>\n Out of the box behavior<\/span> <\/p>\n The explanation<\/span> <\/p>\n The Wikipedia explanation for STS<\/a>: <\/p>\n So, in our case:<\/p>\n <\/p>\n The problem<\/span><\/strong> <\/p>\n Solution<\/span><\/strong><\/p>\n When your access in SharePoint rely on the AD security groups you have to adjust the caching mechanism for the tokens and you have to adjust it properly everywhere (SharePoint and STS).<\/p>\n <\/p>\n More details<\/strong><\/span> <\/p>\n","protected":false},"excerpt":{"rendered":" It’s not happening only on SharePoint 2013. You will be in the same\u00a0situation if you are using\u00a0Claims Based Authentication\u00a0with\u00a0SharePoint 2010. Out of the box behavior You have a SharePoint Web Application configured to use Claims Based Authentication. You grant access to a SharePoint site through Active Directory Security Groups. You perform changes in the … Continue reading Active Directory Security Groups and SharePoint Claims Based Authentication<\/span>
\nYou have a SharePoint Web Application configured to use Claims Based Authentication. You grant access to a SharePoint site through Active Directory Security Groups. You perform changes in the membership of that Active Directory Security Group and you notice the changes are not reflected immediately on the SharePoint site.
\nFor example you remove one user account from the AD security group membership, but the user is still able to access the site, or you add a new user to the membership of that security group, but the user still receives access denied on\u00a0SharePoint.<\/p>\n
\nSharePoint Claims Based Authentication is working differently than SharePoint Classic Mode Authentication. When you have Claims Based Authentication, SharePoint is using the Security Token Service (STS) to provide\u00a0access tokens for server-to-server authentication.<\/p>\n
\n“A Security Token Service (STS) is a software based identity provider responsible for issuing security tokens, especially software tokens, as part of a claims-based identity system.<\/em>
\nIn a typical usage scenario, a client requests access to a secure software application, often called a relying party. Instead of the application authenticating the client, the client is redirected to an STS. The STS authenticates the client and issues a security token. Finally, the client is redirected back to the relying party and present the security token. The token is the data record in which claims are packed, and is protected from manipulation with strong cryptography. The software application verifies that the token originated from an STS trusted by it, and then makes authorization decisions accordingly. The token is creating a chain of trust between the STS and the software application consuming the claims. This process is illustrated in the Security Assertion Markup Language (SAML) use case, demonstrating how single sign-on can be used to access web services.”<\/em><\/p>\n\n
\nThe tokens have a lifetime (by default 10 hours). More than that, SharePoint by default will cache the AD security group membership details\u00a0for 24 hours.<\/span>\u00a0That means, once the SharePoint will get the details for a security group, if the AD security group will change, SharePoint will still use the cache.<\/p>\n\r\nAdd-PSSnapin Microsoft.SharePoint.PowerShell;\r\n\r\n$CS = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;\r\n#TokenTimeout value before\r\n$CS.TokenTimeout;\r\n$CS.TokenTimeout = (New-TimeSpan -minutes 2);\r\n#TokenTimeout value after\r\n$CS.TokenTimeout;\r\n$CS.update();\r\n\r\n$STSC = Get-SPSecurityTokenServiceConfig\r\n#WindowsTokenLifetime value before\r\n$STSC.WindowsTokenLifetime;\r\n$STSC.WindowsTokenLifetime = (New-TimeSpan -minutes 2);\r\n#WindowsTokenLifetime value after\r\n$STSC.WindowsTokenLifetime;\r\n#FormsTokenLifetime value before\r\n$STSC.FormsTokenLifetime;\r\n$STSC.FormsTokenLifetime = (New-TimeSpan -minutes 2);\r\n#FormsTokenLifetime value after\r\n$STSC.FormsTokenLifetime;\r\n#LogonTokenCacheExpirationWindow value before\r\n$STSC.LogonTokenCacheExpirationWindow;\r\n#DO NOT SET LogonTokenCacheExpirationWindow LARGER THAN WindowsTokenLifetime\r\n$STSC.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1);\r\n#LogonTokenCacheExpirationWindow value after\r\n$STSC.LogonTokenCacheExpirationWindow;\r\n$STSC.Update();\r\nIISRESET\r\n<\/pre>\n
\nSPWebService.ContentService
\n<\/a>SPWebService.TokenTimeout
\n<\/a>Get-SPSecurityTokenServiceConfig
\n<\/a>SPSecurityTokenServiceManager
\n<\/a>SPSecurityTokenServiceManager.WindowsTokenLifetime
\n<\/a>SPSecurityTokenServiceManager.FormsTokenLifetime
\n<\/a>SPSecurityTokenServiceManager.LogonTokenCacheExpirationWindow<\/a><\/p>\n