1 min read

Update SharePoint Token Lifetime to update AD permissions faster

April 3, 2014

Since SharePoint 2013 only supports claim based authentication I discovered that updates in SharePoint Active Directory groups do not take effect immediately.

Thanks to Ryan McIntyre there’s a simple fix for that issue.

By adjusting the lifetime of the claims token you can shorten the time it takes to update the Active Directory group changes. 

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

# update SharePoint cache token lifetime

$SPContentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$SPContentService.TokenTimeout = (New-TimeSpan -minutes 5)
$SPContentService.Update()

# udpate SharePoint claims token lifetime

$SPSecurityTokenServiceConfig = Get-SPSecurityTokenServiceConfig
$SPSecurityTokenServiceConfig.WindowsTokenLifetime = (New-TimeSpan minutes 5)
$SPSecurityTokenServiceConfig.FormsTokenLifetime = (New-TimeSpan -minutes 5)

# if you happen to set a lifetime that is shorter than the expiration window user will be blocked from accessing the site.
$SPSecurityTokenServiceConfig.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 4)
$SPSecurityTokenServiceConfig.Update()

Get the latest version of this code snippet here: https://gist.github.com/9950021

Categories:  SharePoint

Tags:  active directory , group , sharepoint , time to live , token

comments powered by Disqus