ADFS, AD Groups, and Token Lifetime Configurations


  • I am working on a SharePoint farm that was set up with ADFS Claims instead of Windows Claims and I am trying to wrap my head around token lifetimes. The issue we are seeing is that if a user is added to an AD Group, they do not receive access to the SharePoint site where the AD Group has previously been added. This is expected behavior which I am used to dealing with, but what I am trying to figure out is how long the user needs to wait before their token will be refreshed and they will be able to access the SharePoint site. 

    Currently our SharePoint security token configuration has a LogonTokenCacheExpirationWindow of 10 Minutes. 

    The SharePoint Relying Party Trust in ADFS has a token lifetime of 480 minutes. 

    I am not sure which setting controls the token refresh, is it 10 minutes or 480 minutes? 

    Thursday, April 06, 2017 9:34 PM

All replies

  • Friday, April 07, 2017 7:15 AM
  • Hi

    Any update on the issue?

    Mark it as an answer if it helped you out. Regards Rahul Dagar

    Friday, April 14, 2017 6:57 AM
  • Hi,

    Any update on the problem?

    Mark it as an answer if it helped you out. Regards Rahul Dagar

    Monday, May 01, 2017 12:35 PM
  • Hello Rahul, 

    I have read over these articles multiple times and am still not confident in what needs to be changed. Here is what I have interpreted. 

    "For trusted providers like AD FS, the lifetime depends on the validity of the security token POSTed to SharePoint’s /_trust/ endpoint."

    I take this to mean that the lifetime of the token, and thus group membership, is determined by ADFS. So if I need to adjust the token lifetime for ADFS logins to SharePoint, I need to adjust it on the ADFS server and drop it from 480 to whatever is acceptable for my environment to reflect AD Group changes, as opposed to changing the Windows token lifetime in SharePoint.

    What I am unsure of is the impact this will have on users. If I change the ADFS token lifetime to 30 minutes, will users have to authenticate to SharePoint every 30 minutes? What happens if they have a document open for longer than 30 minutes? In previous environments I have worked in, when I adjusted the Windows token there really was no impact on users; I am assuming the STS gets a new token for the user silently without requiring interaction from the user. I am going to test this setting in our test environment to see the impact.

    Monday, May 01, 2017 1:27 PM
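An added example, not from this thread or from Microsoft's own samples, for checking the two settings the thread discusses side by side. It assumes the SharePoint Management Shell snap-in on a farm server, the ADFS module on the federation server, and a placeholder relying party name "SharePoint"; `Get-SPSecurityTokenServiceConfig`, `Set-SPSecurityTokenServiceConfig`, `Get-AdfsRelyingPartyTrust` and `Set-AdfsRelyingPartyTrust` are the real cmdlets for these values.

```powershell
# Pure check: given both values, report the effective SharePoint session
# lifetime and flag the misconfiguration that causes ADFS redirect loops.
function Test-TokenLifetimeConfig {
    param(
        [Parameter(Mandatory)][TimeSpan]$CacheWindow,          # SharePoint LogonTokenCacheExpirationWindow
        [Parameter(Mandatory)][int]$TokenLifetimeMinutes       # ADFS relying party TokenLifetime (minutes)
    )
    $tokenLifetime = New-TimeSpan -Minutes $TokenLifetimeMinutes
    # SharePoint treats the SAML token as usable for (lifetime - cache window);
    # after that the user is silently sent back to ADFS for a fresh token, which
    # is when new AD group membership shows up for trusted-provider logins.
    $effective = $tokenLifetime - $CacheWindow
    [pscustomobject]@{
        TokenLifetime      = $tokenLifetime
        CacheWindow        = $CacheWindow
        EffectiveSession   = $effective
        # Window >= lifetime means every token is already "expired" on arrival:
        # users bounce between SharePoint and ADFS indefinitely.
        RedirectLoopRisk   = ($CacheWindow -ge $tokenLifetime)
    }
}

# --- SharePoint side (run on a farm server) ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sts = Get-SPSecurityTokenServiceConfig
$cacheWindow = $sts.LogonTokenCacheExpirationWindow       # 00:10:00 in the thread

# --- ADFS side (run on the ADFS server; copy the value over if separate hosts) ---
Import-Module ADFS
$rp = Get-AdfsRelyingPartyTrust -Name "SharePoint"        # placeholder trust name
$lifetimeMinutes = $rp.TokenLifetime                      # 480 in the thread; 0 = ADFS default

Test-TokenLifetimeConfig -CacheWindow $cacheWindow -TokenLifetimeMinutes $lifetimeMinutes

# To shorten how long stale group membership persists, lower the ADFS value
# (keeping it above the SharePoint cache window), e.g. to 30 minutes:
# Set-AdfsRelyingPartyTrust -TargetName "SharePoint" -TokenLifetime 30
# Not the SharePoint WindowsTokenLifetime, which only governs Windows claims logins.
```

Run the SharePoint and ADFS halves on their respective servers and feed both values into `Test-TokenLifetimeConfig`; a `RedirectLoopRisk` of `True` must be fixed before rolling the change to users.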