A question on SharePoint Security and Windows Groups

    Question

  • Hello,

    I am using classic authentication on SP2010. I have granted rights to a Windows AD security group on a site. My requirement is that if a user is removed from the AD group, he/she should lose access to SharePoint instantaneously.

    Now consider the following scenario

    1. Monday: User is added to GroupA, which already has Contribute access to SiteA.

    2. Tuesday: User boots his machine and logs on to his desktop using his NT ID and password. He gets a token from AD which has the groups to which he belongs.

    3. Wednesday: The user is removed from the AD group, but the user does not log off from his desktop, so he keeps the token he got from AD on Tuesday.

    4. Thursday: User accesses SiteA.

    Will he/she be able to access?

    So the question is: how and when does SharePoint (or Windows/IIS) resolve that the token the user has presented is old? Also, how does it determine whether the user belongs to a group?

    In this entire process, is there any caching in the AD infrastructure that can fool SharePoint/IIS into believing that the user belongs to GroupA on Thursday?


    MSDNStudent Knows not much!

    June 4, 2012 06:43

All replies

  • What happens when you perform steps 1-4 in your farm?


    Jason Warren
    Infrastructure Specialist

    June 13, 2012 23:36
  • A first request to SharePoint has to be authenticated with AD first, so if the user is not part of a certain group by that time, he won't get access. You can leave the computer on all you want, but the session will expire (after 20 minutes or so), and the user will have to be authenticated again. AD changes will have to be synced to every domain controller in the domain.

    So, in step 4, the user won't be able to access SiteA.


    Kind regards,
    Margriet Bruggeman

    Lois & Clark IT Services
    web site: http://www.loisandclark.eu
    blog: http://www.sharepointdragons.com

    June 14, 2012 07:15
  • "You can leave the computer on all you want, but the session will expire (after 20 minutes or so), and the user will have to be authenticated again. AD changes will have to be synced to every domain controller in the domain."

    Fantastic!! Can you point me to some documentation on MSDN which has this 20 minute thing documented?


    MSDNStudent Knows not much!

    June 14, 2012 08:59
  • Hi,

    Margriet is right.
    In Windows Authentication mode, a user is validated by setting a session cookie that contains an MSCSAuth ticket. No expiration date is specified for the cookie, and the cookie is deleted after the session expires. The session will expire due to inactivity.
    The timeout is defined in SessionStateSection Timeout, which is 20 minutes by default.

    You can see SessionStateSection Class [IIS 7 and higher] for more information:
    http://msdn.microsoft.com/en-us/library/ms691403(v=vs.90).aspx

    Thanks,
    Jinchun Chen


    Jinchun Chen
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff AT microsoft.com(Please replace AT with @)

    • Marked as answer by MSDN Student June 18, 2012 06:44
    • Unmarked as answer by MSDN Student June 19, 2012 20:14
    June 18, 2012 05:59
    Moderator
  • Sorry one more thought came to my head.

    So if the user is somehow clicking refresh in the browser, then his "cookie" session will not expire.

    This would mean that his token will not expire and he will continue to present his cached credentials. Would this mean that he will fool SharePoint into granting him access to the site even if the user has been removed from the AD group?

    Sorry, I know what I am asking is highly theoretical... and hypothetical... but I am just doing a threat analysis and it's hard for me to really test this type of scenario out.


    MSDNStudent Knows not much!

    June 19, 2012 20:16
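As an added check for the scenario in the question (this script is not from anyone in the thread): run as the user on the domain-joined client, it lists the domain groups that are still recorded in the current logon token (fixed at logon time) but that AD no longer grants, which is exactly the Wednesday-to-Thursday gap the threat analysis is about. It assumes a reachable domain controller and uses only .NET's System.DirectoryServices.AccountManagement; the function name is my own.

```powershell
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Compare-TokenGroupsWithAD {
    # Group SIDs baked into the interactive logon token. These were written
    # when the user logged on and do not change until the next logon.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    # Only compare groups from the user's own AD domain; local and built-in
    # groups in the token are not managed by AD.
    $domainPrefix = $identity.User.AccountDomainSid.Value

    # Ask AD right now which groups (direct and nested) the user belongs to.
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                $ctx, 'Sid', $identity.User.Value)
    $adSids = @($user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value })

    # Stale = still in the token, no longer granted by AD.
    $stale = $tokenSids | Where-Object {
        $_ -like "$domainPrefix-*" -and $adSids -notcontains $_
    }

    foreach ($sid in $stale) {
        # Translation fails if the group was deleted outright; report the SID then.
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolvable, group may have been deleted>'
        }
        [PSCustomObject]@{ Sid = $sid; Group = $name }
    }
}

# Usage: an empty result means the token and AD agree; each row is a group
# the user still presents locally but has been removed from in AD.
Compare-TokenGroupsWithAD | Format-Table -AutoSize
```

Note that this shows the client-side token only; whether a resource server honours those stale groups depends on how it authenticates the user (the point the thread is debating), so the script is a way to observe the drift, not proof of access either way.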