Question

Today we ran into a typical AD group to SharePoint group sync issue scenario.

Created a group in AD which has 10 users.

Update Site Permissions to set Visitors (Read) access to a SharePoint group.

On testing, identified that a few users are able to access the said site as normal. However, others are not able to access it.

On checking permissions, came to know that users who are not able to access do not show up in the respective SharePoint group (which is derived from the AD group).

On Googling, came across this link: SharePoint 2013 Active Directory Group not working

This link explained that it has to do with SecurityTokenServiceConfig settings.

Moreover, this link SHAREPOINT 2013 : USE AD GROUPS ? YES, BUT…DON’T FORGET THE SECURITY TOKEN CACHING: LOGONTOKENCACHEEXPIRATIONWINDOW AND WINDOWSTOKENLIFETIME suggested modifying the WindowsTokenLifetime and LogonTokenCacheExpirationWindow properties.

Have been googling around to find out whether making such changes is correct or not. Kindly advise.

Also have run a Full Sync of the User Profile service. However, it didn't make any difference to permissions.


Solution

Changing the SecurityTokenServiceConfig settings is supported if you follow the proper method (using PowerShell, as mentioned in the article).

We had to change these settings for one of our ADFS-enabled farms and used the same method. What value you have to pick depends upon your environment.

Read this blog, which clearly explains it: SharePoint 2013 authentication lifetime settings
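As an added illustration of the PowerShell method the answer refers to (not code from the question, the answer or the linked articles), the following reads the current Security Token Service caching values, checks the one constraint between them, and applies new ones. The minute values used are assumptions for demonstration only; the right values depend on your farm.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell as a farm administrator.
# Get-SPSecurityTokenServiceConfig exposes the WindowsTokenLifetime and
# LogonTokenCacheExpirationWindow properties named in the question.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-StsCacheSettings {
    $sts = Get-SPSecurityTokenServiceConfig
    [pscustomobject]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        FormsTokenLifetime              = $sts.FormsTokenLifetime
    }
}

function Set-StsCacheSettings {
    param(
        [Parameter(Mandatory)][timespan]$WindowsTokenLifetime,
        [Parameter(Mandatory)][timespan]$LogonTokenCacheExpirationWindow
    )
    # The cache expiration window must be shorter than the token lifetime; a window
    # equal to or longer than the lifetime means every cached token is already expired.
    if ($LogonTokenCacheExpirationWindow -ge $WindowsTokenLifetime) {
        throw "LogonTokenCacheExpirationWindow must be less than WindowsTokenLifetime."
    }
    $sts = Get-SPSecurityTokenServiceConfig
    $sts.WindowsTokenLifetime            = $WindowsTokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $LogonTokenCacheExpirationWindow
    $sts.Update()   # persist the change to the farm configuration database
}

# Record the current values first so the change can be reverted if needed.
"Before:"; Get-StsCacheSettings | Format-List

# Assumed values: token valid for 2 minutes, cache window of 1 minute. Shorter lifetimes
# make AD group membership changes visible sooner, at the cost of more frequent
# authentication traffic to the domain controllers.
Set-StsCacheSettings -WindowsTokenLifetime (New-TimeSpan -Minutes 2) `
                     -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 1)

"After:"; Get-StsCacheSettings | Format-List
```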

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange