Tuesday, July 16, 2013

SharePoint 2013: AD group membership changes are not reflected on the site

[What you have]:

Web application with claims-based authentication (the default in SharePoint 2013), and a site to which you granted access via an AD group.
You have added or removed a user from that AD group, but the site permissions do not reflect the change for this user.

[Why]:

When a domain user logs on to SharePoint, the server creates a token that contains information about that user, along with any domain groups they are a member of. By default, SharePoint 2010 (and SharePoint 2013) hangs on to this data for 24 hours, at which point the token expires and the next user logon forces a fresh token to be created.

[What to do]:
Run stsadm to change the default value of 1440 minutes (24 hours);
for example, set 1 hour (60 minutes):

stsadm.exe -o setproperty -propertyname token-timeout -propertyvalue 60
iisreset


You may also run into an additional problem related to the claims token cache.
To resolve this, check this out
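The same change done through the SharePoint Management Shell, covering both the stsadm token timeout above and the claims token cache just mentioned. This is an added example, not code from the original post; it assumes a SharePoint 2013 farm server with the Microsoft.SharePoint.PowerShell snap-in, run as a farm administrator, and the function names are my own.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# stsadm token-timeout change, applied to the claims Security Token Service.
# Assumes the SharePoint 2013 Management Shell on a farm server, run as a
# farm administrator. Function names are hypothetical helpers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Show-TokenLifetimes {
    $sts = Get-SPSecurityTokenServiceConfig
    # Lifetime of Windows (AD) claims tokens and the logon token cache window
    [pscustomobject]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }
}

function Set-TokenLifetimeMinutes {
    param([Parameter(Mandatory)][ValidateRange(2, 1440)][int]$Minutes)

    $sts = Get-SPSecurityTokenServiceConfig
    # The cache expiration window must stay shorter than the token lifetime;
    # a cached token is treated as expired once less than this window remains,
    # so lifetime minus window is the effective refresh interval. Here the
    # window is lifetime minus one minute, i.e. group changes show up within
    # about a minute of the token being issued.
    $sts.WindowsTokenLifetime            = New-TimeSpan -Minutes $Minutes
    $sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes ($Minutes - 1)
    $sts.Update()
}

Show-TokenLifetimes            # values before the change (default: 24h / 10m)
Set-TokenLifetimeMinutes -Minutes 60
Show-TokenLifetimes            # values after the change (60m / 59m)
# As with stsadm, run iisreset on each web front end afterwards so the
# running STS picks up the new values.
```

Shorter lifetimes mean more frequent token re-issue (extra AD round trips), so pick the smallest interval the farm can afford rather than one minute everywhere.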