Active Directory Groups and Access Denied in Sharepoint 2013

By | May 27, 2014

Have you ever encountered this SharePoint issue where a certain user gets an Access Denied message when he accesses a certain resource in SharePoint and you already given that user the rights through a group in Active Directory?

Access Denied Sharepoint
You even tried to delete the user from SharePoint and even removed and re-added the used from the Active Directory groups and still nothing happens? You even tried to delete the access requests and let them do it again but still nothing happens.

Access Requests Sharepoint

Finally you thought it was a cache, so you deleted the cache and still nothing happens. WTH!!!

You got fed up and gave the user access through SharePoint and it works but it’s not a clean solution as you want to organize everything in Active Directory. You think you had done everything you can but still nothing works well not quite right as you need to change some settings in SharePoint specifically in the SharePoint 2013 Security Token Service (STS). In SharePoint 2013, the server-to-server security token service (STS) provides access tokens for server-to-server authentication and this maintains a session in which the same token from the same user is reused until it expires. This expiration is defaulted to 10 hours regardless its Forms based or Windows based, meaning anything you change now will only reflect after 10 hours. Now to change that is simply run a PowerShell script telling the new values you want, you can tell it to timeout of every minute but that’s ridiculous as it would be inefficient and may cause delays in login when there is a heavy load on your server. A good balance is a case by case scenario but for me I chose to do it every 15 minutes and I also instruct the server to get information from AD every 10 minutes, and here is my script.

$spSecurityToken = Get-SPSecurityTokenServiceConfig
$spSecurityToken.WindowsTokenLifetime = (New-TimeSpan -minutes 15)
$spSecurityToken.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 10)


3 thoughts on “Active Directory Groups and Access Denied in Sharepoint 2013

  1. Saurabh

    I tried all these steps but still getting access denied for some of the users added through active directory group…Is there any other solution I can try with?


Leave a Reply