ADFS, AD Groups, and Token Lifetime Configurations


  • I am working on a SharePoint farm that was set up with ADFS claims instead of Windows claims, and I am trying to wrap my head around token lifetimes. The issue we are seeing is that if a user is added to an AD group, they do not receive access to the SharePoint site where the AD group has been added previously. This is an expected behavior which I am used to dealing with, but what I am trying to figure out is how long the user needs to wait before their token will be refreshed and they will be able to access the SharePoint site.

    Currently, our SharePoint security token configuration has a LogonTokenCacheExpirationWindow of 10 minutes.

    The SharePoint Relying Party Trust in ADFS has a token lifetime of 480 minutes.

    I am not sure which setting controls the token refresh: is it 10 minutes or 480 minutes?

    Thursday, April 6, 2017 9:34 PM
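As an added example (not part of the thread and not an official Microsoft script), the following PowerShell reads the two settings the post mentions and checks the relationship between them: SharePoint treats a cached SAML session as expired LogonTokenCacheExpirationWindow before the AD FS token lifetime ends, so the cache window must be smaller than the AD FS token lifetime or every request is sent back to AD FS. The relying party display name is a placeholder; the AD FS cmdlet runs on an AD FS server and the SharePoint cmdlet on a farm server, so the two values are collected separately and compared in a helper.

```powershell
# Added example: compare AD FS token lifetime with the SharePoint logon token cache window.
# Placeholder: replace with the display name of the SharePoint relying party trust in AD FS.
$RelyingPartyName = "<SharePoint relying party display name>"

function Get-EffectiveSessionMinutes {
    # Returns how long SharePoint keeps a cached session before it asks AD FS for a new token.
    # TokenLifetimeMinutes: AD FS relying party TokenLifetime (minutes).
    # CacheWindow: SharePoint LogonTokenCacheExpirationWindow (TimeSpan).
    param(
        [Parameter(Mandatory)][int]$TokenLifetimeMinutes,
        [Parameter(Mandatory)][TimeSpan]$CacheWindow
    )
    if ($TokenLifetimeMinutes -le 0) {
        Write-Warning "TokenLifetime is 0 on the relying party; the AD FS default applies. Set an explicit value before comparing."
        return $null
    }
    $effective = $TokenLifetimeMinutes - $CacheWindow.TotalMinutes
    if ($effective -le 0) {
        Write-Warning ("LogonTokenCacheExpirationWindow ({0} min) is not smaller than the AD FS TokenLifetime ({1} min); " +
                       "SharePoint will consider every token expired and loop back to AD FS.") -f $CacheWindow.TotalMinutes, $TokenLifetimeMinutes
    }
    return $effective
}

# --- On an AD FS server (ADFS module) ---
# $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
# $tokenLifetimeMinutes = [int]$rp.TokenLifetime

# --- On a SharePoint server (SharePoint PowerShell) ---
# $sts = Get-SPSecurityTokenServiceConfig
# $cacheWindow = $sts.LogonTokenCacheExpirationWindow

# Constructed values matching the post (480 minutes in AD FS, 10 minutes in SharePoint):
$tokenLifetimeMinutes = 480
$cacheWindow = New-TimeSpan -Minutes 10

$minutes = Get-EffectiveSessionMinutes -TokenLifetimeMinutes $tokenLifetimeMinutes -CacheWindow $cacheWindow
if ($null -ne $minutes) {
    "Cached session is reused for up to {0} minutes before a new AD FS token (and fresh group claims) is obtained." -f $minutes
}
```

Group membership changes only appear in the claims of a newly issued AD FS token, so this is the longest a user could wait under these two settings unless the browser session is ended and a new token is requested sooner.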

All replies