Can Multiple SAML Tokens exist for the same user in SharePoint Distributed Cache


  • Hi,

    We have developed a SharePoint Webapplication with Claims authentication ,where IBM Tivoli Federated identity manager is our identity provider.

    There are few changes at the Infrastructure level to tell the information ,whether the user originated from Internet or Intranet.

    So the SAML Token which I receive will contain the claims my Employee ID,Email,AccessPath(Internet/Intranet).

    Based on the AccessPath setting ,in our sharepoint code  we have handled the user not to download the documents and if he is accessing it from Intranet ,we have allowed him to download the copy of the document.

    Since the SAML Token is kept in distributed cache,sometimes the user is able to download the document even if he is accessing from Internet.

    A couple of questions need to be clarified

    1) Does the Distributed cache maintain two seperate copies of tokens for the same User account?

    2) In our farm,Since each WFE acting as a cache host,Does the distributed cache takes some time to replicate the logon tokens between WFE`s ,even though its called as a Shared Cache?

    3) If sharepoint is maintaining a single copy of Token for each user account how can we achieve the functionality of blocking of downloading of files if accessed through internet?

    Any ideas?

    • Edited by Venu545 Monday, March 27, 2017 9:04 AM
    Monday, March 27, 2017 4:53 AM

All replies

  • Hi,


    We are currently looking into this issue and will give you an update as soon as possible.


    Best Regards,


    Dean Wang 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, March 31, 2017 1:59 AM
  • What is the value of:



    Trevor Seward

    Office Servers and Services MVP

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, March 31, 2017 2:18 AM
  • Hi Trevor

    Here are the values of the above command

    Days              : 0
    Hours             : 1
    Minutes           : 0
    Seconds           : 0
    Milliseconds      : 0
    Ticks             : 36000000000
    TotalDays         : 0.0416666666666667
    TotalHours        : 1
    TotalMinutes      : 60
    TotalSeconds      : 3600
    TotalMilliseconds : 3600000

    Monday, April 3, 2017 4:25 AM
  • Hi,

    I know that you want to prevent users from downloading documents if they are logging from Internet.

    Per my test, if users first login from Intranet, and then they login from Internet immediately, the users are still able to download files from Internet.

    The behavior is caused by: SharePoint LogonToken is cached by distributed cache services, and by default the LogonTokenCacheExpirationWindow is 10 mins. That means, when users login from Intranet, their logon token will be created with cliams as they are accessing SharePoint from Intranet, and before the logon token expires, if they login from external again, SharePoint will noticed that there is a valid token for this user already, so SharePoint would not create another token for the user, instead, return the existing token to the user from Internet directly. As a result, users from Internet would be treated as from Intranet, so they get the download permsision.

    Here are two solutions for your reference:

    1. Change the LogonTokenCacheExpirationWindow to 1 mins. However, this would aggravate SharePoint security token service workload, and which may bring bad user experience.

    2. Give up the custom claim. Instead, using the following method:
    1) Extend the web application to a new web application to Internet Zone (with another port). Refer this article:
    2) Add a new user permission policy to Deny All Users download permssion, and apply the policy to Internet Zone. Refer this article:
    3) Publish the Internet zone web application to Internet, and limit the Default Zone access in intranet only.

    Dean Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, April 4, 2017 6:50 AM
  • Hi Dean,

    Thanks for your solution,let me try the second solution and keep you posted with an update.

    Tuesday, April 4, 2017 11:35 AM