Update SharePoint Token Lifetime to update AD permissions faster

Since SharePoint 2013 only supports claims-based authentication, I discovered that changes to the Active Directory groups used in SharePoint do not take effect immediately: the group membership is cached in the claims token until it expires.

Thanks to Ryan McIntyre, there's a simple fix for that issue.

By adjusting the lifetime of the claims token, you can shorten the time it takes for Active Directory group changes to take effect in SharePoint.

# load the SharePoint snap-in if it is not already loaded
if (-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)) { Add-PSSnapin "Microsoft.SharePoint.PowerShell" }

# update SharePoint cache token lifetime (content service)

$SPContentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$SPContentService.TokenTimeout = (New-TimeSpan -Minutes 5)
$SPContentService.Update()

# update SharePoint claims token lifetime (security token service)

$SPSecurityTokenServiceConfig = Get-SPSecurityTokenServiceConfig
$SPSecurityTokenServiceConfig.WindowsTokenLifetime = (New-TimeSpan -Minutes 5)
$SPSecurityTokenServiceConfig.FormsTokenLifetime = (New-TimeSpan -Minutes 5)

# the expiration window must stay shorter than the token lifetime:
# if you set a lifetime that is shorter than the expiration window, users will be blocked from accessing the site.
$SPSecurityTokenServiceConfig.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 4)
$SPSecurityTokenServiceConfig.Update()
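Before applying the values above on a farm, it helps to see what is currently configured and to guard against the lockout case mentioned in the comment (an expiration window that is not shorter than the token lifetime). The script below is an added example, not part of the original post or Ryan McIntyre's snippet: it reports the current settings, validates the requested values, and only writes them when the invariant holds. The function names and the `$LifetimeMinutes` / `$ExpirationWindowMinutes` variables are my own; the cmdlets and properties are the same ones used in the snippet above.

```powershell
# Added example: report, validate and apply SharePoint token lifetimes.
# Function names and the two variables below are assumptions for this example.
$LifetimeMinutes         = 5
$ExpirationWindowMinutes = 4

if (-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

function Get-SPTokenLifetimeReport {
    # read the values the snippet changes, so a before/after comparison is possible
    $sts     = Get-SPSecurityTokenServiceConfig
    $content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    [pscustomobject]@{
        TokenTimeout                    = $content.TokenTimeout
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }
}

function Test-SPTokenLifetimeSettings {
    param(
        [Parameter(Mandatory)] [timespan]$Lifetime,
        [Parameter(Mandatory)] [timespan]$ExpirationWindow
    )
    # a lifetime that is not longer than the expiration window blocks users from the site
    if ($ExpirationWindow -ge $Lifetime) {
        Write-Warning ("Expiration window ({0}) must be shorter than token lifetime ({1}); " +
                       "applying this would block users.") -f $ExpirationWindow, $Lifetime
        return $false
    }
    return $true
}

function Set-SPTokenLifetime {
    param(
        [Parameter(Mandatory)] [timespan]$Lifetime,
        [Parameter(Mandatory)] [timespan]$ExpirationWindow
    )
    if (-not (Test-SPTokenLifetimeSettings -Lifetime $Lifetime -ExpirationWindow $ExpirationWindow)) {
        throw "Refusing to apply token lifetime settings that would lock users out."
    }

    # content service cache token lifetime
    $content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $content.TokenTimeout = $Lifetime
    $content.Update()

    # security token service claims token lifetime and cache expiration window
    $sts = Get-SPSecurityTokenServiceConfig
    $sts.WindowsTokenLifetime            = $Lifetime
    $sts.FormsTokenLifetime              = $Lifetime
    $sts.LogonTokenCacheExpirationWindow = $ExpirationWindow
    $sts.Update()
}

Write-Host "Current settings:"
Get-SPTokenLifetimeReport | Format-List

Set-SPTokenLifetime -Lifetime (New-TimeSpan -Minutes $LifetimeMinutes) `
                    -ExpirationWindow (New-TimeSpan -Minutes $ExpirationWindowMinutes)

Write-Host "Settings after update:"
Get-SPTokenLifetimeReport | Format-List
```

Run it from the SharePoint Management Shell as a farm administrator; the first report lets you record the original values so the change can be reverted if the shorter lifetime turns out to cost too many round trips to Active Directory.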

Get the latest version of this code snippet here: https://gist.github.com/9950021
