
Permissions delay when using Kerberos and Security Groups #SP2010 #SharePoint #in

At one of our clients recently we had a support issue concerning a delay in permissions being applied in a SharePoint 2010 environment.

Environment Details:

  • SharePoint Server 2010 – Enterprise: SP1 – Dec 2011 CU
  • Authentication: Kerberos

Scenario

  • Site Administrators add an Active Directory security group into a SharePoint group for permissions.
  • The security group has 9 users and permissions are applied accordingly.
  • Later down the line a system admin adds a user to the security group, giving it 10 members instead.
  • No changes have been made to the SharePoint group security.

Problem

The 10th member is not immediately given the rights of the SharePoint group. However, after some time has passed (with no changes being made), the permissions are applied to the 10th member.

The amount of time is not fixed but is definitely no more than a standard working day.

Solution

After investigation and replicating the issue back at the office, we found this:

http://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx

In particular, we found these settings:

  • Maximum lifetime for user ticket: Determines the maximum amount of time (in hours) that a user’s TGT can be used. When a user’s TGT expires, a new one must be requested or the existing one must be renewed. By default, the setting is ten hours.
  • Maximum lifetime for user ticket renewal: Determines the longest period of time (in days) that a TGT can be used if it is repeatedly renewed. By default, the setting is seven days.

So the issue is that the Kerberos ticket (which carries the user's group membership) is cached; the new permissions are therefore not enforced until that ticket has expired and a fresh one is issued.

Now, 10 hours to wait is a very long time, but given that this is a forest wide setting, should we be changing it? In this case we also realised that the ticket is re-issued whenever a user logs back in.

So when this happens and a support issue comes in, we ask the user to simply log off and log back in again, and then we are back to where we should be!
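As an added example (not the author's code or part of the original post), the PowerShell below gives a help desk the two checks this scenario calls for: the domain's configured TGT lifetimes, read from the Group Policy report, and the issue/expiry time of the user's currently cached TGT, parsed from klist.exe. It assumes the GroupPolicy RSAT module is installed, that the Kerberos policy lives in the "Default Domain Policy" GPO (the usual place), and PowerShell 3.0 or later; the klist sample used for the offline run is constructed, not captured from the client's environment.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy module
# (RSAT) and PowerShell 3.0+. GPO name is an assumption; adjust if your
# Kerberos policy is set elsewhere.

function Get-KerberosPolicyFromGpo {
    param([string]$GpoName = 'Default Domain Policy')
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    # local-name() sidesteps the report's XML namespaces. Kerberos entries are
    # MaxTicketAge (hours), MaxRenewAge (days), MaxServiceAge (minutes),
    # MaxClockSkew (minutes) and TicketValidateClient.
    $xpath = "//*[local-name()='Account'][*[local-name()='Type']='Kerberos']"
    foreach ($node in $report.SelectNodes($xpath)) {
        [pscustomobject]@{
            Setting = $node.Name
            Value   = [int]$node.SettingNumber
        }
    }
}

function Get-CachedTgtExpiry {
    # Parses klist.exe text output and returns the start/end/renew times of the
    # cached TGT (the krbtgt/... entry). Group changes made after Start are not
    # reflected until a new TGT is issued, i.e. after End or after a fresh logon.
    param([string[]]$KlistOutput = (klist.exe))
    $inTgt = $false
    $start = $null; $end = $null; $renew = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)') {
            $inTgt = $matches[1] -like 'krbtgt/*'
            continue
        }
        if (-not $inTgt) { continue }
        if ($line -match '^\s*Start Time:\s*(.+?)\s*\(local\)') { $start = [datetime]::Parse($matches[1]) }
        elseif ($line -match '^\s*End Time:\s*(.+?)\s*\(local\)') { $end = [datetime]::Parse($matches[1]) }
        elseif ($line -match '^\s*Renew Time:\s*(.+?)\s*\(local\)') {
            $renew = [datetime]::Parse($matches[1])
            break   # TGT block fully read
        }
    }
    [pscustomobject]@{ Start = $start; End = $end; Renew = $renew }
}

# Constructed klist output (sample data, not a real capture) so the parser can
# be exercised offline; omit -KlistOutput to read the live ticket cache.
$sampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: jdoe @ CONTOSO.LOCAL
        Server: krbtgt/CONTOSO.LOCAL @ CONTOSO.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Start Time: 3/14/2012 09:02:11 (local)
        End Time:   3/14/2012 19:02:11 (local)
        Renew Time: 3/21/2012 09:02:11 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

$tgt = Get-CachedTgtExpiry -KlistOutput $sampleKlist
"TGT issued {0:g}, expires {1:g}; lifetime {2:N0} hours." -f $tgt.Start, $tgt.End, ($tgt.End - $tgt.Start).TotalHours

# Live checks (need a domain-joined session and the GroupPolicy module):
# Get-KerberosPolicyFromGpo | Format-Table -AutoSize
# $live = Get-CachedTgtExpiry
# "Current TGT expires in {0:N0} minutes." -f ($live.End - (Get-Date)).TotalMinutes
```

The sample ticket shows the ten-hour default from the TechNet page (09:02 to 19:02) and the seven-day renewal window. Comparing the TGT's Start time with the time the group membership was changed tells you immediately whether the user is holding a stale ticket, which is the case where asking them to log off and on is the right call.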

All sorted then…

To see this in action, we took a video to prove the scenario:
