Clear-SPDistributedCacheItem not working

  • Question

  • Hi all,

    I'm working on a SharePoint 2016 on premises environment.

    Adding users to AD groups doesn't affect permissions unless I wait 24 hours... as far as I know this is the expected behaviour.

    Clearing DistributedLogonTokenCache should make things work, but it doesn't. I've tried running this command without any luck:

    Clear-SPDistributedCacheItem -ContainerType DistributedLogonTokenCache

    This is definitely not working; the only thing I can do is IISRESET or decreasing the token expiration timeout.

    Is there an easier way to do that?


    Friday, March 2, 2018 3:55 PM

All replies

  • Hi Maurizio Angeli,

    SharePoint 2013/2016 claims-based authentication uses the STS (security token service) to provide access tokens for server-to-server authentication. The token lifetime is 10 hours by default, and SharePoint caches the AD security details for 24 hours (the default case you are already talking about). Then you either wait until SharePoint re-issues tokens using the STS, or execute a PowerShell script to reduce the token lifetime. The following script achieves what you need.

    Original post: ACTIVE DIRECTORY SECURITY GROUPS AND SHAREPOINT CLAIMS BASED AUTHENTICATION

    Add-PSSnapin Microsoft.SharePoint.PowerShell;
     
    $CS = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
    #TokenTimeout value before
    $CS.TokenTimeout;
    $CS.TokenTimeout = (New-TimeSpan -minutes 2);
    #TokenTimeout value after
    $CS.TokenTimeout;
    $CS.update();
     
    $STSC = Get-SPSecurityTokenServiceConfig
    #WindowsTokenLifetime value before
    $STSC.WindowsTokenLifetime;
    $STSC.WindowsTokenLifetime = (New-TimeSpan -minutes 2);
    #WindowsTokenLifetime value after
    $STSC.WindowsTokenLifetime;
    #FormsTokenLifetime value before
    $STSC.FormsTokenLifetime;
    $STSC.FormsTokenLifetime = (New-TimeSpan -minutes 2);
    #FormsTokenLifetime value after
    $STSC.FormsTokenLifetime;
    #LogonTokenCacheExpirationWindow value before
    $STSC.LogonTokenCacheExpirationWindow;
    #DO NOT SET LogonTokenCacheExpirationWindow LARGER THAN WindowsTokenLifetime
    $STSC.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1);
    #LogonTokenCacheExpirationWindow value after
    $STSC.LogonTokenCacheExpirationWindow;
    $STSC.Update();
    IISRESET
     

    Useful Posts

    https://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/

    https://www.vioreliftode.com/index.php/active-directory-security-groups-and-sharepoint-claims-based-authentication/

    I hope this information will help you.


    Best Regards, Ahmed Madany MCTS @twitter http://twitter.com/ahmed_madany @Blog http://ahmedmadany.wordpress.com @LinkedIn http://eg.linkedin.com/pub/ahmed-madany/35/80/2b6

    • Proposed as answer by Sara Fan Monday, March 5, 2018 5:45 AM
    • Marked as answer by Maurizio Angeli Monday, March 5, 2018 9:08 AM
    • Unmarked as answer by Maurizio Angeli Monday, March 12, 2018 11:05 AM
    • Unproposed as answer by Maurizio Angeli Monday, March 12, 2018 11:05 AM
    Saturday, March 3, 2018 10:22 PM
  • Hi Maurizio Angeli,

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Monday, March 5, 2018 5:45 AM
  • Hi Ahmed,

    Thank you for the reply. I tried it, but the script broke all sites with publishing enabled.

    This seems to be a SharePoint 2016 bug:

    https://onehundredwatt.wordpress.com/2016/12/21/sharepoint-un-representable-datetime-issue-with-publishing-sites/

    https://sharepointumar.wordpress.com/2017/12/03/sharepoint-publishing-cache-manager-has-timed-out/

    I reset all token configurations and now it's working. I used this PowerShell:

    # Load the SharePoint cmdlets (not needed when run from the SharePoint Management Shell)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;

    # Restore the content service token timeout to its default (1 day)
    $CS = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
    $CS.TokenTimeout = (New-TimeSpan -days 1);
    $CS.Update();
     
    # Restore the STS token lifetimes and the logon token cache window to their defaults
    $STSC = Get-SPSecurityTokenServiceConfig
    $STSC.WindowsTokenLifetime = (New-TimeSpan -hours 10);
    $STSC.FormsTokenLifetime = (New-TimeSpan -hours 10);
    $STSC.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 10);
    $STSC.Update();


    • Edited by Maurizio Angeli Monday, March 12, 2018 11:11 AM
    • Proposed as answer by Sara Fan Tuesday, March 13, 2018 7:30 AM
    Monday, March 12, 2018 11:10 AM
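An added audit script, not code from any post in this thread, that reads the four lifetimes the two scripts above modify, shows each one next to the default value Maurizio's reset script puts back, and flags the one constraint Ahmed's script warns about (LogonTokenCacheExpirationWindow larger than WindowsTokenLifetime). It assumes it is run in the SharePoint Management Shell on a farm server and that the thread's reset values are the farm defaults.

```powershell
# Added example (not from the thread): audit SharePoint token lifetimes before changing them.
# Assumption: the "defaults" below are the values from Maurizio's reset script above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ThreadDefaults = [ordered]@{
    TokenTimeout                    = New-TimeSpan -Days 1
    WindowsTokenLifetime            = New-TimeSpan -Hours 10
    FormsTokenLifetime              = New-TimeSpan -Hours 10
    LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 10
}

function Test-SPTokenLifetimes {
    # Returns the list of problems found in a proposed set of lifetimes (empty = OK).
    param(
        [Parameter(Mandatory)][timespan]$WindowsTokenLifetime,
        [Parameter(Mandatory)][timespan]$LogonTokenCacheExpirationWindow
    )
    $problems = @()
    # Ahmed's script warns: do not set the cache window larger than WindowsTokenLifetime.
    if ($LogonTokenCacheExpirationWindow -gt $WindowsTokenLifetime) {
        $problems += "LogonTokenCacheExpirationWindow ($LogonTokenCacheExpirationWindow) is larger than WindowsTokenLifetime ($WindowsTokenLifetime)"
    }
    return ,$problems
}

function Get-SPTokenLifetimeReport {
    # Reads the live farm values and reports each one beside the thread's default value.
    $cs   = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $stsc = Get-SPSecurityTokenServiceConfig
    $live = [ordered]@{
        TokenTimeout                    = $cs.TokenTimeout
        WindowsTokenLifetime            = $stsc.WindowsTokenLifetime
        FormsTokenLifetime              = $stsc.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $stsc.LogonTokenCacheExpirationWindow
    }
    foreach ($name in $ThreadDefaults.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Current   = $live[$name]
            Default   = $ThreadDefaults[$name]
            IsDefault = ($live[$name] -eq $ThreadDefaults[$name])
        }
    }
    $problems = Test-SPTokenLifetimes -WindowsTokenLifetime $live.WindowsTokenLifetime `
        -LogonTokenCacheExpirationWindow $live.LogonTokenCacheExpirationWindow
    foreach ($p in $problems) { Write-Warning $p }
}

Get-SPTokenLifetimeReport | Format-Table -AutoSize
```

Running the report before and after any change gives a record of which values drifted from the defaults, which is what Maurizio had to reconstruct by hand when the shortened lifetimes broke the publishing sites.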
  • Hi Maurizio Angeli,

    I am very happy that the issue is resolved.

    Thank you for sharing; it will help others who have the same issue.

    You could mark your reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan





    Tuesday, March 13, 2018 7:30 AM