Saturday, October 25, 2014

SharePoint Active Directory Group Membership Sync Problem and Solution

Problem: In a SharePoint site where access is managed through Active Directory (AD) security groups, users newly added to an AD security group could not access the SharePoint site immediately, but the next day they were able to log in without any issues. Likewise, users removed from an AD security group that has been granted access to SharePoint sites were still able to access them!

So the catch here is that SharePoint AD group permissions appear not to work because changes to AD group membership are not reflected in SharePoint immediately. For example, if you remove a user from the AD security group, the user is still able to access the site. If you add a new user to the AD security group, the user still receives an access denied error message in SharePoint.

Root cause:
In SharePoint web applications configured to use claims-based authentication, when a user hits a SharePoint site, SharePoint checks the security token cache for the user's claims. If the claims are found in the cache, SharePoint uses them to authorize the user. If not, SharePoint queries AD for the claims again.

Since SharePoint has no way of knowing that AD group membership has changed, it periodically expires the claims token so that it is refreshed from AD. By default, this refresh happens only once every 10 hours!

Solution:
Let's use PowerShell to set the token lifetime and the cache expiration window:
Add-PSSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue

#Get Security Token Service Configuration
$STSConfig = Get-SPSecurityTokenServiceConfig

#Default value: 10 Hours
$STSConfig.WindowsTokenLifetime = (New-TimeSpan -minutes 2)

#Default value: 10 Minutes
$STSConfig.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1)
$STSConfig.Update()

IISReset
Important: If you set the token lifetime to less than the token cache expiration window, you will start seeing the message "The context has expired and can no longer be used. Exception from HRESULT: 0x80090317", so don't do it!
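As an added example (not from the original post), here is a PowerShell wrapper around the same two properties that applies both values together, refuses the lifetime-shorter-than-window combination the warning above describes, and records the previous values so the change can be reverted. The function name and the 30-minute/5-minute values are my own choices; it assumes the SharePoint Management Shell snap-in and farm administrator rights.

```powershell
# Added example: set both STS timeouts in one validated step.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-StsTokenTimeouts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # How long a Windows (AD) token stays valid before claims are re-read from AD.
        [Parameter(Mandatory = $true)][TimeSpan]$TokenLifetime,
        # Window before expiry in which SharePoint treats the cached token as stale.
        [Parameter(Mandatory = $true)][TimeSpan]$ExpirationWindow
    )

    # Guard: the lifetime must be strictly longer than the expiration window,
    # otherwise users hit "The context has expired" (HRESULT 0x80090317).
    if ($TokenLifetime -le $ExpirationWindow) {
        throw "TokenLifetime ($TokenLifetime) must be longer than ExpirationWindow ($ExpirationWindow)."
    }

    $sts = Get-SPSecurityTokenServiceConfig

    # Capture the current values so the change is auditable and reversible.
    $before = [PSCustomObject]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }

    if ($PSCmdlet.ShouldProcess("Security Token Service", "Set lifetime=$TokenLifetime window=$ExpirationWindow")) {
        $sts.WindowsTokenLifetime = $TokenLifetime
        $sts.LogonTokenCacheExpirationWindow = $ExpirationWindow
        $sts.Update()
    }

    [PSCustomObject]@{
        Before = $before
        After  = [PSCustomObject]@{
            WindowsTokenLifetime            = $sts.WindowsTokenLifetime
            LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        }
    }
}

# Preview with -WhatIf first, then apply. 30 minutes / 5 minutes refreshes group
# membership far sooner than the 10-hour default without polling AD every minute.
Set-StsTokenTimeouts -TokenLifetime (New-TimeSpan -Minutes 30) -ExpirationWindow (New-TimeSpan -Minutes 5) -WhatIf
Set-StsTokenTimeouts -TokenLifetime (New-TimeSpan -Minutes 30) -ExpirationWindow (New-TimeSpan -Minutes 5)

# Recycle IIS so the running STS picks up the new values, as in the post.
iisreset
```

Shorter lifetimes mean more frequent claims lookups against AD on busy farms, so pick the shortest value your domain controllers can comfortably absorb rather than the minimum.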

SharePoint AD group new members get access denied - permission problem in classic mode?
With classic mode authentication, this behavior is controlled by the token-timeout property, which is set to 24 hours by default! You can adjust it accordingly.

To check the current timeout value: stsadm -o getproperty -propertyname token-timeout

To set a new value, e.g.: stsadm -o setproperty -pn token-timeout -pv 5
